Information Technology (IT) Security Regulation 512

Regulation 512 Approved: October 29, 2021
UNIVERSITY OF NORTH CAROLINA SCHOOL OF THE ARTS
Information Technology Security
Regulation 512
Source of Authority: N.C.G.S. 116-34(a)
UNC Code § 502(A)
Revision Authority: Chancellor
History:

First Issued: February 3, 2021

Revised:  October 29, 2021

Related Policies: Business Continuity Plan Regulation 104;
Code of Conduct & Discipline Regulation 802;
Emergency Management Regulation 701;
Improper Activities Reporting Regulation 114;
IT Account Management Regulation 503;
Takedown Notice Regulation 507;
Virtual Private Network (VPN) Regulation 510
Responsible Offices: Information Technology Department
Effective Date: October 29, 2021

I. Purpose
This policy sets forth the security requirements for information resources of the University of North Carolina School of the Arts (UNCSA). This policy explains the administration of the university’s information security program, the development and maintenance of security plans, regulations and procedures, and specific security requirements necessary to comply with federal and state regulations, University of North Carolina System (UNC) policy, and contractual obligations.

II. Scope
This policy applies to all university information resources, regardless of form or location, and the hardware and software resources used to electronically store, process, or transmit that information. This includes data processed or stored and applications used by the university in hosted environments in which the university does not operate the technology infrastructure. All UNCSA employees, students, and affiliates must adhere to this policy.

III. Compliance
All UNCSA employees, students, and affiliates must adhere to this policy and related regulations, procedures, rules, standards, technical specifications, and any other guidance produced by the information security program. Failure to do so may result in disciplinary action, up to and including dismissal, suspension or expulsion, or termination of privileges. Reference: ISO 27002:2013-7.1.2, 7.2.3.

IV. Definitions

A. Affiliate. An affiliate is an individual who requires access to information resources to work in conjunction with the university, but is not a UNCSA employee or student.  Affiliates must have a sponsor who is an employee.  

B. Information Security Program. The information security program is a set of coordinated services and activities designed to protect information resources and manage the risks associated with those resources. It includes regulations, procedures, standards, assessments, protocols, and trainings to govern the storage, accessibility and security of information resources.

C. Information Resources. As used in UNC System Policy 1400.1, “information resources are information owned or processed by the university, or related to the business of the university, regardless of form or location, and the hardware and software resources used to electronically store, process or transmit that information.” Information resources expressly include data, software, and physical assets.  

D. The university has the following information resources classification levels: 

1. Level 1 (Confidential Data) – University data that are protected by federal, state, or local statutes and regulations, industry regulations, provisions in government research grants, or other contractual arrangements, which impose legal and technical restrictions on the appropriate use of institutional information.

2. Level 2 (Sensitive Data) – University data that may not be protected by law or regulation but are considered private and are subject to restricted treatment such as university data that may be protected by contracts, third-party agreements, or university policy. 

3.  Level 3 (Controlled Data) – University data that are proprietary or produced only for use by members of the university community who have a legitimate purpose to access such data.

4. Level 4 (Public Data) – University data that have few restrictions and/or are intended for public use.

V. Policy

A. Information Security Program. The university shall develop, implement, and maintain a comprehensive information security program to safeguard the security, confidentiality, accessibility, integrity, and availability of university information resources and to address specific security requirements defined by federal and state regulations, University of North Carolina System policies, and relevant contractual obligations.  Reference: UNC Policy 1400.2

B. The information security program shall comply with the prevailing information security standard adopted by the UNC Board of Governors. It will produce, at a minimum, regulations and procedures on the storage, use, and accessibility of information resources, operating standards and procedures to document additional technical security requirements, training requirements, regular risk assessments of existing information resources, strategies for prioritizing and managing identified security risks, and procedures for incident response planning and management.  Reference: UNC Policy 1400.2.

