Information Security Liaison Standard

Title

University of North Carolina at Chapel Hill Standard on Information Security Liaisons

Introduction

Purpose

Given the risks associated with information security incidents, as well as implications for the University's compliance with federal and State regulatory requirements and the terms of certain grants and contracts, unit heads must be aware of information security issues and of their responsibilities for mitigating those risks.

Scope of Applicability

Unit heads reporting to the Provost or Chancellor ("Responsible Unit Heads"). Designated Information Security Liaisons. Information Security Office staff. Chief Information Security Officer.

Standard

Unit heads who report to the Provost or Chancellor (Responsible Unit Heads) must designate, at a minimum, one primary and one secondary Information Security Liaison (ISL). Depending on the size and distributed nature of the unit, additional Secondary Liaisons may be designated (Responsible Unit Heads should ensure that enough Liaisons are designated to cover their organizational span appropriately). Names and contact information for designated Liaisons must be provided to the Information Security Office (ISO) and kept up to date whenever changes occur.

Each ISL will act as an intermediary between his/her respective University business unit and the ISO by assisting the business unit in implementing the University's information security policies, participating in information security initiatives, and responding to security incidents.

Responsible Unit Heads may designate their Information Security Liaisons by sending (in writing, which includes electronic communication) the name, title, and contact information of each designee to the Information Security Office. When a vacancy occurs, at the discretion of the Responsible Unit Head or at any time at the request of the Information Security Office, the Responsible Unit Head must designate a replacement ISL. The ISL role should be treated by the assigned individual's unit as an official job responsibility.

ISL responsibilities are:

  1. Serve as a point of contact to the ISO and their user base for information security.
  2. Coordinate with the ISO with the goal of improving information security at UNC-Chapel Hill.

Specific duties include:

  1. Assist the ISO with timely incident management and response as requested.
  2. Support the proper identification, classification, and storage of University sensitive information.
  3. Advise and support the unit in proper management of mission-critical computer resources and those that work with sensitive information, including both in-house resources and resources supplied by third parties. In particular, enhance unit participation in the System Administration Initiative (SAI) program, support disaster recovery planning and testing, facilitate unit IT change management processes, and support implementation of necessary access controls.
  4. Represent their University business unit at ISL meetings.
  5. Partner with the ISO on security improvements for the ISL's University business unit or department.
  6. Keep the business unit management apprised of their entity's status with respect to information security matters and compliance with key security controls.

Exceptions

The Chief Information Security Officer or Chief Information Officer may decline an ISL designation, request an alternate designation, require fewer than two ISLs or request additional ISL designations from a unit, at their discretion.

Other exceptions to this Standard may be made by the Chief Information Security Officer or Chief Information Officer in writing.

Definitions

Information Security Incident: Includes any event that is known or has the potential to negatively impact the confidentiality, integrity, or availability of UNC-Chapel Hill's information. Incidents can range from the loss of a mobile device to the virus infection of an end-user workstation to a major intrusion by an intruder.

Information Security Office (ISO): Denotes the staff of the University's Information Security Office.

Mission-Critical Resource: Includes any resource that is critical to the mission of the University. Typical mission-critical resources have a maximum downtime of three consecutive hours or less. The owning business unit determines whether a resource is mission-critical. Once a resource is designated as mission-critical, information security policies and standards apply in an effort to assure that the resource remains available. If a business unit does not designate a resource as mission-critical, that resource may not be a priority for restoration of services in the event of an incident or outage.

Responsible Unit Head: Head of one or more University operating units who reports directly to the University Provost or Chancellor.

Sensitive Information: Information classified as Tier 2 or Tier 3 in the UNC-Chapel Hill Information Classification Standard.

Related Requirements

External Regulations and Consequences

Failure to adhere to this standard may put UNC-Chapel Hill information assets at risk and may have disciplinary consequences for employees, up to and including termination of employment. Contractors and vendors who fail to adhere to this standard may face termination of their business relationships with the University.

Violation of this standard may also carry the risk of civil or criminal penalties.

University Policies, Standards, and Procedures

Incident Management Policy

Incident Management Procedure

Payment Card Industry Incident Management Plan

Information Security Policy

Information Security Controls Standard

Information Classification Standard

Contact Information

Primary Contacts

Information Security Office (919-962-HELP, help.unc.edu)

ITS Policy Office its_policy@unc.edu

Important Dates

  • Effective Date and title of Approver: Unknown
  • Revision and Review Dates, Change notes, title of Reviewer or Approver: Information Security Liaison Policy Revised 6/10/2010, 6/30/2010, 6/8/2017 Chief Information Officer. Superseded by Information Security Liaison Standard, Chief Information Security Officer.

Details

Article ID: 131246

Created: Thu 4/8/21 9:04 PM

Modified: Mon 7/12/21 10:13 AM

Effective Date: 02/26/2020 8:24 AM

Issuing Officer Title: Assistant Vice Chancellor and Chief Information Security Officer

Last Review: 02/26/2020 8:24 AM

Last Revised: 02/08/2019 11:00 PM

Origination: 06/10/2010 12:00 AM

Responsible Unit: Information Technology Services