Information Security Policy


University of North Carolina at Chapel Hill Policy on Information Security



This policy defines the framework upon which the information security program operates and gives direction for Information Security-related Policies, Standards, and Procedures to address specific areas of operation.

Scope of Applicability

All University Constituents and units.


Policy Statement

The University has a rich, complex, distributed, diverse, and dynamic information technology environment. Academic, research, and administrative functions of the University rely on technology that is trustworthy and accessible in order to fulfill the mission of this institution. Ongoing and evolving challenges to the integrity, reliability, and availability of University systems require a robust information security program.

Each University Constituent has responsibility for the security of University technology and University data to which they have access resulting from their affiliation with or relationship to the University. The UNC-Chapel Hill information security program is designed to involve each person in training, awareness, reporting, protecting sensitive information, and implementing security controls.

The University information technology security program is based upon the framework outlined in the International Standards Organization (ISO) and International Electrotechnical Commission (IEC) standard 27002. The framework is appropriately interpreted by the University's Chief Information Officer (CIO) and Chief Information Security Officer (CISO), who have determined that this framework conforms to the needs of this higher education institution. The University information technology security program is also informed by security principles and best practices provided by a variety of other sources, including those established by industry organizations and professional associations.

The University IT security program is also subject to applicable regulations, such as the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), and the North Carolina ID Theft Protection Act (NCID).

The CISO shall recommend appropriate policies in keeping with applicable law and best practices. The CISO shall promulgate standards and procedures for the University to implement policy and support a robust information security program that enables the University to operate securely and effectively.


Exceptions to specific elements of the information security program should be requested through the processes identified in related information security policies, standards, and procedures.


Sensitive Information: Information classified as Tier 2 or Tier 3 in the UNC-Chapel Hill Information Classification Standard.

University Constituent: UNC-Chapel Hill faculty, staff, students, retirees and other affiliates, contractors, distance learners, visiting scholars and others who use or access UNC-Chapel Hill resources.

Related Requirements

External Regulations and Consequences


Failure to comply with this policy may put University information assets at risk and may have disciplinary consequences for employees, up to and including termination of employment. Students who fail to adhere to this policy may be referred to the UNC-Chapel Hill Office of Student Conduct. Contractors, vendors, and others who fail to adhere to this policy may face termination of their business relationships with UNC-Chapel Hill.

Violation of this policy may also carry the risk of civil or criminal penalties.

University Policies, Standards, and Procedures

Contact Information

Policy Contact

  1. ITS Policy Office
    Phone: 919-962-HELP

Other Contacts

Guidance on Specific Requests ITS Policy Office 919-962-HELP or

Important Dates

  • Effective Date and title of Approver:
    1. Effective Date: 6/30/2010
    2. Approver: Chief Information Officer
  • Revision and Review Dates, Change notes, title of Reviewer or Approver:
    1. Last Revised Date: 10/24/2017
    2. Revised by: Chief Information Officer
    3. Substantive Revisions:
      1. Complete revision


Article ID: 131258
Thu 4/8/21 9:04 PM
Wed 3/2/22 9:19 AM
Effective Date
If the date on which this document became/becomes enforceable differs from the Origination or Last Revision, this attribute reflects the date on which it is/was enforceable.
12/07/2020 2:14 PM
Issuing Officer
Name of the document Issuing Officer. This is the individual whose organizational authority covers the policy scope and who is primarily responsible for the policy.
Issuing Officer Title
Title of the person who is primarily responsible for issuing this policy.
Vice Chancellor for Information Technology and Chief Information Officer
Last Review
Date on which the most recent document review was completed.
12/15/2021 12:00 AM
Last Revised
Date on which the most recent changes to this document were approved.
10/24/2019 12:00 AM
Next Review
Date on which the next document review is due.
12/14/2024 12:00 AM
Date on which the original version of this document was first made official.
06/30/2010 12:00 AM
Responsible Unit
School, Department, or other organizational unit issuing this document.
Information Technology Services