The UNC Policy Manual


Adopted 01/26/18

Technical Corrections 04/25/19


Information Security


I.                      Purpose.  This policy directs the UNC System Office and the constituent institutions of the University of North Carolina to establish an information security program and designate a senior officer, accountable to the president or chancellor, who is responsible for information security. This policy also requires the Board of Governors and constituent institution boards of trustees to oversee information security.


II.                Definitions


A.            “Information security program” means policies, assessments, protocols, and trainings designed to govern the storage, accessibility, and security of information resources.


B.            “Information resources” means information owned or possessed by the University, or related to business of the University, regardless of form or location, and the hardware and software resources used to electronically store, process, or transmit that information.


III.                 Establishment of Information Security Program.  The UNC System Office and each constituent institution shall develop and maintain an information security program to preserve the security, confidentiality, accessibility, and integrity of information resources of the UNC System Office or the constituent institution. The programs developed by the UNC System Office and the constituent institutions must comply with the prevailing information security standard adopted by the Board of Governors standing committee assigned with audit responsibility. At a minimum, this program must include policies on the storage, use, and accessibility of information resources, regular risk assessments of existing information resources, a strategy statement setting forth priorities for managing identified information security risks, and incident response planning and notification procedures.


IV.                Designation of Senior Officer with Information Security Responsibility. The UNC System Office as well as each constituent institution shall identify a senior officer accountable for overseeing implementation and periodic evaluation of the information security program.  The identified senior officer shall be responsible for identifying and deploying all reasonable measures to maintain the security, confidentiality, accessibility, and integrity of information resources of the UNC System Office or the constituent institution.  The senior officer, as an essential component of the officer’s designation, shall possess all necessary authority to implement and evaluate all aspects of the information security plan. The senior officer shall be accountable to the president or chancellor and responsible for reporting to the Board of Governors or the constituent institution’s board of trustees on matters related to information security upon request.


V.                  Oversight of Information Security.  The Board of Governors and the board of trustees of each constituent institution shall assign responsibility for oversight of the institution’s information security program to a standing committee of the appropriate board with audit responsibility.


A.                  Audit Planning and Risk Assessment. Each institution’s internal auditor shall address information security in annual audit planning and risk assessment. The assigned committee shall ensure that information security is addressed in the annual audit planning and risk assessments that are conducted by the institution’s internal auditor.


B.                  Agenda Item at Regular Meetings.  The assigned committee shall periodically include an agenda item for emerging information security matters at its regularly scheduled meetings.


C.                  Annual Report.  The designated senior officer with information security responsibility shall present a report to the assigned committee, at least annually, on the institution’s information security program and information technology security controls.


VI.          Other Matters


                A.            Effective Date.  The requirements of this policy shall be effective on the date of adoption of this policy by the Board of Governors.


                B.            Relation to State Laws.  The foregoing policies as adopted by the Board of Governors are meant to supplement, and do not purport to supplant or modify, those statutory enactments which may govern the activities of public officials.


                C.            Regulations and Guidelines.  These policies shall be implemented and applied in accordance with such regulations and guidelines as may be adopted from time to time by the president.