Information Security Liaison Standard

Title

University of North Carolina at Chapel Hill Standard on Information Security Liaisons

Introduction

Purpose

Unit heads who report to the Provost or Chancellor of the University of North Carolina at Chapel Hill ("University" or "UNC-Chapel Hill") are called "Responsible Unit Heads." Responsible Unit Heads oversee a University operating unit. It’s important for these University leaders to understand the risks that information security issues bring. These issues affect our ability to follow federal and state regulations. They can also make it harder to meet the terms of grants and contracts. It’s also important for Responsible Unit Heads to understand their role in reducing information security risks.

Scope

Responsible Unit Heads. Staff who have the role of Information Security Liaison (ISL). Information Security Office staff. Chief Information Security Officer. 

Standard

Responsible Unit Heads must assign at least one person in their unit to be the ISL. (Responsible Unit Heads must ensure they have enough ISLs to cover their organization well.) Responsible Unit Heads must give the name, title, and contact information for ISLs to the Information Security Office (ISO) in writing. Each ISL will be the go-between for their University operating unit and the ISO. When an ISL vacancy occurs, the Responsible Unit Head can choose a replacement and update the ISO in writing. The Information Security Office can also request a replacement at any time. The ISL role should be an official job responsibility for the person who fills the role. The ISL performs these duties:  

  • Is a point of contact to the ISO and their user base for information security;
  • Works with the ISO to improve information security at UNC-Chapel Hill;
  • Helps the business unit put the University's information security policies in place;
  • Takes part in information security initiatives;
  • Helps the ISO manage and respond to incidents when asked;
  • Helps find, classify, and store sensitive information correctly;
  • Helps the unit manage mission-critical computer resources;
  • Gives advice and support to those who work with sensitive information. This applies to both in-house resources and those supplied by third parties;
  • Helps the unit take part in the System Administration Initiative program;
  • Helps plan and test disaster recovery methods;
  • Runs the unit’s process for managing IT changes;
  • Helps put controls in place on system access;
  • Represents their business unit at ISL meetings;
  • Partners with the ISO to improve security for the ISL's University business unit;
  • Keeps their management up to date on information security matters; and
  • Lets their management know how well they are following key security controls.

Exceptions

The Chief Information Security Officer or Chief Information Officer may choose to turn down an ISL choice. They may ask the Responsible Unit Head for a different ISL or for more or fewer ISLs for a University operating unit.

The Chief Information Security Officer or Chief Information Officer may make other exceptions to this Standard in writing.

Definitions

Information Security Incident: Any event that can reduce the confidentiality, integrity, or availability of UNC-Chapel Hill’s information. Incidents can range from losing a mobile device to a virus infecting an end-user workstation to a major intrusion.

Mission-Critical Resource: Any resource that is critical to the mission of the University. Mission-critical resources can usually be down for no more than three (3) consecutive hours. The University operating unit that owns the resource decides if it is mission critical. If it is, information security policies and standards apply. This is to make sure the resource stays available. If the resource is not marked mission-critical, it is not a priority for being restored if there is an incident or outage.

Responsible Unit Head: Head of one or more University operating units who reports directly to the University Provost or Chancellor.

Sensitive Information: Information classified as Tier 2 or Tier 3 in the UNC-Chapel Hill Information Classification Standard.

System Administration Initiative (SAI): A program of the University that provides training to people responsible for IT services, as well as vulnerability management services for those services.

Related Requirements

External Regulations and Consequences

Failure to adhere to this standard may put UNC-Chapel Hill information assets at risk and may have disciplinary consequences for employees, up to and including termination of employment. Contractors and vendors who fail to adhere to this standard may face termination of their business relationships with the University.

Violation of this standard may also carry the risk of civil or criminal penalties.

University Policies, Standards, and Procedures

Contact Information

Primary Contacts

Information Security Office

Phone: 919-962-HELP

Web: help.unc.edu

ITS Policy Office

Email: its_policy@unc.edu

Important Dates

  • Effective Date and title of Approver: Unknown
  • Revision and Review Dates, Change notes, title of Reviewer or Approver: Information Security Liaison Policy Revised 6/10/2010, 6/30/2010, 6/8/2017 Chief Information Officer. Superseded by Information Security Liaison Standard, Chief Information Security Officer.

Details

  • Article ID: 131246
  • Created: Thu 4/8/21 9:04 PM
  • Modified: Tue 4/16/24 3:58 PM
  • Effective Date: 02/26/2020 8:24 AM
  • Issuing Officer Title: Assistant Vice Chancellor and CISO • ITS - VC - CIO
  • Last Review: 12/13/2023 12:00 AM
  • Last Revised: 02/08/2019 11:00 PM
  • Next Review: 12/13/2026 12:00 AM
  • Origination: 06/10/2010 12:00 AM
  • Responsible Unit: Information Technology Services
