Vulnerability Management Policy for Information Technology


University of North Carolina at Chapel Hill Information Technology Vulnerability Management Policy




Scope of Applicability

This policy applies to all UNC-Chapel Hill Affiliates who have responsibility for covered computing devices.


Policy Statement

This policy covers all computing devices that the UNC-Chapel Hill Information Security Controls Standard requires to be vulnerability scanned. Any UNC-Chapel Hill Affiliate with responsibility for a covered computing device must ensure that detected vulnerabilities are remediated within the specific timeframes described in the UNC-Chapel Hill Standard for Vulnerability Management, unless an approved exception exists.

The Chief Information Security Officer (CISO) has the authority to take action, with appropriate communication with system owners in advance, to ensure that un-remediated systems do not pose a threat to University information resources. Drastic actions such as blocking systems from the campus data network shall require the joint approval of the CISO and Chief Information Officer (CIO) (or in their absence, CISO/CIO delegates). In support of this policy, the CISO shall publish needed controls, standards, and procedures. Such standards shall include processes for determining remediation exceptions for systems and types of systems based on (at least): compensating controls, prohibitive technical and operational obstacles, or other system-specific circumstances.

Specific guidelines regarding compensating controls, developed in collaboration with internal University committees and the CISO, may grant exceptions to the requirements specified in the UNC-Chapel Hill Standard for Vulnerability Management. Such exceptions will balance the requirements of that Standard against the potential negative impact on the mission of the University.

Roles and Responsibilities

Chief Information Security Officer: Responsible for compliance with this policy throughout the University; adjudicates and escalates exceptions to the policy.

Administrators/IT Managers/Information Security Liaisons (ISL): Ensure that users and systems administrators adhere to this policy and its supporting guidelines and standards, or escalate non-compliance to University management.

Other Affiliates: Cooperate with Administrators/IT Managers/ISLs in scheduling system downtime and service outage windows, provide access to systems to facilitate vulnerability remediation, and maintain awareness of the vulnerability status of systems for which they are responsible.


Definitions

  • Administrator (System or Application): Individual responsible for the installation, maintenance, and deprovisioning of an information system, providing effective use of the information system, appropriate security parameters, and sound implementation of established information security best practices and University policy and procedures.
  • Computing Devices: For the purposes of this policy, computing devices include all information technology hardware capable of storing data, including, but not limited to, servers, workstations, laptops, and other mobile devices in use at UNC-Chapel Hill.
  • UNC-Chapel Hill Affiliate: UNC-Chapel Hill faculty, staff, students, retirees, contractors, distance learners, visiting scholars, and others who require UNC-Chapel Hill resources to work in conjunction with UNC-Chapel Hill.

Related Requirements

External Regulations and Consequences

Failure to comply with this policy may put University information assets at risk and may have disciplinary consequences for employees, up to and including termination of employment. Students who fail to adhere to this policy may be referred to the UNC-Chapel Hill Office of Student Conduct. Contractors, vendors, and others who fail to adhere to this policy may face termination of their business relationships with UNC-Chapel Hill.

Violation of this policy may also carry the risk of civil or criminal penalties.

University Policies, Standards, and Procedures

Informational Resources

For more background on Sensitive Information, search for "Sensitive Information" or consult the Information Classification Standard.

Contact Information

Policy Contacts

Subject                                    Contact                               Telephone      Online/Email
Policy Questions                           UNC ITS Policy Office                 919-962-HELP
Request Information Security Consulting    UNC ITS Information Security Office   919-962-HELP
Report a Violation                         UNC ITS Information Security Office   919-962-HELP   N/A
Assistance with Sensitive Information      UNC Privacy Office                    919-962-HELP

Document History

  • Effective Date: June 30, 2010, Chief Information Officer
  • Revised Date: February 18, 2016, Chief Information Officer. CISO authority clarification; exception section added.


Article ID: 131253
Thu 4/8/21 9:04 PM
Mon 7/12/21 11:23 AM
Effective Date: 12/15/2020 8:34 AM
Issuing Officer Title: Vice Chancellor for Information Technology and Chief Information Officer
Last Review: 12/15/2020 8:34 AM
Last Revised: 10/24/2019 2:57 PM
Origination Date: 06/30/2010 12:00 AM
Responsible Unit: Information Technology Services