The UNC Policy Manual
1400.1[1]
Adopted 02/26/26
Information Technology
I. Purpose. As provided in G.S. 116-11(9c), G.S. 116-40.22, and G.S. 143B-1320(b), the
purpose of this policy is to delegate authority to the president to establish
and administer a Systemwide information technology program and direct the
University of North Carolina System (UNC System) and its constituent
institutions to adopt certain policies or regulations to ensure the integrity
of the UNC System’s information technology programs across the System. This
policy requires minimum standards for the UNC System Office and constituent
institutions’ information technology governance, information security, and user
and access control programs. The president shall be responsible for the Systemwide
information technology program and may further delegate additional oversight or
other responsibilities as appropriate.
II. Management Flexibility. Constituent institutions with management flexibility shall
establish policies and rules governing the planning, acquisition,
implementation, and delivery of information technology and telecommunications
at the constituent institution consistent with this policy and supplemental
regulations. These policies and rules shall provide for security and encryption
standards; software standards; hardware standards; acquisition of information
technology consulting and contract services; disaster recovery standards; and
standards for desktop and server computing, telecommunications, networking,
video services, personal digital assistants, and other wireless technologies;
and other information technology matters that are necessary and appropriate to
fulfill the teaching, educational, research, extension, and service missions of
the constituent institutions.
III. Information Technology Governance.
A. Documented Information Technology Governance Plan. The UNC System Office and constituent
institutions shall adopt a comprehensive information technology governance plan
and related policies. The plan may be part of a larger information technology
framework, or a stand-alone plan. The information technology governance plan
shall include:
1. A defined framework to guide the development and implementation of the plan; and
2. A set of principles and guidelines addressing
planning and investment prioritization, funding, evaluation, auditing, disaster
recovery, risk assessment, risk management, oversight of distributed IT
resources, performance measurement, and such other areas as may be appropriate.
B. Electronic Records. The UNC System Office and constituent
institutions shall adopt policies and procedures that provide certain minimum
requirements for the maintenance and disposition of electronic records. The
minimum requirements shall be established in a supplemental regulation and
include retention and disposition processes and timelines for electronically
stored information.
C. Strategic Procurement and Evaluation of Technology Costs.
1. To promote efficiency, cost effectiveness, and consistent high-quality services
for students, the University of North Carolina System shall encourage, when
appropriate, the use of common information technology solutions and systems.
The president shall adopt a supplemental regulation implementing an information
technology strategic procurement process that includes provisions governing the
selection, use, and oversight of strategic Systemwide technologies. Under the information
technology strategic procurement process, costs may be reasonably allocated to participating
constituent institutions and affiliates.
2. Constituent institutions shall evaluate technology, computer hardware, and software using criteria
as provided in a supplemental regulation that includes at least the following:
a. The long-term cost of ownership, including costs of repairing the technology,
computer hardware, or software;
b. Any flexibility for innovation during the life of the technology, computer
hardware, or software; and
c. Any anticipated resale or salvage value at the end of the target life cycle for the
technology, computer hardware, or software based on the average resale or
salvage value of similar technology, computer hardware, or software as a
percentage of the initial cost of purchase.
3. The president may adopt additional requirements related to the UNC System and constituent
institutions' procurement of information technology goods and services.
IV. Information Security.
A. Documented Information Security Program. The UNC System Office and constituent
institutions shall adopt a comprehensive information security program. The program
may be part of a larger information technology framework, or a stand-alone program.
The information security program shall include:
1. Written security policies and standards aligned with UNC System Office-defined
standards;
2. Periodic risk assessments and a documented risk treatment plan;
3. Security awareness practices and training; and
4. Incident response planning, including notification and escalation expectations.
V. Identity and Access Control.
A. Identity and Access Control Requirements. The UNC System Office and constituent
institutions shall adopt minimum identity and access control requirements. The requirements
may be part of a larger information technology framework, or stand-alone
requirements. Minimum identity and access control requirements shall include:
1. Risk-based access controls for all systems and data;
2. Multi-factor authentication where appropriate; and
3. Where multi-factor authentication is not implemented, the documented basis and
compensating controls to address associated risk.
VI. Other Matters.
A. Effective Date. The requirements of this policy shall be effective on the date of
adoption by the Board of Governors.
B. Relation to State Laws. The foregoing policies as adopted by the Board of Governors are
meant to supplement, and do not purport to supplant or modify, those statutory
enactments which may govern the activities of public officials.
C. Regulations. This policy shall be implemented and applied in accordance with such
regulations as may be adopted from time to time by the president.
[1] This policy repeals and replaces Section 1400.1, Information Technology Governance (05/24/18), Section 1400.2, Information Security (04/25/19), and Section 1400.3, User Identity and Access Control (05/24/18), of the UNC Policy Manual.