Overview
Developing New Applications
If you plan to develop a new application on the Michigan Medicine network (for example, using a HITS virtual machine (VM) or MCloud), you must first complete a Michigan Medicine Investment Assurance Request (MMIAR) before the application can go live.
The Information Assurance: Michigan Medicine (IA:MM) team uses the MMIAR to provide a comprehensive listing of security requirements for all investments involving Michigan Medicine data. The requirements for each MMIAR are individually determined and based on items such as data classification, data location, and external regulations. The MMIAR requirements differ according to a system's data classification and service tier, and according to whether the system will create, receive, maintain, or transmit regulated data.
This IA:MM standard process is governed by University of Michigan Information Security Policy SPG 601.27. Additional requirements may be defined based on Michigan Medicine Policies, Data Types and/or specific regulatory or contractual requirements.
If you are purchasing an external application that will not reside on the Michigan Medicine network, refer to the section on Purchasing New Applications instead. However, if a vendor application will be hosted within the Michigan Medicine network, the requirements on this page still apply.
If your application includes a vendor product, a Third-Party Vendor Security Assessment may also be required.
Even when using services already approved in the Sensitive Data Guide, your project may still qualify as a new application that requires review. Indicators include:
- Running a web server
- Requesting firewall changes
- Enabling communication between multiple non-storage servers (e.g., several HITS virtual servers)
Technical Owner
Every investment must have a technical owner who serves as the primary contact for security and vulnerability management.
A technical owner must be a member of HITS or another Trusted IT Service Provider (TSP). Researchers are typically not in these groups, so one must be assigned before the Investment Assurance Request is submitted.
Your technical owner will:
- Guide you through the assurance process
- Submit the necessary requests and forms
- Communicate with IA:MM on your behalf
However, your active participation is needed throughout the process.
Request help with a Technical Owner Request.
Ongoing requirements
After approval, the research team is responsible for:
- Applying security patches in a timely manner
- Collaborating with the technical owner to resolve new vulnerabilities identified by automated scans
The technical owner will receive vulnerability notifications and forward them to the research team.
Applications that process High data must also complete a controls assessment every four years. Notifications for this recurring requirement will also be sent to the technical owner, who will coordinate with your team to ensure compliance.