The University of North Carolina at Chapel Hill
Summary of 2010 Information Security Policies and Responsibilities
The University of North Carolina at Chapel Hill collects and maintains large amounts of sensitive data. With that comes an obligation to protect the data. Carolina takes its responsibilities seriously.
To strengthen security of the University’s systems and sensitive data, the University has in place ten information security policies. For the full text of these policies, please see http://its.unc.edu/about-its/university-it-policies/.
For your convenience, a brief summary of the key requirements of these policies follows. In addition, a glossary of terms is available at http://its.unc.edu/infosecurity/information-security/glossary/. Please address any questions to the UNC Information Security Office in ITS at email@example.com or call 919-445-9393.
On August 1, 2011 a memo was sent the campus community explaining that all campus computer users needed to read these summaries. Beginning September 15th, 2011, the Onyen password reset process will be changed. This change will require all computer users to certify annually that they have read the Information Security Policies Summaries located on this page and that they understand and agree to abide by the information security policies applicable to them. In addition, all users with access to the University’s Protected Health Information or Personally Identifiable Information (e.g., Social Security numbers, credit/debit card information, etc.) are required to affirm that they will not store this information on mobile devices without both (i) obtaining prior authorization from their dean or the head of their business unit, and (ii) encrypting the data. After the change, password resets will not complete unless the affirmation box is checked.
What Every Computer User at Carolina Must Know:
This document provides a summary of the University’s information security policies. Every computer user at Carolina is required to read these summaries in their entirety and to understand the requirements of the applicable policies.
- In many cases, operating system and application updates along with malware protection are all that stand between a computer and a system compromise or infection. Check with your IT support staff to ensure that your computer is configured to receive automated patches. Allow automated updates to run so that they may patch security vulnerabilities. Also make sure your malware protection is properly installed, updated and is running the latest virus definitions. These are requirements from the Information Security Standards located in the Information Security Policy. No software is 100% effective in preventing compromises or infections, and not all websites are safe. Users must be alert when using the Internet, especially on systems storing or processing Sensitive Information. One way to reduce the risk of compromise is to limit your non-work related Internet activity. Another good technique to reduce risk is to limit the amount of Sensitive Information you store on your computing devices. If you avoid storing Sensitive Information on a computer, should the computer be attacked, the information cannot be compromised by an attacker.
- Sensitive Information includes many different types of information, such as Social Security numbers, personal health information, student records, and bank and credit card information.
- In accordance with the Information Security Standards located in the Information Security Policy, Sensitive Information must never be stored on a mobile device, including a laptop computer or a smart phone, unless storage on the mobile device has been approved by your dean (if you are a student) or the head of your business unit (if you are an employee) and the Sensitive Information is encrypted.
- If you must transfer Sensitive Information (e.g., by file transfer or email), the transfer has to be conducted in compliance with the Transmission of Protected Health Information and Personal Identifying Information Policy.
- Sensitive Information must never be shared through Instant Messaging or Peer-to-Peer (P2P) file-sharing software or devices. P2P software must never be installed on machines or devices that store, process or access Sensitive Information. Users at UNC-Chapel Hill are required to obey copyright laws and to adhere to the Data Network Acceptable Use Policy.
- Sensitive Information must be accessed only through one of the following methods: (1) user identification with the correct password; (2) multi-factor authentication, such as a smart card in combination with a password; or (3) biometric identification approved by the Information Security Office. Some networked storage options supplied by the University are not suitable for the storage of Sensitive Information because they do not conform to these access requirements. Likewise, third party consumer, cloud computing or software-as-a-service offerings such as Dropbox, Google Docs, iCloud, and other similar offerings are not acceptable for the storage of University-owned Sensitive Information unless the University maintains a current contract with these providers. If you are not sure if a storage location is secure, please seek assistance from either your Information Security Liaison or the Information Security Office via 962-HELP.
