This policy specifies the principles and requirements the University of North Carolina at Greensboro (hereinafter “University”) has established to protect information assets owned by or in the care of the University.
This policy applies to all faculty, staff, students, and any parties who interact with, access, or store University information assets or information assets in the University’s care.
3. Definitions and Roles and Responsibilities
3.1 Roles and Responsibilities
Chief Information Security Officer is responsible for providing interpretation of this and other related policies and disseminating related information.
System Administrators, Developers and Integrators are responsible for the application of this and related policies to the systems, information, and other information resources in their care.
Users of the University’s information resources are responsible for the application of this and related policies to the systems, information, and other information resources which they use, access, transmit or store.
Third-party Affiliates with access to University systems and/or facilities are expected to abide by the University’s information security and privacy policies.
The University is committed to protecting information assets and acting as a responsible conservator of information assets entrusted to its care.
As such, the University shall comply with federal and state law, contractual obligations, and UNC System policies related to information security.
University business processes shall be consistent with the above principles, and, unless contrary to law, University policies or UNC System Policies, shall follow the UNCG Information Security Management Standards and procedures for implementation of those standards.
All University leadership, faculty, staff, and students, and relevant affiliates are required to actively support the above principles and are expected to take reasonable measures to protect information assets in their care.
5. Compliance and Enforcement
Information Technology Services (ITS), in cooperation with other University authorities and administrators, will enforce this Policy, and establish standards, procedures, and protocols in support of the policy.
Any violation of this policy by a University student is subject to the Student Code of Conduct in the Student Policy Handbook. For employees, violation of this policy will be subject to consideration as “misconduct” under EHRA policies (faculty and EHRA non-faculty) or “unacceptable personal conduct” under SHRA policies, including any appeal rights stated therein.
If violation of the policy also results in a violation of law, the violation may be referred for criminal or civil prosecution.
Additionally, violations of this policy may result in termination or suspension of access, in whole or in part, to University information systems at the discretion of ITS where such action is reasonable to protect the University or the University information infrastructure.
- The Code and UNC Policy Manual https://www.northcarolina.edu/apps/policy/index.php?tab=policy_manual Chapter 1400 Information Technology
- Family Educational Rights and Privacy Act of 1974 (FERPA) https://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html
- Health Insurance Portability and Accountability Act of 1996 (HIPAA) https://www.hhs.gov/hipaa/index.html
- University of North Carolina System Policy, Information Technology Chapter, Information Technology Governance http://www.northcarolina.edu/apps/policy/index.php
- ISO/IEC 27002:2013 Information technology — Security techniques — Code of practice for information security controls. https://www.iso.org/standard/54533.html
The Chancellor is responsible for approval of this Policy.
6.5 Contacts for Additional Information and Reporting
- Responsible Executive: Donna R. Heath, Vice Chancellor for Information Technology Services and Chief Information Officer (CIO), firstname.lastname@example.org
- Responsible Administrator: Casey J. Forrest, Chief Information Security Officer (CISO), email@example.com
| Revision Date | Revision Summary |
|---|---|
| 07/19/2004 | Adopted as Security of Networks and Networked Data |
| 05/01/2010 | Revised as Security of Networks and Networked Data |
| 01/15/2002 | Adopted as Wireless Communications |
| 07/16/2012 | Adopted as Information Security |