Payment Card Industry Data Security Standards (PCI DSS) Incident Response Plan

University of North Carolina at Chapel Hill Payment Card Industry Data Security Standards (PCI DSS) Incident Response Plan

The UNC-Chapel Hill Incident Management Policy requires "every faculty member, staff member, student, temporary employee, contractor, outside vendor, and visitor to campus (AKA User) who has access to University-owned or managed information through computing systems, devices, or physical files" to "report Information Security Incidents" per the procedures defined. As defined in the UNC-Chapel Hill Incident Management Policy, sensitive information includes "card holder data," as defined by the Payment Card Industry Data Security Standards.

As stated in the UNC-Chapel Hill Incident Management Policy, the Information Technology Services (ITS) Information Security Office (ISO), in conjunction with the Office of University Counsel and the affected University department, shall direct the incident response and investigation. ITS ISO, the Office of University Counsel, and the affected University department will coordinate on business recovery procedures, business continuity procedures, and data back-up processes, as appropriate. Coordination of activities may include the UNC Police when physical files are involved.

Specific incident response procedures are defined in the UNC-Chapel Hill Incident Management Procedures, consistent with availability to appropriate personnel. Communication and contact strategies in the event of an "Information Security Incident" are defined in the "Incident Reporting" section of the Incident Management Procedures, consistent with availability to appropriate personnel. The ITS ISO will work with the Office of University Counsel, as appropriate, to contact the Office of State Controller in the event of a reportable incident.

Specific procedures are documented in protected help.unc.edu documents and other locations specific to the groups with a business need to access the documents.

As a part of the incident response process, consultation of incident response procedures proposed by the payment brands may be required:

Related Requirements

External Regulations and Consequences

University Policies, Standards, and Procedures

Document History

  • Effective Date: 10/01/14
  • Review Date: 9/16/2014, 10/13/2015 (CISO), 10/17/2016 (CISO), 10/13/2017 (CISO), 10/7/2018 (CISO delegate)

Details

  • Article ID: 131257
  • Created: Thu 4/8/21 9:04 PM
  • Modified: Tue 3/8/22 10:23 AM
  • Effective Date (the date on which this document became/becomes enforceable, where that differs from the Origination or Last Revision date): 12/15/2020 8:35 AM
  • Issuing Officer:
  • Issuing Officer Title: Vice Chancellor for Information Technology and Chief Information Officer
  • Last Review: 12/15/2020 8:35 AM
  • Last Revised: 10/24/2019 2:57 PM
  • Origination: 10/01/2014 12:00 AM
  • Responsible Unit: Information Technology Services