C. Regulations, procedures, rules, standards, technical specifications, and any other guidance produced by the information security program shall be in writing and shall contain additional technical requirements, identify the employees, students, and affiliates responsible for following such requirements, and will be an extension of this policy. These products will be regularly reviewed to ensure their continuing applicability and effectiveness. ISO 27002:2013-5.1.1,5.1.2

D. To ensure compliance with relevant university information security policies and standards, the Information Technology Networking and Information Security Department shall be responsible for providing information security services that help identify risks, establish protective measures, and validate conformance.

E. Guiding Principles. The information security program will be guided by the following principles:

1. ISO/IEC 27002 – The program shall be guided and informed by the ISO/IEC 27002 standard, adopted as the common security framework for campuses of the University of North Carolina (UNC) System.  Reference: UNC Policy 1400.2

2. Legal, Contractual, and Policy Requirements – In relation to the management and protection of information resources, UNCSA shall conduct all business in accord with relevant federal and state regulations, University of North Carolina policies, and contractual requirements. The program shall incorporate these requirements into all plans, policies, standards, and procedures.

3. Proactive Risk Management – The development of policies, plans, standards, procedures, and other products of the information security program shall be driven by the identification, assessment, communication, and efficient and effective treatment of risks related to information resources.

4. The information security program will be administered in a manner consistent with the roles and responsibilities outlined in this policy.

VI. Roles and Responsibilities

A. The protection and security of information resources is a responsibility shared by all employees, students, and affiliates.  All employees, students, and affiliates must observe all information security-related policies, regulations, procedures, rules, standards, technical specifications, and any other guidance issued to secure university information resources and data. Reference: ISO 27002:2013-6.1.1 

B. Specific roles and responsibilities for university information security include:

1. University Employees, Affiliates, and Students – All university employees, affiliates, and students shall be responsible for:

a. Attending all required information security-related training.

b. Maintaining awareness and adherence to information security policies, regulations, procedures, rules, standards, technical specifications, and any other guidance issued to secure university information resources. Promptly reporting potential information security incidents to the IT Networking and Information Security Department.

2. Board of Trustees – The Board of Trustees shall be responsible for:

a. Overseeing information security. Reference: N.C.G.S § 116-40.22.(d); UNC Policy 1400.2

b. Approving the university information security policy. Reference: N.C.G.S § 116-40.22.(d); UNC Policy 1400.2

c. Ensuring that information security is addressed in the annual audit plan and risk assessments conducted by the internal auditor. Reference: UNC Policy 1400.2

d. Addressing emerging information security matters. Reference: UNC Policy 1400.2

3. Chancellor – The Chancellor shall be responsible for:

a. Approving the university information security regulation.

b. Providing executive oversight and support of the information security program.

c. Providing guidance concerning university risk tolerance levels.

d. Providing resources to meet approved security objectives.

e. Periodically reviewing the university’s information security posture.

4. Chief Information Officer (CIO) – The CIO shall be responsible for:

a. Monitoring the effectiveness of the information security program.1 

b. Maintaining alignment of Information Technology services with university risk tolerance levels.

c. Periodically reporting the information security posture to the Chancellor and Chancellor's Cabinet and the Board of Trustees Committee on Audit, Risk, and Compliance.

d. Preparing an annual report on the information security program and information technology security controls.  Reference: UNC Policy 1400.2

5. Director of Networking and Information Security– The Director of Networking and Information Security shall be responsible for:

a. Leading the development, execution, and enforcement of the university information security program.

b. Facilitating information security governance and collaboration.

c. Advising senior leadership on security needs and resource investments.

d. Leading the development of information security regulations, procedures, rules, standards, technical specifications, and any other guidance issued to secure university information resources and data.

e. Maintaining appropriate contacts with relevant authorities, special interest groups, other specialist security forums, and professional associations. Reference: ISO 27002:2013-6.1.4

6. Vice-Chancellors, Deans, Department Heads and Supervisors – Vice-Chancellors, Deans, Department Heads, and Supervisors shall be responsible for:

a. Ensuring that units and applicable affiliates adhere to information security policies, regulations, procedures, rules, standards, technical specifications, and any other guidance issued to secure university information resources and data. Reference: ISO 27002:2013-7.2.

b. Ensuring that staff and applicable affiliates receive any required security training. Reference: ISO 27002:2013-7.2.2

c. Ensuring that conflicting duties and areas of responsibility are segregated to reduce opportunities for unauthorized or unintentional modification or misuse of information resources.   Reference: ISO 27002:2013-6.1.2

d. Maintaining appropriate contacts with relevant authorities, special interest groups, or other forums to meet unit contractual and compliance obligations.  Reference: ISO 27002:2013-6.1.3, 6.1.4

7. Office of Internal Audit – The Office of Internal Audit shall be responsible for:

a. Ensuring that information security is addressed in annual audit planning and risk assessment.

