Title
University of North Carolina at Chapel Hill Policy on Information Security
Introduction
Purpose
This policy defines the framework upon which the information security program operates and gives direction for Information Security-related Policies, Standards, and Procedures to address specific areas of operation.
Scope of Applicability
All University Constituents and units.
Policy
Policy Statement
The University has a rich, complex, distributed, diverse, and dynamic information technology environment. Academic, research, and administrative functions of the University rely on technology that is trustworthy and accessible in order to fulfill the mission of this institution. Ongoing and evolving challenges to the integrity, reliability, and availability of University systems require a robust information security program.
Each University Constituent has responsibility for the security of University technology and University data to which they have access resulting from their affiliation with or relationship to the University. The UNC-Chapel Hill information security program is designed to involve each person in training, awareness, reporting, protecting sensitive information, and implementing security controls.
The University information technology security program is based upon the framework outlined in the International Standards Organization (ISO) and International Electrotechnical Commission (IEC) standard 27002. The framework is appropriately interpreted by the University's Chief Information Officer (CIO) and Chief Information Security Officer (CISO), who have determined that this framework conforms to the needs of this higher education institution. The University information technology security program is also informed by security principles and best practices provided by a variety of other sources, including those established by industry organizations and professional associations.
The University IT security program is also subject to applicable regulations, such as the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), and the North Carolina ID Theft Protection Act (NCID).
The CISO shall recommend appropriate policies in keeping with applicable law and best practices. The CISO shall promulgate standards and procedures for the University to implement policy and support a robust information security program that enables the University to operate securely and effectively.
Exceptions
Exceptions to specific elements of the information security program should be requested through the processes identified in related information security policies, standards, and procedures.
Definitions
Sensitive Information: Information classified as Tier 2 or Tier 3 in the UNC-Chapel Hill Information Classification Standard.
University Constituent: UNC-Chapel Hill faculty, staff, students, retirees and other affiliates, contractors, distance learners, visiting scholars and others who use or access UNC-Chapel Hill resources.
Related Requirements
External Regulations and Consequences
Compliance
Failure to comply with this policy may put University information assets at risk and may have disciplinary consequences for employees, up to and including termination of employment. Students who fail to adhere to this policy may be referred to the UNC-Chapel Hill Office of Student Conduct. Contractors, vendors, and others who fail to adhere to this policy may face termination of their business relationships with UNC-Chapel Hill.
Violation of this policy may also carry the risk of civil or criminal penalties.
University Policies, Standards, and Procedures
Contact Information
Policy Contact
- ITS Policy Office
Email: its_policy@unc.edu
Phone: 919-962-HELP
Other Contacts
Guidance on Specific Requests: ITS Policy Office, 919-962-HELP, help.unc.edu or its_policy@unc.edu
Important Dates
- Effective Date and title of Approver:
  - Effective Date: 6/30/2010
  - Approver: Chief Information Officer
- Revision and Review Dates, Change notes, title of Reviewer or Approver:
  - Last Revised Date: 10/24/2017
  - Revised by: Chief Information Officer
  - Substantive Revisions:
    - Complete revision