Information Security Policies & Responsibilities – Deans, Directors, Department Heads

The University of North Carolina at Chapel Hill

Summary of 2010 Information Security Policies and Responsibilities

The University of North Carolina at Chapel Hill collects and maintains large amounts of sensitive data. With that comes an obligation to protect the data. Carolina takes its responsibilities seriously.

To strengthen security of the University’s systems and sensitive data, the University has in place eight information security policies. For the full text of these policies, please see http://www.unc.edu/campus/policies.

For your convenience, a brief summary of the key requirements of these policies follows. In addition, a glossary of terms is available at http://its.unc.edu/infosecurity/information-security/glossary/. Please address any questions to the UNC Information Security Office in ITS at security@unc.edu or call 445-9393.

What Deans, Directors, Department Heads, Principal Investigators and Security Liaisons must know:

In addition to “What every Computer User at Carolina must know,” which is available at this page, Deans, Directors, Department Heads, Principal Investigators and Security Liaisons must also know:

  • IT personnel managing mission critical systems (e.g., HRIS, FRS, SIS, ERP, Payroll, campus email, etc.) or systems that store/process sensitive information must have formal Information Security training. Information Security training is available at https://itsapps.unc.edu/ITSSelfStudy/.
  • Each University business unit that is responsible for maintaining its own information technology services must have a designated Information Security Liaison, plus a designated backup Information Security Liaison. The duties and responsibilities of an Information Security Liaison are described in detail in the Security Liaison Policy.
  • Each University business unit that maintains its own information technology services must ensure that its IT support personnel are familiar with and manage the unit’s IT resources in compliance with all of the University’s information security policies, as they may be amended from time to time. See http://www.unc.edu/campus/policies.html.
  • Each University business unit that stores sensitive information or that operates mission critical systems must perform monthly vulnerability scans in accordance with the Vulnerability Management Policy.
  • Each University business unit that maintains its own information technology services is responsible for reporting immediately to the ITS Information Security Office at security@unc.edu or 445-9393 and coordinating with that Office any time there is reason to believe that the security of sensitive data or of a mission critical system (e.g., HRIS, FRS, SIS, ERP, Payroll, campus email, etc.) has been compromised or is at risk.
  • Costs associated with the remediation of severe incidents involving the compromise of sensitive data or mission critical systems are the financial responsibility of the University business unit determined to bear primary responsibility for the security of the data or system that was breached.