Information Assurance (IA) Review Process

Summary

Managing risk associated with information and data security is important for any study utilizing mobile technologies. These studies require data to be transferred from a 3rd party into the university computing environment and 3rd parties often have access to study data. Both activities create vulnerabilities that need to be managed. This article provides information and resources for investigators that will help them prepare for and request an IA review at Michigan.

General Overview

NOTE: Several of the links in this article require being logged in with Level 1 or Level 2 U-M credentials. If links are not working, make sure you are logged in and retry the links.

Investigators should start by understanding the Technology Elements of a study utilizing mobile technologies. Completing the downloadable planning document helps investigators make a plan for the technology they will need to successfully conduct a study. When finalized, this document should be submitted with their request for an IA review.

To learn about the key components that feed information security requirements at Michigan, review "Are you purchasing an IT System or Service?" Scroll down to the interactive "snake chart" and follow each step. If you aren't sure if you need an IA review, you can request a consult to have an IA team member provide guidance.

Does My Study Need an IA Review?

A review is required if:

  • Any vendor connects to the U-M / MM computer network.
  • Study data is stored or transmitted, either via cloud or on-premise server, by any technology or service being utilized by the study team.
  • Any 3rd party is connecting to a system owned by U-M / MM, either via cloud or on-premise server.
  • The technology or service is not on the approved list.

The following are examples of situations that would require a review. This list does not cover every possible situation. 

  • If you are using any software or mobile app that is not on the approved list. 
  • If you want to automate pushing data from an outside vendor.
  • If you plan to store data with any vendor or collaborator outside of Michigan Medicine.
  • If you are moving data between academic institutions.
  • If you are unsure of the data classification for your study data. Learn more about Data Security at U-M.
  • If any 3rd parties will have access to data collected for the study. 
  • If any vendor will have a U-M / MM sponsored account.

Before Requesting an IA Review

The goal of the IA team is to understand the security risks associated with your particular project. Gathering the following information and submitting it with your request for a review will reduce back-and-forth between your team and the IA team.

General Information

  • Company and product names of any technology that will be used in the study.
  • A description of the technology and how it will be used. What problem does it solve?
  • The primary use of the technology: academic (including research), business and administration, clinical.

Vendor Access to Data

  • Will the vendor have access to data? Access to data includes but is not limited to data on the university network or data stored in a cloud or off-premise location.
  • Will the vendor have a 'service and support' connection (e.g., VPN, remote viewing, remote access)?
  • Will the vendor have any sponsored accounts?
  • Does a Business Associate Agreement and a Data Protection Agreement pertain to this product? If so, does one exist? Check here.

Technology Elements & Data Flow

  • Completed Technology Elements for a Study with Mobile Technologies document, found on the right toolbar of this article
  • A study-specific data flow diagram. This article provides an example of a standardized data flow. The Mobile Technologies Core or MM Academic IT can help with developing a data flow diagram if needed. 

Timing

Reviews should be requested as soon as an investigator knows what technology will be used and how they plan to implement the technology. Requests are prioritized by many factors including risk type, data types, and study deadlines. Plan a minimum of 6 weeks for the review.

What to Expect During an IA Review

The IA team will likely have follow-up questions and may make recommendations that reduce risk. If a new vendor is being evaluated, the IA team will have questions for the vendor. Review time can be significantly impacted if the study team or vendor does not promptly reply to requests for information from the IA team.  

Request an IA Review 

MICHIGAN MEDICINE

This process is for Michigan Medicine PIs and Co-PIs and for University of Michigan PIs who will be using Michigan Medicine data in their study.

First, determine if your unit has a Michigan Medicine Trusted Service Provider (TSP) designation. If you are unsure, ask your unit administrator.

Units with a TSP

If your unit has a TSP, provide them with the links below and ask that they submit an MMIAR on your behalf.

Units without a TSP

If your unit does not have a TSP, request an Introductory Research Consult with Academic IT. They will guide you through the process. 

UNIVERSITY OF MICHIGAN

University of Michigan PIs who will not be using Michigan Medicine data should submit a ticket to ITS requesting an IA review for their study.

Resources

University of Michigan - Level 1 login required

Michigan Medicine - Level 2 login required

About the Author

                                                
            

As the Mobile Technologies Core Manager at the University of Michigan’s Eisenberg Family Depression Center, Victoria Bennett helps investigators navigate the university’s robust resources while perpetually looking for opportunities to curate new resources. She aims to reduce friction for investigators who wish to utilize mobile technologies in health research. Drawing from her extensive experience with entrepreneurship, Victoria applies an entrepreneurial mindset to create efficient systems, improving operational effectiveness and impact. 

            


Details

Article ID: 11378
Created: Mon 12/18/23 4:59 PM
Modified: Fri 3/29/24 4:06 PM
Author(s): Victoria Bennett

Related Articles (3)

This article provides general IRB guidance for investigators planning to include mobile apps, mobile devices, and other mobile technologies in human health research. It is not intended to address all aspects of an IRB review, only those related to mobile technologies.
Standardized data flow for research studies that utilize mobile technologies at the University of Michigan. It depicts how data typically moves from a smart watch or wearable device, into University resources behind a firewall, and finally lands on long-term storage for preservation and analytics.
Understanding the technology elements for a study utilizing wearable and mobile technologies will assist researchers during the study planning process in several ways.

- Build a more accurate study budget.
- Develop a Data Management & Sharing Plan, which can be a requirement for funders and journal submissions.
- Prepare for regulatory and compliance processes, like an Information Assurance (IA) review, if needed.