- Machines and devices that store Sensitive Information, or that are used to access mission-critical systems (e.g., HRIS, FRS, SIS, ERP, Payroll), should be used only in areas with restricted or controlled access and should be locked every single time they are left unattended. Machines and devices containing Sensitive Information or used to access mission-critical systems must be set to require re-authentication after not more than 30 minutes of inactivity.
- Sensitive Information maintained on computers or other electronic devices should be destroyed or disposed of only in accordance with the UNC-Chapel Hill Campus Standards for Electronic Media Disposal. Any department intending to surplus computing devices must first destroy the electronic information by wiping them, then keeping the devices physically secure until transfer to University Surplus.
- You must maintain strong passwords for every University system and application you access that stores/processes University data. You must change all your passwords used for University systems every 90 days. These requirements are located in the Password Policy for General Users.
- Per the Email Address Policy, your official UNC-Chapel Hill supplied email address must always be used for official business. Auto-forwarding of University email accounts is not allowed. Manual forwarding of individual personal email messages is permitted.
- Per the Incident Management Policy, you must immediately report lost or stolen mobile devices (e.g., laptops, smartphones) or security breaches (e.g., computer viruses, hacking attempts) to the IT Response Center at 919-962-HELP. The IT Response Center is available 24 hours a day, 7 days a week, so there is no reason for not contacting them immediately. Do not provide details to the ITRC; rather, ask that your Remedy ticket be assigned to the ITS Security Remedy group. If you believe Sensitive Information or Mission Critical systems are at risk, ask that the ticket be made critical and provide a phone number where the ITS Security representative can call you back. Also, if you believe Sensitive Information is at risk, do not take actions such as manually scanning the computer with antivirus software without speaking to an ITS Security employee.
- Be mindful of the risks associated with Sensitive Information when storing, processing, or accessing data. If you are not sure how to comply fully with these policies or if you are not sure how to conduct a process securely, ask your IT support personnel, consult with your Information Security Liaison, or call the ITS help desk at 919-962-HELP. Per the Information Security Liaison Policy, all units are required to have an Information Security Liaison. Please take a few moments to identify your Information Security Liaison so that you will be able to contact him or her when there is a need.
If you believe that the security of sensitive information or a mission critical system (e.g., HRIS, FRS, SIS, ERP, Payroll, campus email, etc.) has been compromised or is at risk, it is your responsibility to report that immediately to the ITS Information Security Office at firstname.lastname@example.org or 919-445-9393.
What Deans, Directors, Department Heads, Principal Investigators and Security Liaisons must know:
In addition to all of the above, Deans, Directors, Department Heads, Principal Investigators and Security Liaisons must also know:
- IT personnel managing mission critical systems (e.g., HRIS, FRS, SIS, ERP, Payroll, campus email, etc.) or systems that store/process sensitive information must have formal Information Security training. Information Security training is available at https://itsapps.unc.edu/ITSSelfStudy/.
- Each University business unit that is responsible for maintaining its own information technology services must have a designated Information Security Liaison, plus a designated backup Information Security Liaison. The duties and responsibilities of an Information Security Liaison are described in detail in the Information Security Liaison Policy.
- Each university business unit that maintains its own information technology services must ensure that its IT support personnel are familiar with and manage the unit’s IT resources in compliance with all of the University’s information security policies, as they may be amended from time to time. See http://its.unc.edu/about-its/university-it-policies/.
- Each university business unit that stores sensitive information or that operates mission critical systems must perform monthly vulnerability scans in accordance with the Vulnerability Management Policy.
- Each University business unit that maintains its own information technology services is responsible for reporting immediately to the ITS Information Security Office at email@example.com or 919-445-9393 and coordinating with that Office any time there is reason to believe that the security of sensitive data or of a mission critical system (e.g., HRIS, FRS, SIS, ERP, Payroll, campus email, etc.) has been compromised or is at risk.
- Costs associated with the remediation of severe incidents involving the compromise of sensitive data or mission critical systems are the financial responsibility of the University business unit determined to bear primary responsibility for the security of the data or system that was breached.
