Information Security

University Policy: 
Executive Summary: 

This Policy provides general guidance on the protection of University information. This Policy is especially focused on protecting sensitive University information and is intended to require those responsible to safeguard these resources in an appropriate manner.

I.  Purpose

Information is a vital component of University operations, and it is important to ensure that persons with a need for information have ready access to that information. It is equally important to ensure that measures have been taken to protect critical information against accidental or unauthorized access, modification, disclosure, or destruction.

The purpose of this Policy is to ensure that all individuals within its scope understand their responsibilities to preserve the security, reliability, integrity, and availability of information.  This is accomplished by reducing the risk of compromise and taking appropriate security measures to protect University information resources.  Access to certain University information resources is a privilege, not a right, and implies user responsibilities.  Such access is subject to UNC Board of Governors and University policies, standards, guidelines, and procedures, as well as federal and state laws and regulations.

II.  Definitions

Standards:  Minimum requirements designed to address certain risks and specific requirements that ensure compliance with this Policy. These provide a basis for verifying compliance through audits and assessments. All units must comply with the standards by following prescribed procedures or by developing unit-specific procedures that are approved by the CIO and that meet or exceed the minimum requirements established by the standards.  Units are encouraged to adopt local standards that exceed the minimum requirements.

Guidelines:  General recommendations or instructions that provide a framework for achieving compliance with policies. They are more technical in nature than policies and standards and are updated on a more frequent basis to account for changes in technology and/or University practices.

Procedures:  Step-by-step instructions for accomplishing a task. Procedures are designed to reinforce University policies. Procedures may also play an important role in maintaining compliance with regulations.

Terms not otherwise defined herein are italicized and defined in the Information Security Terms Guideline.

III.  Scope

This Policy and all implemented standards, procedures, and guidelines apply to individuals using, accessing, storing, transmitting, or overseeing University information resources, including but not limited to:

  • Faculty, staff, and students
  • Affiliates, associates, contractors, and volunteers
  • Third-party vendors, including cases where vendor-owned and/or vendor-managed equipment is housed or used in a University unit

IV.  Responsibilities

The University’s Chief Information Officer (CIO) will have primary responsibility for:

  • Oversight of information security
  • Implementation and enforcement of this Policy
  • Development, revision, approval, and oversight of information security standards, procedures, and guidelines developed pursuant to this Policy
  • Educating the University community about information security responsibilities

The CIO will issue standards, procedures, and guidelines to assist units in implementing this and other information security-related policies. This Policy is the governing foundation for future standards, procedures, and guidelines related to information security.

The CIO may delegate individual responsibilities and authorities specified in this Policy or associated standards and procedures.

V.  Policy

To ensure the security of University information resources, each University unit will protect University information resources by adhering to the security standards accompanying this Policy.

Individuals within the scope of this Policy are responsible for complying with this Policy and its accompanying standards, and with any accompanying procedures applicable to their unit.

VI.  Recourse for Non-Compliance

In cases where University information resources are actively threatened, the CIO will act in the best interest of the University by securing those resources. When possible, the CIO will abide by established incident handling procedures to mitigate any threat. In an urgent situation requiring immediate action and leaving no time for collaboration, the CIO is authorized to disconnect any affected device from the network. University information resources are subject to vulnerability assessment and safeguard verification by the CIO.

Individuals who fail to comply with this Policy and/or any of its accompanying standards or procedures will be subject to disciplinary action in accordance with University Policy 801, Violation of University Policy.

VII.  Exceptions

Exceptions to approved standards and procedures require CIO approval.

VIII.  Support

All incidents of actual or suspected compromise must be reported immediately to the CIO or Chief Information Security Officer (CISO).

Revision History: 
  • Initially approved October 16, 1995
  • Revised September 27, 2002
  • Updated October 19, 2006
  • Updated January 2, 2008
  • Revised June 3, 2011
  • Revised June 10, 2014
  • Updated September 17, 2014
  • Updated February 9, 2015
  • Updated April 2, 2015

Authority: Chancellor

Responsible Office: Academic Affairs

Related Resources:

Regulations Supplemental to University Policy 311:

311.1 Credit/Debit Card Processing Regulation (REPLACED BY Payment (Credit/Debit) Card Processing Standard)
311.2 GLBA Information Security Program Regulation
311.4 Peer-to-Peer File Sharing Regulation
311.5 Personal Information Security Breach Notification Procedures
311.6 Regulation on Security of Electronic Individually Identifiable Health Care Information under HIPAA
311.7 Regulations on Information Systems Security
311.8 Regulations on the Use of Social Security Numbers
311.9 Regulation Regarding Third Party Data Subject to Contractual Access Restrictions