Research Security Requirements – Building New Applications


Overview


Building New Applications

If you are building a new application on the Michigan Medicine network (for example, on a HITS VM or using MCloud), you must complete a Michigan Medicine Investment Assurance Request before it is allowed to start running, or "go live" in IT parlance. If you are buying a new application that isn't on the Michigan Medicine network, see Buying New Applications. If you need to host a vendor application on the Michigan Medicine network, this page applies as well.

Even if you are working within approved services according to the Sensitive Data Guide, your application might still be considered a new application that needs to be assessed. Some key indicators of a new application are web servers, firewall changes, and communication between multiple non-storage servers (such as multiple HITS virtual servers). Information Assurance decides what needs to be assessed, so it is better to ask them early whether you will need an assessment. They have the authority to block your application from the network if it needs an assessment and does not have one.


Technical Owner

Every Investment needs a technical owner who can serve as the point of contact for security-related matters, such as vulnerability management. A technical owner must be a member of HITS or another Trusted IT Service Provider. Researchers are usually neither of these, so they can request one. This should be done first, before the Michigan Medicine Investment Assurance Request is submitted. Click on the link below to submit a request for HITS to help you find a technical owner.

Request help with a Technical Owner Request.



Michigan Medicine Investment Assurance Request

The Michigan Medicine Investment Assurance Request is a formal process to assess the security of your application. Its requirements differ based on Data Classification and on which components make up the application. If a vendor product is also part of the application, the Vendor Security Assessment will also be required (see Buying New Applications). Your technical owner will guide you through the Assurance process, request these requirements for you, and fill out the appropriate electronic forms. However, they need your engagement in the process.

Cybersecurity Technical Design

This is required regardless of data classification. It is a document detailing the broad security controls in the design of the system. There is extensive documentation on the Cybersecurity Technical Design, so you can start gathering the appropriate information beforehand.

Instructions for how to complete the Cybersecurity Technical Design.

Vulnerability Scan

This is required regardless of data classification. The application will be scanned for known vulnerabilities, and you will need to patch them accordingly.

Software Secure Code Review

This is required when you write your own code and the application handles High data. Your code will be statically analyzed for vulnerabilities such as SQL injection and buffer overflows. You will need to mitigate these vulnerabilities accordingly.

Penetration Test

This is required for High data. An Information Assurance analyst will attempt to compromise your application to reveal any vulnerabilities that only appear while the application is running. You will need to mitigate these vulnerabilities accordingly.


How long does this take?

Here are some time estimates for these requirements based on the size of the project. These estimates do not include any time the research team needs to remediate vulnerabilities.

Ongoing requirements

After the new application is approved, the research team is responsible for applying security patches in a timely manner. The application's technical owner will receive notifications if the vulnerability scanner finds any vulnerabilities and will forward them to the research team. Applications with High data will also need to complete a controls assessment every four years. Again, the technical owner will receive the notifications and forward them.