Information Security Policy


University of North Carolina at Chapel Hill Policy on Information Security



This policy defines a framework for the Information Security Program. It gives direction for policies, standards, and procedures that relate to security. These documents tell us how to include information security in all the ways we work at the University of North Carolina at Chapel Hill ("University" or "UNC-Chapel Hill"). 


Everyone connected to the University and all University units. 


Policy Statement

The University has an information technology environment that is: 

  • rich,
  • complex,
  • distributed,
  • diverse, and
  • dynamic.

To do the work of the University, everyone at the University needs technology they can trust and access. That includes people in the academic, research, and administrative functions. That is easier said than done. University systems experience challenges every day. Those challenges are always evolving. They attack the systems’ integrity and can make them less reliable or available. We need a strong information security program to meet those challenges. 

Everyone at the University needs to keep University technology and data secure. To help, the Information Security Program: 

  • gives training,
  • raises awareness,
  • creates reports,
  • protects sensitive information, and
  • puts in place security controls.

The Information Security Program follows a framework set out in an international standard. Our University follows the International Standards Organization Standard (ISO) 27002. The Program also takes best practices from other sources. For example, industry organizations and professional associations give best practices.

Two people at the University are in charge of security. They are the Chief Information Officer and Chief Information Security Officer. These two leaders determined the ISO 27002 framework meets the University’s needs.

The Information Security Program also follows regulations like:

  • the Family Educational Rights and Privacy Act (FERPA),
  • the Health Insurance Portability and Accountability Act (HIPAA), and
  • the North Carolina ID Theft Protection Act (NCID).

The Chief Information Security Officer: 

  • recommends policies that follow security-related laws and best practices.
  • creates standards and procedures to give specific requirements about how to follow policies, and
  • runs an Information Security Program that keeps the University secure.


You may find that you need an exception from part of the Information Security Program. If you do, the processes in the information security policies, standards, and procedures explain how to ask for it.


Sensitive Information: Information that the Information Classification Standard classifies as Tier 2 or Tier 3.

Related Requirements

External Regulations and Consequences


Failure to comply with this policy may put University information assets at risk and may have disciplinary consequences for employees, up to and including termination of employment. Students who fail to adhere to this policy may be referred to the UNC-Chapel Hill Office of Student Conduct. Contractors, vendors, and others who fail to adhere to this policy may face termination of their business relationships with UNC-Chapel Hill.

Violation of this policy may also carry the risk of civil or criminal penalties.

University Policies, Standards, and Procedures

Contact Information

Policy Contact

Unit: ITS Policy Office

Phone: 919-962-HELP


Other Contacts

Guidance on Specific Requests

Reach out to the ITS Policy Office (919-962-HELP or, or check out the resources on

Important Dates

  • Effective Date and title of Approver:
    1. Effective Date: 6/30/2010
    2. Approver: Chief Information Officer
  • Revision and Review Dates, Change notes, title of Reviewer or Approver:
    1. Last Revised Date: 10/24/2017
    2. Revised by: Chief Information Officer
    3. Substantive Revisions:
      1. Complete revision
100% helpful - 2 reviews
Print Article


Article ID: 131258
Thu 4/8/21 9:04 PM
Thu 12/14/23 12:02 PM
Responsible Unit
School, Department, or other organizational unit issuing this document.
Information Technology Services
Issuing Officer
Name of the document Issuing Officer. This is the individual whose organizational authority covers the policy scope and who is primarily responsible for the policy.
Issuing Officer Title
Title of the person who is primarily responsible for issuing this policy.
Vice Chancellor for Information Technology and Chief Information Officer
Next Review
Date on which the next document review is due.
12/13/2026 12:00 AM
Last Review
Date on which the most recent document review was completed.
12/13/2023 12:00 AM
Last Revised
Date on which the most recent changes to this document were approved.
10/24/2019 12:00 AM
Effective Date
If the date on which this document became/becomes enforceable differs from the Origination or Last Revision, this attribute reflects the date on which it is/was enforcable.
12/07/2020 2:14 PM
Date on which the original version of this document was first made official.
06/30/2010 12:00 AM

Related Articles (6)

The UNC-Chapel Hill Adams School of Dentistry has a legal and ethical responsibility to safeguard patient information. This responsibility includes ensuring that devices storing Protected Health Information ("PHI") or other Sensitive Information are properly encrypted and are serviced by an appropriate vendor. The purpose of this Policy is to ensure that all Computing Devices used by students will meet institutional security requirements.
Some University business units operate their own email systems. Email accounts used to conduct the business of the University require that appropriate security, backup, and records-retention measures be in place. Departments may host or contract for separate email systems using either sub-domains (such as "") or entirely separate domains (such as ""). This Policy addresses requirements for these units.
This document describes who at the University of North Carolina at Chapel Hill appoints Information Security Liaisons and what those Information Security Liaisons do.
All members of the University community who engage with any University information technology (including wireless or other networks) must adhere to this Acceptable Use Policy.
Failure to protect information through the use of strong passwords/pass-phrases and additional authentication methods may result in incidents that expose sensitive information and/or impact mission-critical UNC-Chapel Hill services. This Standard outlines minimum requirements for authentication mechanisms for information systems under the University's control and password strength and other requirements for accounts on University systems and accounts that use University data.
This standard sets a minimum baseline for managing vulnerabilities on any UNC-Chapel Hill system required by the UNC-Chapel Hill Information Security Controls Standard to be scanned for vulnerabilities. Please see the “Exceptions” section for phased implementation through 2026.