Information Security Policy

Title

University of North Carolina at Chapel Hill Policy on Information Security

Introduction

Purpose

This policy defines a framework for the Information Security Program. It gives direction for policies, standards, and procedures that relate to security. These documents tell us how to include information security in all the ways we work at the University of North Carolina at Chapel Hill ("University" or "UNC-Chapel Hill"). 

Scope

Everyone connected to the University and all University units. 

Policy

Policy Statement

The University has an information technology environment that is: 

  • rich,
  • complex,
  • distributed,
  • diverse, and
  • dynamic.

To do the work of the University, everyone at the University needs technology they can trust and access. That includes people in the academic, research, and administrative functions. That is easier said than done. University systems experience challenges every day. Those challenges are always evolving. They attack the systems’ integrity and can make them less reliable or available. We need a strong information security program to meet those challenges. 

Everyone at the University needs to keep University technology and data secure. To help, the Information Security Program: 

  • gives training,
  • raises awareness,
  • creates reports,
  • protects sensitive information, and
  • puts in place security controls.

The Information Security Program follows a framework set out in an international standard. Our University follows the International Standards Organization (ISO) standard 27002. The Program also takes best practices from other sources, such as industry organizations and professional associations.

Two people at the University are in charge of security: the Chief Information Officer and the Chief Information Security Officer. These two leaders determined that the ISO 27002 framework meets the University’s needs.

The Information Security Program also follows regulations like:

  • the Family Educational Rights and Privacy Act (FERPA),
  • the Health Insurance Portability and Accountability Act (HIPAA), and
  • the North Carolina ID Theft Protection Act (NCID).

The Chief Information Security Officer: 

  • recommends policies that follow security-related laws and best practices,
  • creates standards and procedures to give specific requirements about how to follow policies, and
  • runs an Information Security Program that keeps the University secure.

Exceptions

You may find that you need an exception from part of the Information Security Program. If you do, the processes in the information security policies, standards, and procedures explain how to ask for it.

Definitions

Sensitive Information: Information that the Information Classification Standard classifies as Tier 2 or Tier 3.

Related Requirements

External Regulations and Consequences

Compliance

Failure to comply with this policy may put University information assets at risk and may have disciplinary consequences for employees, up to and including termination of employment. Students who fail to adhere to this policy may be referred to the UNC-Chapel Hill Office of Student Conduct. Contractors, vendors, and others who fail to adhere to this policy may face termination of their business relationships with UNC-Chapel Hill.

Violation of this policy may also carry the risk of civil or criminal penalties.

University Policies, Standards, and Procedures

Contact Information

Policy Contact

Unit: ITS Policy Office

Phone: 919-962-HELP

Email: its_policy@unc.edu

Other Contacts

Guidance on Specific Requests

Reach out to the ITS Policy Office (919-962-HELP or its_policy@unc.edu), or check out the resources on help.unc.edu.

Important Dates

  • Effective Date and title of Approver:
    1. Effective Date: 6/30/2010
    2. Approver: Chief Information Officer
  • Revision and Review Dates, Change notes, title of Reviewer or Approver:
    1. Last Revised Date: 10/24/2017
    2. Revised by: Chief Information Officer
    3. Substantive Revisions:
      1. Complete revision