Information Security – University Policy Manual

1.Purpose

This policy specifies the principles and requirements the University of North Carolina at Greensboro (hereinafter “University”) has established to protect information assets owned by or in the care of the University.

2.Scope

This policy applies to all faculty, staff, students, and any parties who interact with, access, or store University information assets or information assets in the University’s care.

3.Definitions and Roles and Responsibilities

3.1Roles and Responsibilities

Chief Information Security Officer is responsible for providing interpretation of this and other related policies and disseminating related information.

System Administrators, Developers and Integrators are responsible for the application of this and related policies to the systems, information, and other information resources in their care.

Users of the University’s information resources are responsible for the application of this and related policies to the systems, information, and other information resources which they use, access, transmit or store.

Third-party Affiliates with access to University systems and/or facilities are expected to abide by the University’s information security and privacy policies.

4.Policy

4.1

The University is committed to protecting information assets and acting as a responsible conservator of information assets entrusted to its care.

4.2

As such, the University shall comply with federal and state law, contractual obligations, and UNC System policies related to information security.

4.3

University business processes shall be consistent with the above principles, and, unless contrary to law, University policies or UNC System Policies, shall follow the UNCG Information Security Management Standards and procedures for implementation of those standards.

4.4

All University leadership, faculty, staff, and students, and relevant affiliates are required to actively support the above principles and are expected to take reasonable measures to protect information assets in their care.

5.Compliance and Enforcement

Information Technology Services (ITS), in cooperation with other University authorities and administrators, will enforce this Policy, and establish standards, procedures, and protocols in support of the policy.

Any violation of this policy by a University student is subject to the Student Code of Conduct in the Student Policy Handbook. For employees, violation of this policy will be subject to consideration as “misconduct” under EHRA policies (faculty and EHRA non-faculty) or “unacceptable personal conduct” under SHRA policies, including any appreal rights stated therein.

If violation of the policy also results in a violation of law, the violation may be referred for criminal or civil prosecution.

Additionally, violations of this policy may result in termination or suspension of access, in whole or in part, to University information systems at the discretion of ITS where such action is reasonable to protect the University or the University information infrastructure.

6.Additional Information

6.1Supporting Documents

6.2Related Policies

6.3Resources

The Code and UNC Policy Manual https://www.northcarolina.edu/apps/policy/index.php?tab=policy_manual Chapter 1400 Information Technology, Chapter 1400 Information Technology
Family Educational Rights and Privacy Act of 1974 (FERPA) https://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html
Health Insurance Portability and Accountability Act of 1996 (HIPAA) https://www.hhs.gov/hipaa/index.html
University of North Carolina System Policy, Information Technology Chapter, Information Technology Governance http://www.northcarolina.edu/apps/policy/index.php
ISO/IEC 27002:2022 Information technology — Information security, cybersecurity and privacy protection — Information security controls. https://www.iso.org/standard/75652.html

6.4Approval Authority

The Chancellor is responsible for approval of this Policy.

6.5Contacts for Additional Information and Reporting

Responsible Executive: Donna R. Heath, Vice Chancellor for Information Technology Services and Chief Information Officer (CIO), [email protected]
Responsible Administrator: Casey J. Forrest, Chief Information Security Officer (CISO), [email protected]

Revisions

Revision Date	Revision Summary
07/19/2004	Adopted as Security of Networks and Networked Data
05/01/2010	Revised as Security of Networks and Networked Data
01/15/2002	Adopted as Wireless Communications
07/16/2012	Adopted as Information Security
08/09/2021	Revised
08/22/2023	Non-Substantive Edits completed no further review/revision necessary