The UNC Policy Manual
1400.3
Adopted 05/24/18
Repealed 02/26/26
I. Purpose.
The security, privacy, and integrity of data and information systems are
an operational priority for the University of North Carolina. Identity
confirmation and access control techniques help mitigate the risk of
unauthorized access to University data and information systems. This policy
directs all University of North Carolina System constituent institutions to evaluate
and conduct risk-based implementation of appropriate identity confirmation and
access control techniques, such as multi-factor authentication, to control
access to University data.
II. Risk-Based Implementation of Identity
Confirmation and Access Control Measures. The UNC System chief information
officer shall, in consultation with the Chief Information Officers Council,
develop, maintain, and update standards for risk-informed identity confirmation
and access control, such as multi-factor authentication, for use by constituent
institutions and the UNC System Office. In the absence of multi-factor
authentication, constituent institutions shall identify, implement, and
document other appropriate measures to control access to sensitive data. Based
on evaluation of the constituent institutions’ identity confirmation and access
control techniques, the University chief information officer may identify
constituent institutions that require additional resources or consultation to
implement and maintain adequate measures and meet the requirements of this
policy.
A. Each constituent institution and the UNC System Office shall implement and maintain
risk-informed techniques to confirm user identity and control access to University
information systems and resources, in accordance with the standards developed
and maintained by the UNC System chief information officer.
B. The chancellor, or the president in
the case of the UNC System Office, shall designate the institution’s chief
information officer or other member of the senior staff, who will be
responsible for the oversight of the implementation and maintenance of user
identity confirmation and access control techniques as required by this policy.
The institution’s chief information officer shall be vested with such authority as
is necessary to successfully oversee all aspects of the user identity
confirmation and access control program as it applies to staff, faculty,
students, and other individuals with access to the institution’s information
technology systems and information resources.
C. Each institution’s user
identification and access control measures must sufficiently control access to
sensitive University data such as personally identifiable information, personal
health information, and information subject to state or federal laws or
regulations.
D. The timing and application of user
identification and access control measures, such as multi-factor authentication
and other techniques, shall be conducted in accordance with the standards
maintained by the UNC System chief information officer, and guided by a
risk-based evaluation of University data and information systems.
E. The standards developed and maintained by the UNC System chief information officer
and the standards and measures established by the constituent institutions in
accordance with those policies shall be confidential and not
considered a public record to the extent permitted by North Carolina law.
F. The UNC System Office chief
information officer shall work with the UNC System Office finance, audit, and
legal staff, and the Chief Information Officers Council, to establish the
process and criteria by which each constituent institution and the UNC System
Office shall demonstrate that it is operating in accordance with the requirements
of this policy.
IV. Other Matters
A. Effective Date. The requirements of this policy
shall be effective on the date of adoption of this policy by the Board of
Governors.
B. Relation to State Laws. The foregoing policies as
adopted by the Board of Governors are meant to supplement, and do not purport
to supplant or modify, those statutory enactments which may govern the
activities of public officials.
C. Regulations and Guidelines. These policies shall be
implemented and applied in accordance with such regulations and guidelines as
may be adopted from time to time by the president.