The UNC Policy Manual
1400.3
Adopted 05/24/18
I. Purpose.
The security, privacy, and integrity of data and information systems are an operational priority for the University of North Carolina. Identity confirmation and access control techniques help mitigate the risk of unauthorized access to University data and information systems. This policy directs all University of North Carolina System constituent institutions to evaluate and conduct risk-based implementation of appropriate identity confirmation and access control techniques, such as multi-factor authentication, to control access to University data.
II. Risk-Based Implementation of Identity Confirmation and Access Control Measures.
The UNC System chief information officer shall, in consultation with the Chief Information Officers Council, develop, maintain, and update standards for risk-informed identity confirmation and access control, such as multi-factor authentication, for use by constituent institutions and the UNC System Office. In the absence of multi-factor authentication, constituent institutions shall identify, implement, and document other appropriate measures to control access to sensitive data. Based on evaluation of the constituent institutions’ identity confirmation and access control techniques, the University chief information officer may identify constituent institutions that require additional resources or consultation to implement and maintain adequate measures and meet the requirements of this policy.
A. Each constituent institution and the UNC System Office shall implement and maintain risk-informed techniques to confirm user identity and control access to University information systems and resources, in accordance with the standards developed and maintained by the UNC System chief information officer.
B. The chancellor, or the president in the case of the UNC System Office, shall designate the institution’s chief information officer or other member of the senior staff, who will be responsible for the oversight of the implementation and maintenance of user identity confirmation and access control techniques as required by this policy. The institution’s chief information officer shall be vested with such authority as is necessary to successfully oversee all aspects of the user identity confirmation and access control program as it applies to staff, faculty, students, and other individuals with access to the institution’s information technology systems and information resources.
C. Each institution’s user identification and access control measures must sufficiently control access to sensitive University data such as personally identifiable information, personal health information, and information subject to state or federal laws or regulations.
D. The timing and application of user identification and access control measures, such as multi-factor authentication and other techniques, shall be determined in accordance with the standards maintained by the UNC System chief information officer, and guided by a risk-based evaluation of University data and information systems.
E. The standards developed and maintained by the UNC System chief information officer, and the standards and measures established by the constituent institutions in accordance with those standards, shall be confidential and not considered a public record to the extent permitted by North Carolina law.
F. The UNC System Office chief information officer shall work with the UNC System Office finance, audit, and legal staff, and the Chief Information Officers Council, to establish the process and criteria by which each constituent institution and the UNC System Office shall demonstrate that it is operating in accordance with the requirements of this policy.
IV. Other Matters
A. Effective Date. The requirements of this policy shall be
effective on the date of adoption of this policy by the Board of Governors.
B. Relation to State Laws. The foregoing policies as adopted by the
Board of Governors are meant to supplement, and do not purport to supplant or
modify, those statutory enactments which may govern the activities of public
officials.
C. Regulations and Guidelines. These policies shall be implemented and
applied in accordance with such regulations and guidelines as may be adopted
from time to time by the president.