Policy on Information Security

Applied-to-Constituents Applies-to-Faculty Applies-to-Staff Applies-to-Students IT University-Policy IT-Security

University Policy

University of North Carolina at Chapel Hill Policy on Information Security

Introduction

Purpose

This policy defines the framework upon which the information security program operates and gives direction for Information Security-related Policies, Standards, and Procedures to address specific areas of operation.

Scope of Applicability

All University Constituents and units.

Policy

Policy Statement

The University has a rich, complex, distributed, diverse, and dynamic information technology environment. Academic, research, and administrative functions of the University rely on technology that is trustworthy and accessible in order to fulfill the mission of this institution. Ongoing and evolving challenges to the integrity, reliability, and availability of University systems require a robust information security program.

Each University Constituent has responsibility for the security of University technology and University data to which they have access resulting from their affiliation with or relationship to the University. The UNC-Chapel Hill information security program is designed to involve each person in training, awareness, reporting, protecting sensitive information, and implementing security controls.

The University information technology security program is based upon the framework outlined in the International Standards Organization (ISO) and International Electrotechnical Commission (IEC) standard 27002. The framework is appropriately interpreted by The University's Chief Information Officer (CIO) and Chief Information Security Officer (CISO) who have determined that this framework conforms to the needs of this higher education institution. The University information technology security program is also informed by security principles and best practices provided by a variety of other sources, including those established by industry organizations and professional associations.

The University IT security program is also subject to applicable regulations, such as the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), and North Carolina ID Theft Protection Act (NCID).

The CISO shall recommend appropriate policies in keeping with applicable law and best practices. The CISO shall promulgate standards and procedures for the University to implement policy and support a robust information security program that enables the University to operate securely and effectively.

Exceptions

Exceptions to specific elements of the information security program should be requested through the processes identified in related information security policies, standards, and procedures.

Definitions

Sensitive Information: Information classified as Tier 2 or Tier 3 in the UNC-Chapel Hill Information Classification Standard.

University Constituent: UNC-Chapel Hill faculty, staff, students, retirees and other affiliates, contractors, distance learners, visiting scholars and others who use or access UNC-Chapel Hill resources.

Related Requirements

External Regulations and Consequences

Compliance

Failure to comply with this policy may put University information assets at risk and may have disciplinary consequences for employees, up to and including termination of employment. Students who fail to adhere to this policy may be referred to the UNC-Chapel Hill Office of Student Conduct. Contractors, vendors, and others who fail to adhere to this policy may face termination of their business relationships with UNC-Chapel Hill.

Violation of this policy may also carry the risk of civil or criminal penalties.

University Standards and Procedures

Information Security Controls Standard
Vulnerability Management Policy and Standard
Passwords, Pass-phrases, and Other Authentication Methods Standard
Information Classification Standard
Information Security Liaison Standard
Information Technology Acceptable Use Policy
Onyen Policy
Transmission of Sensitive Information Standard

Contact Information

Policy Contact

ITS Policy Office
Email: its_policy@unc.edu
Phone: 919-962-HELP

Other Contacts

Guidance on Specific Requests

Deputy CIO, CISO

919-962-HELP

help.unc.edu

Important Dates

Effective Date and title of Approver:
1. Effective Date: 6/30/2010
2. Approver: Chief Information Officer
Revision and Review Dates, Change notes, title of Reviewer or Approver:
1. Last Revised Date: 10/24/2017
2. Revised by: Chief Information Officer
3. Substantive Revisions:
  1. Complete revision

0 reviews

Details

Article ID: 131258

Created

Thu 4/8/21 9:04 PM

Modified

Wed 4/21/21 11:26 AM

Effective Date

If the date on which this document became/becomes enforceable differs from the Origination or Last Revision, this attribute reflects the date on which it is/was enforcable.

12/07/2020 2:14 PM

Issuing Officer

Name of the document Issuing Officer. This is the individual whose organizational authority covers the policy scope and who is primarily responsible for the policy.

Mike Barker

Issuing Officer Title

Title of the person who is primarily responsible for issuing this policy.

Vice Chancellor for IT and CIO

Last Review

Date on which the most recent document review was completed.

12/07/2020 2:14 PM

Last Revised

Date on which the most recent changes to this document were approved.

10/24/2019 12:00 AM

Origination

Date on which the original version of this document was first made official.

06/30/2010 12:00 AM

Responsible Unit

School, Department, or other organizational unit issuing this document.

Information Technology Services

Updating...