What IT Personnel must know:
In addition to all of the above, IT personnel, regardless of the business unit to which they are assigned, must also know:
- The Information Security Standards described in the Information Security Policy are minimum standards required for the protection of University systems, including those that store/process sensitive information or that are considered mission critical. You must master these standards and manage the IT resources for which you are responsible in compliance with these standards. If you have questions or need assistance, it is your responsibility to contact the ITS Information Security Office at firstname.lastname@example.org or 919-445-9393.
- You are responsible for ensuring that the passwords for the systems and applications you manage meet the requirements of the Password Policy for General Users. System and application administrators must configure all University-owned and managed IT devices/systems to enforce the password policy to the degree technically feasible, in compliance with the Password Policy for System and Application Administrators.
- When sensitive information must be transferred, it is critical that the transfer be conducted in compliance with the Transmission of Protected Health Information and Personal Identifying Information Policy. If users you are responsible for assisting must transmit sensitive information and you need help determining how best to protect that information in compliance with University policy, it is your responsibility to contact the ITS Information Security Office at email@example.com or 919-445-9393.
- System and application vulnerabilities must be addressed within timeframes specified in the Vulnerability Management Policy.
- Regular vulnerability scanning and patching of all IT systems for which you are responsible is an absolute requirement and priority must be given to the remediation of vulnerabilities.
- If you believe that the security of sensitive data or of a mission critical system (e.g., HRIS, FRS, SIS, ERP, Payroll, campus email, etc.) has been compromised or is at risk, it is your responsibility to report that immediately to the ITS Information Security Office at firstname.lastname@example.org or 919-445-9393. No action should be taken that might inhibit investigation of an incident or make unavailable information that might assist the investigation.
- You are required to follow incident handling instructions as specified in the Incident Management Policy and/or as directed by the ITS Information Security Office in response to potentially severe (level 2 or 3) incidents, as defined in the Incident Management Policy.
- Email systems must have a memorandum of understanding on file with the Information Security Office in order to be considered official.
Summarizing the Information Security Policies
Below are brief descriptions of Carolina’s Information Security Policies. The full text of each policy can be found by visiting http://its.unc.edu/about-its/university-it-policies/ and clicking the applicable link.
- Information Security Policy: This policy establishes roles for data security, sets requirements for protecting sensitive data and mission critical systems, and provides an overview of all the security program components required to protect University systems and data.
- Information Security Standards: The standards included in the Information Security Policy lists in a number of tables the minimum requirements for computing devices owned or managed by UNC-Chapel Hill. It is intended to implement industry best practices and safeguard university data.
- Password Policy for General Users: This policy defines the minimum requirements for password usage for all campus users and incorporates the existing Onyen password requirements for all passwords.
- Password Policy for System and Application Administrators: This policy details the heightened obligations of administrators, including a requirement for technical enforcement of the password standard.
- Transmission of Protected Health Information and Personal Identifying Information Policy: This policy sets the requirements for transmitting certain types of sensitive information over public or wireless connections.
- Information Security Liaison Policy: This policy defines the roles and responsibilities of departmental Security Liaisons and requires Deans, Directors, Department Heads, and Principal Investigators to appoint a Security Liaison if they oversee areas that manage their own IT.
- Institutional Data Governance Policy: This policy defines the governance structure for management of institutional data and establishes procedures for data classification.
- Vulnerability Management Policy: This policy states the requirements for remediating Web, database and operating system vulnerabilities.
- Incident Management Policy: This policy defines incident management responsibilities and the process for investigating breaches of sensitive information or mission critical devices. It formally assigns the responsibility for the cost of a breach to the department that has the primary responsibility for the system(s) on which the breach occurred.
- E-mail Address Policy: This policy requires the campus community to use an official UNC-Chapel Hill provided email address for official business. Also prohibits auto-forwarding of UNC-Chapel Hill email accounts. Manual forwarding of email is allowed under the policy.
- E-mail Domain Policy: This policy requires all campus email servers to be maintained in accordance with the security policies and requires a memorandum of understanding for each domain to be filed with the Information Security Office.