The UNC Policy Manual
1400.2
Adopted 01/26/18
Technical Corrections 04/25/19
I. Purpose.
This policy directs the UNC System Office and the constituent
institutions of the University of North Carolina to establish an information
security program and designate a senior officer, accountable to the president
or chancellor, who is responsible for information security. This policy also
requires the Board of Governors and constituent institution boards of trustees
to oversee information security.
II. Definitions
A. “Information security program” means policies, assessments, protocols, and
trainings designed to govern the storage, accessibility, and security of
information resources.
B. “Information resources” means information owned or possessed by the
University, or related to business of the University, regardless of form or
location, and the hardware and software resources used to electronically store,
process, or transmit that information.
III. Establishment of Information Security Program. The UNC
System Office and each constituent institution shall develop and maintain an
information security program to preserve the security, confidentiality,
accessibility, and integrity of information resources of the UNC System Office
or the constituent institution. The programs developed by the UNC System Office
and the constituent institutions must comply with the prevailing information
security standard adopted by the Board of Governors standing committee assigned
with audit responsibility. At a minimum, this program must include policies on the
storage, use, and accessibility of information resources, regular risk
assessments of existing information resources, a strategy statement setting
forth priorities for managing identified information security risks, and
incident response planning and notification procedures.
IV. Designation of Senior Officer with Information Security Responsibility. The UNC System
Office as well as each constituent institution shall identify a senior officer accountable
for overseeing implementation and periodic evaluation of the information
security program. The identified senior
officer shall be responsible for identifying and deploying all reasonable
measures to maintain the security, confidentiality, accessibility, and
integrity of information resources of the UNC System Office or the constituent
institution. The senior officer, as an essential
component of the officer’s designation, shall possess all necessary authority
to implement and evaluate all aspects of the information security plan. The
senior officer shall be accountable to the president or chancellor and
responsible for reporting to the Board of Governors or the constituent
institution’s board of trustees on matters related to information security upon
request.
V. Oversight of Information Security. The Board of
Governors and the board of trustees of each constituent institution shall
assign responsibility for oversight of the institution’s information security program
to a standing committee of the appropriate board with audit responsibility.
A. Audit Planning and Risk Assessment. Each institution’s internal auditor shall address
information security in annual audit planning and risk assessment. The assigned
committee shall ensure that information security is addressed in the annual
audit planning and risk assessments that are conducted by the institution’s
internal auditor.
B. Agenda Item at Regular Meetings. The assigned
committee shall periodically include an agenda item for emerging information
security matters at its regularly scheduled meetings.
C. Annual Report. The designated senior officer
with information security responsibility shall present a report to the assigned
committee, at least annually, on the institution’s information security program
and information technology security controls.
VI. Other Matters
A. Effective Date. The requirements of this policy
shall be effective on the date of adoption of this policy by the Board of
Governors.
B. Relation to State Laws. The foregoing policies as adopted by the Board of Governors are meant to
supplement, and do not purport to supplant or modify, those statutory
enactments which may govern the activities of public officials.
C. Regulations and Guidelines. These policies shall be implemented and
applied in accordance with such regulations and guidelines as may be adopted
from time to time by the president.