Information Security Program Charter

The University of North Carolina School of the Arts (UNCSA) Information Security Regulation (512) specifies the development of an Information Security Program to safeguard the security, confidentiality, accessibility, integrity, and availability of university information resources and to address specific security requirements defined by federal and state regulations, University of North Carolina System policies, and relevant contractual obligations.  

Program components include the mission; overarching objectives, goals, and strategies to meet program objectives and manage identified risks; governance to advise and support the program; program activities; and a continuous cycle of plans and operations necessary to meet the program mission. 

The Chief Information Officer (CIO) is responsible to the Chancellor for oversight of information security and is vested with such authority as is necessary to successfully oversee the Information Security Program. The Director of Networking and Information Security leads the development, execution, and enforcement of the Information Security Program. 

The mission of the Information Security Program is to ensure the confidentiality, integrity, and availability of the university’s information resources and data by safeguarding them from compromise, misuse, loss, or damage caused intentionally or unintentionally. This assurance will allow the university to continue its mission-critical operations of educational programs, learning experiences, interdisciplinary work in the arts, and will enhance administrative operations. 

The Information Security Program charter applies to all members of the UNCSA community including students, employees, affiliates, and other individuals authorized to use and/or access university information resources. 

The Information Security Program has the following Program Objectives:  

1. Employees, students, and affiliates will be armed with the awareness and knowledge to protect institutional information resources and meet compliance obligations. 

2. Employees, students, and affiliates will leverage program tools and services to protect information resources and meet compliance obligations. 

3. The Division of Information Technology will serve as trusted advisors and consultants on security and compliance issues to foster secure and scalable information resource environments. 

4. The Division of Information Technology will deploy and run a coordinated set of services and operations to meet security obligations for information resources. 

In addition to the principles specified in the Information Security Regulation (512), the Information Security Program will be further guided by the following principles: 

1. Unified Compliance: Where possible the program will utilize a strategy of unified compliance to consolidate and create processes to meet numerous information resource compliance requirements applicable to the university. The program shall be guided and informed by the ISO/IEC 27002 standard, adopted as the common security framework for campuses of the University of North Carolina (UNC) System.  

2. Risk-Based: The development of policies, regulations, procedures, rules, standards, technical specifications, guidance, and other products of the Information Security Program shall be driven by the identification, assessment, communication, and efficient and effective treatment of risks related to information resources. 

3. Shared Responsibility: University leadership promotes a campus culture of shared responsibility for information security in support of the university’s administration and mission-critical operations of exceptional teaching, learning, discovery, and community engagement. This shared responsibility is critical to the success of the program. 

4. Proactive Posture: Where possible the program will focus on proactive solutions to manage and secure resources rather than reactive and short-term activities.  

The Information Security Program shall include the following high-level areas of focus: risk management, policy and compliance, education and awareness, and security operations. 

The management of information security risk involves includes both the identification and assessment of risk through annual risk assessments and the initiation and monitoring of appropriate practices in response to that analysis through a risk management program. The program is supported by strong information security advocacy and consultancy from the Division of Information Technology and a robust set of tools and services to manage cybersecurity activities to reduce vulnerabilities and combat threats. 

Information security policies, regulations, procedures, rules, standards, technical specifications, and any other guidance, are developed collaboratively within the Division of Information Technology. Policies, regulations, procedures, and rules follow the campus approval processes noted in the UNCSA Statement on Policies (001). It is the responsibility of the Division of Information Technology to periodically review and revise information security documentation. 

Periodic assessments will be conducted to review the adherence of university units and employees to applicable information security policies and standards. 

Employees and affiliates will receive regular information security education. Education and awareness programs will be role-based and may include online training modules, in-person training, newsletters, and/or online resources for specialized topics. General user education and awareness will address common information and security responsibilities for all employees and affiliates to promote awareness and adherence to information security policies and standards. Employees or affiliates with specific jobs or roles, such as elevated or privileged access permissions, will receive additional training as required by applicable policies and standards. A student awareness program will address student responsibilities in adhering to information security policies and standards.  

The tools and services that collectively form information security operations must adequately cover all phases of cybersecurity activities (identification, protection, detection, response, and recovery) and information security domains as specified in the ISO/IEC 27002 standard. A combination of hosted, shared services and in-house expertise will be utilized to create an effective and efficient security operations model. 

A set of program metrics will be developed and used to determine the overall success and continual improvement of the Information Security Program. 

The protection and security of information resources is a responsibility shared by all employees, students, and affiliates. In addition to the roles and responsibilities specified in the Information Security Regulation (512), added responsibilities include: 

1. Supervisors, department, unit, and division leaders are responsible for overseeing information security for their respective areas of responsibility and ensuring compliance with all information security policies, regulations, rules, and related guidance.  

2. University leadership is responsible for executive oversight and support, policy and regulation approval, and risk management.  

3. The Division of Information Technology is responsible for administering the Information Security Program, and providing information security services that help identify risks, establish protective measures, and validate conformance. 

• UNC System Policy 1400.2 Information Security 
• 2020 UNC CIO Council Strategic Plan