Information Security Policy Guide


A Guide to Assist in Locating the Policies and Standards that Apply to You

The University of North Carolina at Chapel Hill maintains an expansive network of Information Technology (IT) services and systems. From Sakai, email and wireless access to more specialized types of technology such as Qualys, Research Clusters and PeopleSoft, these services are designed to empower the Carolina community to fulfill the University’s mission to serve as a center for research, scholarship, and creativity. To facilitate the use of IT at Carolina, policies have been developed in order to fulfill the University’s obligation to protect the information that has been entrusted to it.

For your convenience, these references are to help you identify policies that might be relevant to your work or education here at Carolina. Short descriptions are provided on this page, but these absolutely do not reflect the full scope and breadth of the policies that they describe. Everyone in the Carolina community is responsible for adhering to the policies as they are published and modified over time. Annually, you are required to recertify that you will adhere to the IT policies in order to maintain your Onyen account. Please address any questions to the UNC Information Security Office at 919-962-HELP.


Identifying Information Security Policies

Below are brief descriptions of Carolina’s Information Security Policies. The full text of each policy can be found by visiting and clicking the applicable link (PDF).

  • Information Security PolicyThis policy establishes roles for data security, sets requirements for protecting sensitive information and mission critical systems, and provides an overview of the security program components required to protect University systems and information.
  • Information Security StandardsThe standards list a number of minimum requirements for computing devices used for handling business information at UNC-Chapel Hill. It is intended to implement industry best practices and safeguard university information.
  • Password PolicyThis policy defines the minimum requirements for password usage for all campus users and incorporates the existing Onyen password requirements.
  • Password Policy for System and Application AdministratorsThis policy details the heightened obligations of administrators, including a requirement for technical enforcement of the password standard.
  • Transmission of Sensitive Information Policy and StandardThis policy sets the requirements for transmitting certain types of sensitive information over public or wireless connections.
  • Information Security Liaison PolicyThis policy defines the roles and responsibilities of departmental Security Liaisons and requires Deans, Directors, Department Heads, and Principal Investigators to appoint a Security Liaison if they oversee areas that manage their own IT.
  • Institutional Data governance Policy and Information Classification Standard: This policy defines the governance structure for management of institutional data and the standard establishes tiers for data classification.
  • Vulnerability Management PolicyThis policy details the requirements for remediating Web, database, application, and operating system vulnerabilities.
  • Incident Management PolicyThis policy defines incident management responsibilities and the process for investigating risk to sensitive information or mission critical devices. It formally assigns the responsibility for the cost of a breach to the department responsible for the breached system.
  • E-Mail Address Policy: This policy discusses required uses for an official UNC-Chapel Hill provided email address and when forwarding of UNC-Chapel Hill email is and is not permitted.
  • E-Mail Domain Policy: This policy requires all campus email servers to be maintained in accordance with the security policies and requires a memorandum of understanding (MOU) for each affiliated domain to be filed with the Information Security Office.

Every computer user at Carolina is required to adhere to applicable policies. All referenced policies and standards can be found on the ITS Policies and Procedures page.

If you believe that the security of sensitive information or a mission critical system (e.g., ConnectCarolina, Payroll, campus email, etc.) is at risk, it is your responsibility to report that immediately by calling 919-962-HELP and requesting a “critical” help ticket be issued to the Information Security Office.


Revised: 2/16/2015