This Policy provides general guidance on the protection of University information. This Policy is especially focused on protecting sensitive University information and is intended to require those responsible to safeguard these resources in an appropriate manner.
Information is a vital component of University operations, and it is important to ensure that persons with a need for information have ready access to that information. It is equally important to ensure that measures have been taken to protect critical information against accidental or unauthorized access, modification, disclosure, or destruction.
The purpose of this Policy is to ensure that all individuals within its scope understand their responsibilities to preserve the security, reliability, integrity, and availability of information. This is accomplished by reducing the risk of compromise and taking appropriate security measures to protect University information resources. Access to certain University information resources is a privilege, not a right, and implies user responsibilities. Such access is subject to UNC Board of Governors and University policies, standards, guidelines, and procedures, as well as federal and state laws and regulations.
Standards: Minimum requirements designed to address certain risks and specific requirements that ensure compliance with this Policy. These provide a basis for verifying compliance through audits and assessments. All units must comply with the standards by following prescribed procedures or by developing unit-specific procedures that are approved by the CIO and that meet or exceed the minimum requirements established by the standards. Units are encouraged to adopt local standards that exceed the minimum requirements.
Guidelines: General recommendations or instructions that provide a framework for achieving compliance with policies. They are more technical in nature than policies and standards and are updated on a more frequent basis to account for changes in technology and/or University practices.
Procedures: Step-by-step instructions for accomplishing a task. Procedures are designed to reinforce University policies. Procedures may also play an important role in maintaining compliance with regulations.
Terms not otherwise defined herein are italicized and defined in the Information Security Terms Guideline.
This Policy and all implemented standards, procedures, and guidelines apply to individuals using, accessing, storing, transmitting, or overseeing University information resources, including but not limited to:
The University’s Chief Information Officer (CIO) will have primary responsibility for:
The CIO will issue standards, procedures, and guidelines to assist units in implementing this and other information security-related policies. This Policy is the governing foundation for future standards, procedures, and guidelines related to information security.
The CIO may delegate individual responsibilities and authorities specified in this Policy or associated standards and procedures.
To ensure the security of University information resources, each University unit will protect University information resources by adhering to the security standards accompanying this Policy.
Individuals within the scope of this Policy are responsible for complying with this Policy and its accompanying standards, and with any accompanying procedures applicable to their unit.
VI. Recourse for Non-Compliance
In cases where University information resources are actively threatened, the CIO will act in the best interest of the University by securing those resources. When possible, the CIO will abide by established incident handling procedures to mitigate any threat. In an urgent situation requiring immediate action and leaving no time for collaboration, the CIO is authorized to disconnect any affected device from the network. University information resources are subject to vulnerability assessment and safeguard verification by the CIO.
Individuals who fail to comply with this Policy and/or any of its accompanying standards or procedures will be subject to disciplinary action in accordance with University Policy 801, Violation of University Policy.
Exceptions to approved standards and procedures require CIO approval.
Responsible Office: Academic Affairs
|311.1||Credit/Debit Card Processing Regulation-REPLACED BY Payment (Credit/Debit) Card Processing Standard|
|311.2||GLBA Information Security Program Regulation|
|311.4||Peer-to-Peer File Sharing Regulation|
|311.5||Personal Information Security Breach Notification Procedures|
|311.6||Regulation on Security of Electronic Individually Identifiable Health Care Information under HIPAA|
|311.7||Regulations on Information Systems Security|
|311.8||Regulations on the Use of Social Security Numbers|
|311.9||Regulation Regarding Third Party Data Subject to Contractual Access Restrictions|