VII. Revision History
October 29, 2021 – Revised to include conforming edits with UNC System Policy 1400.2.

February 17, 2011 – Adopted by Board of Trustees as part of UNCSA Policy Manual

VIII. Related Regulatory and Policy References

A. Family Educational Rights and Privacy Act of 1974 (FERPA) (pertaining to the privacy of student information)

B. Gramm-Leach-Bliley Act of 1999 (GLBA) (pertaining to the privacy and safeguarding of consumer financial information)

C. Health Insurance Portability and Accountability Act of 1996 (HIPAA) (pertaining to the privacy and security of protected health information)

D. Payment Card Industry (PCI) Data Security Standard (DSS), v. 3.2.1 (pertaining to the security of credit card payment information)

E. North Carolina General Statutes § 116-40.22 (The University of North Carolina, management flexibility)

F. University of North Carolina System Policy, Information Technology Chapter, Information Technology Governance 1400.1

G. University of North Carolina System Policy, Information Technology Chapter, Information Security 1400.2

H. University of North Carolina System Policy, Information Technology Chapter, User Identity and Access Control 1400.3

I. ISO/IEC 27002:2013 Information technology -- Security techniques -- Code of practice for information security controls

-------------------------------------

1. On February 14, 2021, The University of North Carolina School of the Arts Chancellor designated the university Chief Information Officer as the senior official responsible for IT governance and information security at UNCSA pursuant to UNC System Policies 1400.1 and 1400.2.


UNIVERSITY OF NORTH CAROLINA SCHOOL OF THE ARTS
Information Technology (IT) Security Procedures
Procedure 512

I. Purpose
These procedures set out the information security control requirements for the mitigation of information security risks and protection of University of North Carolina School of the Arts (UNCSA) information resources.

II. Scope
These procedures apply to all university information resources, regardless of form or location, and the hardware and software resources used to electronically store, process, or transmit that information.  This includes data processed or stored and applications used by the university in hosted environments in which the university does not operate the technology infrastructure.

The university Chief Information Officer (CIO) or the Director of Networking and Information Security may establish additional regulations, procedures, rules, standards, technical specifications, and any other guidance or other requirements that exceed this procedure, as necessary, to secure university information resources.

III. Control Requirements 
Information security risks can be detected, prevented, or mitigated by a variety of security controls.  Key security requirements for regulatory, policy and contractual obligations will be addressed through existing controls, compensating controls, or prioritized implementation of new controls consistent with available resources. The following control requirements will be implemented to protect university information resources.

A. Risk Management

1. Identification and Analysis – UNCSA will regularly identify and analyze risks for information resources.

2. Mitigation – UNCSA will implement appropriate controls to mitigate the identified risks.

3. Communication – UNCSA will communicate appreciable risks and treatment options regularly for decision review. Reference: ISO 27002:2013-6.1.1; GLBA Safeguards Rule, 16 C.F.R. §314.4; HIPAA Security Rule, 45 C.F.R. §164.308(a)(1)(ii)(A); PCI-DSS 3.2.1-12.2

B. Human Resource Security

1. Screening/Background Checks – Prospective employees who receive an offer of employment with the university will be vetted by processes managed by Human Resources. Reference: ISO 27002:2013-7.1.1; HIPAA Safeguards Rule, 45 C.F.R. §164.308(a)(3)(ii)(B); PCI-DSS 3.2.1-12.7

