This Policy provides general guidance on the protection of University information. This Policy is especially focused on protecting sensitive University information and is intended to require those responsible to safeguard these resources in an appropriate manner.
I. Purpose
Information is a vital component of University operations, and it is important to ensure that persons with a need for information have ready access to that information. It is equally important to ensure that measures have been taken to protect critical information against accidental or unauthorized access, modification, disclosure, or destruction.
The purpose of this Policy is to ensure that all individuals within its scope understand their responsibilities to preserve the security, reliability, integrity, and availability of information. This is accomplished by reducing the risk of compromise and taking appropriate security measures to protect University information resources. Access to certain University information resources is a privilege, not a right, and implies user responsibilities. Such access is subject to UNC Board of Governors and University policies, standards, guidelines, and procedures, as well as federal and state laws and regulations.
II. Definitions
Standards: Minimum requirements designed to address certain risks and specific requirements that ensure compliance with this Policy. These provide a basis for verifying compliance through audits and assessments. All units must comply with the standards by following prescribed procedures or by developing unit-specific procedures that are approved by the CIO and that meet or exceed the minimum requirements established by the standards. Units are encouraged to adopt local standards that exceed the minimum requirements.
Guidelines: General recommendations or instructions that provide a framework for achieving compliance with policies. They are more technical in nature than policies and standards and are updated on a more frequent basis to account for changes in technology and/or University practices.
Procedures: Step-by-step instructions for accomplishing a task. Procedures are designed to reinforce University policies. Procedures may also play an important role in maintaining compliance with regulations.
Terms not otherwise defined herein are italicized and defined in the Information Security Terms Guideline.
III. Scope
This Policy and all implemented standards, procedures, and guidelines apply to individuals using, accessing, storing, transmitting, or overseeing University information resources, including but not limited to:
- Faculty, staff, and students
- Affiliates, associates, contractors, and volunteers
- Third party vendors, including cases where vendor owned and/or managed equipment is housed or used in a University unit
IV. Responsibilities
The University’s Chief Information Officer (CIO) will have primary responsibility for:
- Oversight of information security
- Implementation and enforcement of this Policy
- Development, revision, approval, and oversight of information security standards, procedures, and guidelines developed pursuant to this Policy
- Educating the University community about information security responsibilities
The CIO will issue standards, procedures, and guidelines to assist units in implementing this and other information security-related policies. This Policy is the governing foundation for future standards, procedures, and guidelines related to information security.
The CIO may delegate individual responsibilities and authorities specified in this Policy or associated standards and procedures.
V. Policy
To ensure the security of University information resources, each University unit will protect University information resources by adhering to the security standards accompanying this Policy.
Individuals within the scope of this Policy are responsible for complying with this Policy and its accompanying standards, and with any accompanying procedures applicable to their unit.
VI. Recourse for Non-Compliance
In cases where University information resources are actively threatened, the CIO will act in the best interest of the University by securing those resources. When possible, the CIO will abide by established incident handling procedures to mitigate any threat. In an urgent situation requiring immediate action and leaving no time for collaboration, the CIO is authorized to disconnect any affected device from the network. University information resources are subject to vulnerability assessment and safeguard verification by the CIO.
Individuals who fail to comply with this Policy and/or any of its accompanying standards or procedures will be subject to disciplinary action in accordance with University Policy 801, Violation of University Policy.
VII. Exceptions
Exceptions to approved standards and procedures require CIO approval.
VIII. Support
All incidents of actual or suspected compromise must be reported immediately to the CIO or Chief Information Security Officer (CISO).
- Initially approved October 16, 1995
- Revised September 27, 2002
- Updated October 19, 2006
- Updated January 2, 2008
- Revised June 3, 2011
- Revised June 10, 2014
- Updated September 17, 2014
- Updated February 9, 2015
- Updated April 2, 2015
Authority: Chancellor
Responsible Office: Academic Affairs
Related Resources:
Regulations Supplemental to University Policy 311: