The mission of the Information Security Office is to safeguard the confidentiality, integrity, and availability of information systems by providing proactive security expertise, creating and maintaining a robust security architecture and fostering a culture of security awareness throughout the campus.
The Security Compliance unit is responsible for creating institutional awareness about and adherence to IT security policies, procedures, and best practices, ensuring compliance with regulatory standards such as PCI, FERPA, GLBA, Red Flag, HIPAA, and FISMA, and conducting IT security assurance audits to validate the effectiveness of existing controls. This unit works closely with IT Quality Control on developing enterprise-wide IT security policies and standard operating procedures that address the regulatory and data protection needs of the University. IT Security Compliance is the primary interface to engage firms conducting risk assessments, penetration tests, vulnerability scans, and similar IT security audit engagements. This unit also reviews the security aspects of various contracts and guides the establishment of IT security procurement standards.
ENTERPRISE SECURITY ARCHITECTURE:
The Enterprise Security Architecture and Operations unit is primarily responsible for establishing UM’s institutional IT security strategy, managing the existing security infrastructure, planning and prioritizing IT security investments, incident response, monitoring, forensic investigations, and vulnerability remediation. This unit has an important long-term planning and capital budgeting function, guides disaster recovery and business continuity efforts, and intervenes to minimize or prevent business disruption from security threats. Operationally, this unit establishes the configurations, settings and rules for security appliances such as firewalls and intrusion detection systems. Architecturally, this unit reviews and recommends new security technologies to protect institutional data, systems, and associated assets.
The Quality Control unit is responsible for guiding and coaching system teams in validating computerized systems used in clinical research trials to FDA standards. The main duties include directing validation projects and documentation packages for multiple clinical trial and medical management systems, ensuring system compliance to UM Quality Assurance standards, FDA regulations, and other related external and internal requirements, and developing departmental standard operating procedures and work instructions as needed for performing system validation work. This unit supervises the document creation, approval, and dissemination process, development of standard operating procedures, reports, system quality reviews, identifying deficiencies, completing traceability matrices, preparing CAPA (Corrective and Preventive Action) documents, test scripts, change control or change management, process and strategy planning with computer systems validation of clinical research systems and laboratory applications in regulatory scope for FDA part 11 and other compliance frameworks such as HIPAA, FISMA.