2. Security Awareness Training – All university employees will receive regular security awareness training.  Employees with certain job responsibilities or roles will receive additional training as required by the information security program.  Reference: ISO 27002:2013-7.2.2; GLBA Safeguards Rule, 16 C.F.R. §314.4; HIPAA Safeguards Rule, 45 C.F.R. §164.308(a)(5)(i); PCI-DSS 3.0-12.6

3. Sanctions – Employee and student disciplinary processes and affiliate agreements will include applicable provisions to sanction violations of information security policies, standards, and procedures or other requirements, which may include loss of information resource access privileges, administrative sanctions, and disciplinary actions.  Employees, affiliates, and students are cautioned that egregious violations may also result in personal civil and criminal liability. Reference: ISO 27002:2013 - 7.2.3; HIPAA Security Rule, 45 C.F.R. §164.308(a)(1)(ii)(C)

4. Change in Position or Duties – Supervisors will review and make necessary changes to an employee’s access to information resources when the employee leaves a position or duties are changed. Reference: ISO 27002:2013-9.2.2

5. Termination of Employment or Affiliate Access – Access to information resources, work areas, and secure areas will be revoked, and resources returned, upon full separation from the university. Reference: ISO 27002:2013-7.3, 8.1.4, 9.2; HIPAA Security Rule, 45 C.F.R. § 164.308(a)(4)(ii)(C); PCI-DSS 3.2.1-8.1.3; 9.3

C. Information Resource Management

1. Data Governance – All information resources and data are the property of UNCSA unless ownership is assigned to another party by regulation or contractual agreement. The university will define standards to secure and effectively manage information resources and data.

2. Data Classification – Information resources and data must be safeguarded throughout its life cycle, from creation to archival or destruction.  The university uses four data classifications defined in section IV. G of the Information Technology Security Regulation. The university will issue guidance to further define and address associated business needs and risks related to sharing or restricting access to information resources and data. Reference: ISO 27002:2013-8.2.1, 8.2.2

3. Acceptable Use and Security Requirements – Appropriate use of information resources, from on or off-campus, will be clearly defined, including secure practices for handling classified data. Reference: ISO 27002:2013-6.2.2, 8.1.3, 8.2.3; PCI-DSS 3.2.1-3.2 

4. Inventory of Information Resources – An inventory of all information resources will be maintained and indicate their owner, location, and other information necessary for proper management of the resources. Reference: ISO 27002:2013-8.1.1,8.1.2; HIPAA Security Rule, 45 C.F.R. §164.310(d)(2)(iii); PCI-DSS 3.2.1-2.4 

5. Removable Media – Removable media must be managed in accordance with related security standards.  Reference: ISO 27002:2013-8.3.1; HIPAA Security Rule, 45 C.F.R. §164.310(d)(2)(i); PCI-DSS 3.2.1-9.5

6. Information Resource Transfer and Destruction – Information resources, excluding public data, must be returned upon separation from the university.  Information resources will be appropriately retained and safeguarded for future use.  Physical resources will be reliably rebuilt and re-commissioned before transfer to another employee.   Physical resources will have software and data rendered unreadable before a sale or other disposition. Reference: ISO 27002:2013-8.1.4,8.3.2, 8.3.3,11.2.7; HIPAA Security Rule, 45 C.F.R. §164.310(d)(2)(i), §164.310(d)(2)(ii); PCI-DSS 3.2.1-9.8

D. Access Control

1. Role-Based Access Control – The university will define appropriate roles associated with the fulfillment of legitimate business needs. These roles will have associated access control rules, access rights, and restrictions that limit access to confidential and sensitive data while efficiently accomplishing institutional needs.  Assignments to these roles and the associated access will be periodically reviewed. Reference: ISO 27002:2013-9.1.1, 9.2.5, 9.4.1; HIPAA Security Rule, 45 C.F.R. §164.312(a)(1); PCI-DSS 3.2.1-7.1

2. Network Access Control – Local and remote access to university networks and information resources will be limited to authorized individuals with legitimate business needs. Reference: ISO 27002:2013-9.1.2; HIPAA Security Rule, 45 C.F.R. §164.312(a)(1); PCI-DSS 3.2.1-9.1.2

3. User Access Management – Formal user provisioning and de-provisioning processes will be implemented to ensure that the creation of new accounts is authorized, users are uniquely identified, and that user IDs are disabled when no longer required. Reference: UNC Policy 1400.3; ISO 27002:2013-9.2.1,9.2.2, 9.2.6; HIPAA Security Rule, 45 C.F.R. §164.308(a)(4), §164.312(a)(2)(i), §164.312(a)(2)(d); PCI-DSS 3.2.1-8.1 

4. Management of Privileged Access – Privileged access rights will be appropriately evaluated, approved, periodically reviewed, and limited to only those users and applications with legitimate and sufficient business needs. Utility programs capable of overriding system and application controls will be restricted and controlled. Reference: ISO 27002:2013-9.2.3,9.4.4; PCI-DSS 3.2.1-7.1

5. Password Management – Passwords and other authentication methods used to access information resources will be established and managed in a formally approved and consistently secure manner. Reference: ISO 27002:2013-9.2.4,9.3.1, 9.4.3; HIPAA Security Rule, 45 C.F.R. §164.308(a)(5)(ii)(D), PCI-DSS 3.2.1-8.2 

6. Secure Logon – Common secure logon practices will be defined and implemented to ensure that means of access to information resources effectively minimize the risks of unauthorized access threats. Reference: ISO 27002:2013-9.4.2; HIPAA Security Rule, 45 C.F.R. §164.312(a)(2)(iii); PCI-DSS 3.2.1-8.2 

E. Cryptographic Security (Encryption)

1. Use of Cryptographic Controls – Risks related to the confidentiality and integrity of confidential and sensitive data and non-repudiation of electronic transactions with information resources will be addressed with cryptographic controls. Reference: ISO 27002:2013-10.1.1, 18.1.5; HIPAA Security Rule, 45 C.F.R. §164.312(a)(2)(iv), §164.312(e)(1)(ii); PCI DSS 3.2.1-3.4

2. Key Management – University cryptographic keys will be generated, stored, and managed in a secure and approved manner. Reference: ISO 27002:2013-10.1.2; PCI-DSS 3.2.1-3.5,3.6


F. Physical and Environmental Security

1. Physical Security Perimeters and Controls – Secure areas will have well-defined physical boundaries and implement sufficient controls to prevent unauthorized entry and physical access. Reference: ISO 27002:2013-11.1.1,11.1.2, 11.1.6; HIPAA Security Rule, 45 C.F.R. §164.310(a)(1); PCI-DSS 3.2.1-9.1, 9.4

2. Environmental Threats – Secure areas will be protected against natural disasters and damage from environmental accidents. Reference: ISO 27002:2013-11.1.4, 11.2.1

3. Safety and Security – Work conducted in secure areas will adhere to all documented safety and security requirements. Reference: ISO 27002:2013-11.1.3, 11.1.5, 11.2.9

4. Removal of Physical Assets – Removal of equipment will be consistent with university policy and will not be taken off-campus without prior authorization. Security will be applied to off-campus assets, taking into account the different risks of working outside the organization’s premises. Reference: ISO 27002:2013-6.2.2,11.2.5,11.2.6; HIPAA Security Rule, 45 C.F.R. §164.310(d)(1)

5. Unattended Equipment – Unattended user equipment will have appropriate protection controls and measures to prevent unauthorized use. Reference: ISO 27002:2013-11.2.8, 11.2.9; PCI-DSS 3.2.1-8.1.8

G. Operations Security

1. Change Management – Changes to information resources and associated processes that impact university information security will be appropriately identified, evaluated, communicated, and controlled. Reference: ISO 27002:2013-12.1.2; PCI-DSS 3.2.1-6.4

2. Capacity Management – The utilization of critical information resources will be monitored, assessed, and optimized to maximize availability in conjunction with appropriate controls. Reference: ISO 27002:2013-12.1.3

3. Malware Protection – Detection, prevention, and recovery measures will be established to protect information resources against malicious software applications. Reference: ISO 27002:2013-12.2; HIPAA Security Rule, §164.308(a)(5)(ii)(B); PCI-DSS 3.2.1-5.1

4. Information Backups – Backup copies of information resources and data will be regularly created, retained, stored securely, validated, and periodically tested for recoverability. Reference: ISO 27002:2013-12.3; HIPAA Security Rule, 45 C.F.R. §164.310(d)(2)(4); PCI-DSS 3.2.1-9.5.1

5. Logging and Monitoring – Records of important events related to information resources will be reliably retained, reviewed, and protected from tampering and unauthorized access. Reference: ISO 27002:2013-12.4.1,12.4.2,12.4.3; HIPAA Security Rule, 45 C.F.R. §164.312(b); PCI-DSS 3.2.1-10

6. Clock Synchronization – Clocks of university information systems will be synchronized against a single authoritative reference time source. Reference: ISO 27002:2013-12.4.4

7. Vulnerability Management – Security vulnerabilities related to information resources will be promptly identified, assessed, and remediated according to the associated risks they present to the university. Reference: ISO 27002:2013-12.6

H. Communications Security

1. Network Service Authority – The management and provisioning of university network connections, services, and devices will be limited to staff authorized by Information Technology only. Reference: ISO 27002:2013-13.1.1,13.1.2

2. Information Transfer – Transfer methods and controls will be defined and adhered to in order to protect confidential and sensitive information traversing all forms of communication channels to both internal and external senders and recipients. Reference: ISO 27002:2013-13.2.1, 13.2.2; GLBA Safeguards Rule, 16 C.F.R. § 314.4(b)(2); HIPAA Security Rule, 45 C.F.R. §164.312(e)(1)

3. Electronic Messaging – Protection measures will be established to safeguard university electronic messaging solutions from unauthorized access, modification, or denial of service. Retention of electronic messaging communication will be maintained in an approved manner. Reference: ISO 27002:2013-13.2.3

4. Confidentiality Agreements – Confidentiality agreements will be used to establish legally enforceable terms of utilization and access for confidential information for both employees and affiliates. Reference: ISO 27002:2013-13.2.4

I. Information Resource Acquisition, Development, and Maintenance

1. Security Requirements Analysis – The development and acquisition of information resources will include the regular evaluation of security requirements in the earliest possible stages of related projects. Reference: ISO 27002:2013-6.1.5,14.1.1

2. Secure Development – Secure programming techniques and modeling methods will be employed to ensure that coding practices adhere to best practices. Reference: ISO 27002:2013-14.2.1

3. Information Resource Change Control – Change control procedures will be documented and enforced to ensure the confidentiality, integrity, and availability of information resources throughout maintenance efforts. Reference: ISO 27002:2013-14.2.2

J. Supplier Relationship

1. Supplier Security Agreements – Security requirements will be documented and agreed upon with each supplier/external entity that may access information resources, process, store, or communicate university data.  Reference: ISO 27002:2013-13.2.2,15.1.1,15.1.2; GLBA Safeguards Rule, 16 C.F.R. § 314.4(d)(1); 16 C.F.R. § 314.4(d)(2)

2. Monitoring and Review of Supplier Services – Periodic review of supplier services will be conducted to ensure that related security agreements are being adhered to and enforced.  Hosting providers or other external entities that access, process, store, or communicate university data must provide evidence of compliance with this policy or other approved standards.  Reference: ISO 27002:2013-15.2.1

K. Information Security Incident Management

1. Reporting of Information Security Events – Information security weaknesses and/or events will be reported through an approved channel and reviewed promptly by authorized employees. Reference: ISO 27002:2013-16.1.2,16.1.3; HIPAA Security Rule, 45 C.F.R. §164.308(a)(6)

2. Management of Information Security Incidents – Response actions related to security incidents will adhere to a documented set of procedures, including appropriate communication and coordination of efforts. Methods to preserve electronic evidence will follow adequate standards of discovery and preservation to prevent spoliation. Knowledge gained during the analysis of security incidents will be captured, reviewed, and appropriately shared to identify security corrections or control measures that may help address similar events. Reference: ISO 27002:2013-16.1.4, 16.1.5,16.1.6,16.1.7; GLBA Safeguards Rule, 16 C.F.R. § 314.4(b)(3); HIPAA Security Rule, 45 C.F.R. §164.308(a)(6)

L. Business Continuity Management

1. Information Security Continuity – Continuity plans will be developed, reviewed, and tested for information resources that are critical for ongoing operations.  Periodic verification of these plans will be performed. Reference: ISO 27002:2013-17.1.1,17.1.2,17.1.3; HIPAA Security Rule, 45 C.F.R. §164.308(a)(7)

2. Resilient Information Resources – Information software and hardware resources will be implemented with sufficient resiliency to meet identified and documented availability needs. Assessment of these needs will be included in the implementation process.  Reference: ISO 27002:2013-17.2

M. Compliance Management

1. Information Security Compliance – The Director of Networking and Information Security, in consultation with the CIO, shall have primary responsibility for the enforcement of information security policies, regulations, procedures, and rules.  The CIO, Director of Networking and Information Security, and the appropriate Vice-Chancellors, Deans, Department Heads and Supervisors,  will address policy violations in accordance with standard university disciplinary processes.

2. Identification of Compliance Requirements – Regular periodic review will be conducted to ensure that relevant legal, policy, and contractual requirements are identified for the university and relevant information resources. Reference: ISO 27002:2013-18.1.1

3. Intellectual Property Rights – Procedures will be implemented to ensure compliance with applicable legal, policy, and contractual requirements related to intellectual property rights and use of proprietary information resources. Reference: ISO 27002:2013-18.1.2

4. Protection of Records – Information resources and data will be protected from loss, destruction, falsification, and unauthorized release in accordance with legal, policy, and contractual requirements. Reference: ISO 27002:2013-18.1.3

5. Privacy and Protection of Personally Identifiable Information (PII) – The privacy and protection of personally identifiable information will be ensured as required in relevant legal and policy frameworks. Reference: ISO 27002:2013-18.1.4

N. Information Security Review

1. Independent Review of Information Security – A qualified independent third party will periodically assess the university's identification and management of information security objectives. Reference: ISO 27002:2013-18.2.1

2. Compliance with Security Regulations and Procedures – Periodic assessments will be conducted to review the adherence of university units and employees to applicable information security policies, regulations, procedures, rules, technical specifications, and other information security requirements published by the CIO and his or her designee. Reference: ISO 27002:2013-14.2.8, 18.2.2; HIPAA Security Rule, 45 C.F.R. §164.308(a)(8)

3. Technical Compliance Evaluations – Periodic technical evaluations, including both automated and manual security assessments such as vulnerability and confidential information scanning, will be performed to ensure that technical controls and security measures adhere to applicable information security policies and standards. Vulnerable systems shall be promptly remediated or managed by approved compensating controls.  Reference: ISO 27002:2013-14.2.8, 18.2.3; GLBA Safeguards Rule, 16 C.F.R. § 314.4(e); HIPAA Security Rule, 45 C.F.R. §164.308(a)(8)

IV. Procedure Revision History
October 11, 2021 – Revised to include conforming edits with UNC System Policy 1400.2.

February 17, 2011 – Adopted by Board of Trustees as part of UNCSA Policy Manual

V. Related Regulatory and Policy References

A. Family Educational Rights and Privacy Act of 1974 (FERPA) (pertaining to the privacy of student information)

B. Gramm-Leach-Bliley Act of 1999 (GLBA) (pertaining to the privacy and safeguarding of consumer financial information)

C. Health Insurance Portability and Accountability Act of 1996 (HIPAA) (pertaining to the privacy and security of protected health information)

D. Payment Card Industry (PCI) Data Security Standard (DSS), v. 3.2.1 (pertaining to the security of credit card payment information)

E. North Carolina General Statutes § 116-40.22 (The University of North Carolina, management flexibility)

F. University of North Carolina System Policy, Information Technology Chapter, Information Technology Governance 1400.1

G. University of North Carolina System Policy, Information Technology Chapter, Information Security 1400.2

H. University of North Carolina System Policy, Information Technology Chapter, User Identity and Access Control 1400.3

I. ISO/IEC 27002:2013 Information technology -- Security techniques -- Code of practice for information security controls