1. Network Management
- Network administrators will apply current industry standard best practices to provide appropriate firewall protection to the University network perimeter and to associated network segments as appropriate.
- Installation of network operating systems and applications will be crafted to provide network protection equivalent to the current industry standard.
- Unnecessary open ports and services to servers will be shut off. All open ports must be approved by the Director of Computing Services of the Information Technology Systems Division and documented.
- Open mail relays not administered by Information Technology Systems Division will be eliminated.
- Encrypted sessions will be used for remote administration.
- Regular vulnerability assessments will be performed to ensure that network security components perform as expected.
- Network Time Protocol (NTP) or other authorized time synchronization will be used to assure that all University network time stamping is consistent and accurate.
- Network logging will be performed consistent with University policy and logs will be reviewed regularly.
- Retention of log data will conform to University policy for log data retention.
- Intrusion Detection Systems (IDS) will be employed where appropriate and feasible.
2. Server Management
- Administrators responsible for management of central or departmental servers will incorporate anti-virus protective measures and will keep such software current.
- Administrators responsible for management of central or departmental servers will incorporate an operating environment patch strategy to address security issues as required.
- Administrators responsible for management of central or departmental servers will institute a procedure to require strong passwords of user accounts.
- Administrators responsible for management of central or departmental servers will use University approved software where appropriate to audit passwords and effect remediation of weak passwords.
- Administrators responsible for management of central or departmental servers will employ and monitor Intrusion Detection sensors (IDS) and host based firewalls where appropriate.
- Administrators responsible for management of central or departmental servers will use NTP or other authorized time synchronization to ensure that all University computer activity time stamping is consistent and accurate.
- System activity logging should be performed consistent with University policy and logs will be reviewed regularly. Retention of log data will conform to University policy for data retention.
- Some email may be considered official University institutional data. Such email will be retained by the owner of the email in accordance with N.C. records retention requirements.
- Where feasible, login or "first page banners" as provided by the U.S. Department of Justice, or as approved by the University, will accompany all login screens or entry pages to applications that allow access to data other than public inquiry.
3. Individual Computers, Laptops, Personal Digital Assistants (PDAs), and other Mobile Computing Devices
- Users of portable computing devices are responsible for the security of the device and its content.
- Confidential or protected information on portable computers should be protected using encryption.
- Confidential or protected information must not be transmitted to or from a portable computing device unless secure connection and transmission protocols are used.
- Users of University-owned computers or computers that access University computers or networks will use University-approved anti-virus protective measures and will keep such software current.
- Users of University-owned computers or computers that access University computers or networks will ensure that the computers are kept up to date with all security patches.
- Remote access to University networks will use University-approved encrypted VPN. Such VPN access will conform to University defined methodology to ensure that unauthorized access to University networks is prevented. When a unique situation exists that requires another type of access (e.g. vendor support), access will be granted only for the duration of the session and will be monitored by the server administrator.
- Laptop computers, PDAs, and other mobile computing devices offer a challenge to the security of the University systems and networks. While they provide convenience and portability, they also create a unique material risk to University data security. Loss or theft of a University laptop computer can result in disclosure of data that is protected by State or Federal regulation, or data that should be protected as proprietary for other reasons. Loss or theft of a University laptop computer can allow uncontrolled access to University systems through stored information such as passwords, cookies, etc. The University may, as a result of risk analysis, determine that certain individual computers constitute an elevated risk to the University through loss, and require that the computer be "hardened" through the use of internal recovery software and internal data encryption.
- Users of University computers will configure those systems to conform to University computer security standards. Users of personally owned computers that access University computers or networks should configure those systems to conform to University computer security standards.
- Users of any PDA or mobile computing device that accesses the University network, whether owned by the University or otherwise, will use VPN and University specified encryption when connecting to University networks.
4. Physical Security
a) Central Servers, Departmental Servers and Network Appliances
- Physical Access Controls will be implemented to prohibit access to these facilities by unauthorized personnel.
- Visitors and maintenance personnel should be escorted and monitored while they are in a secure area.
- All facilities housing central servers, departmental servers, and network appliances will have, where appropriate, fire sensing/extinguishing devices present.
- Where feasible, all facilities housing central servers, departmental servers and network appliances will utilize cipher locks or controlled access card entry systems.
b) Desktop, Laptop and PDAs
- Users should log off computers when the user is not in the vicinity of the computer.
- All spaces housing personal computers and desktop equipment should be kept locked when not occupied by the employee(s) in order to reduce the occurrence of unauthorized entry and opportunity for theft.
- Laptops and PDAs used in openly accessible areas should be locked in secure cabinets when not in use. Offices containing laptops and PDAs should be locked when not occupied.
c) General Physical Security Awareness
- Certain information relating to the campus network and information security infrastructure is protected from disclosure under the N.C. Public records exclusion N.C. 132-6.1(c). Information pertaining to network structure, password management, wireless access, etc. can be extremely useful to outside hackers and should not be divulged. Report any attempts by strangers trying to gain such information immediately to your supervisor or to IT Security. Supervisors receiving such reports will immediately notify the Office of IT Security of the event.
- Employees are expected to report any unauthorized access, entry or suspicious activity to supervisors and/or campus police immediately.
- Users will dispose of confidential waste carefully and securely to maintain confidentiality.
5. Business Continuity
- Administrators responsible for management of central or departmental servers will create a functional disaster recovery plan containing sufficient information to allow a third-party person to access backup media and restore the system to operational status. The plan should consider not only critical IT resources, but also personnel necessary to effect a successful recovery of the system(s) and data. Critical information assets must be identified so that essential business activities are restored quickly to functional levels. This plan should be reviewed and tested manually and modified as necessary.
- Administrators responsible for management of central or departmental servers will create multi-generational backups of systems and data on a regular predefined schedule.
- Administrators responsible for management of central or departmental servers will secure the current system and data backup in a secure, protected off-site location. Included with that backup will be a hard-copy listing of the contents of the backup, the current version and hardware of the system from which the backup was obtained and a copy of the disaster recovery plan needed to restore the contents of the backup to operational status.
6. Privacy Issues
The University will not release personal information to parties outside the University without prior consent unless that disclosure is permitted by applicable law or University policy. Individuals within the University will only be granted access to personal information if there is a demonstrated and legitimate need to know, based upon normal job duties, and falling within the purpose and scope for which the data were collected.
The University may permit the inspection, monitoring, or disclosure of University data when access or disclosure is allowed or required by applicable law. This data can include transaction logs, communication logs, pertinent email subject to disclosure, or other records developed in the course of server, systems and network management.
7. Incident Response
A security incident is an event that causes disruption to normal business activity and that is precipitated by malicious or accidental actions. Examples of incidents include denial of service attacks, computer intrusions or suspected intrusions, hacker episodes, misuse, unauthorized access to IT resources or information, reports of violations of University IT policy, State or Federal laws and computer viruses or worms.
a) Viruses and worms
- It is the responsibility of the owner or administrator of University computers to detect, isolate and repair any incidence of infection by virus, Trojan, or worm.
- In the event of infection the owner or administrator should first shut down the affected computer and review the Technology Assistance Center virus web page for assistance. Users may also contact the Technology Assistance Center for further assistance if needed.
b) Computer intrusions or system compromise
- Incidents of computer intrusion or system compromise will be reported to the University Information Technology Security Office or to the Technology Assistance Center which will forward the information to the Information Technology Security Office.
- Incidents of computer intrusion or system compromise will be investigated in coordination with the Information Security Office.
- A written incident log of the event will be maintained (dates and times, persons contacted, systems involved) for all events under investigation. This is a critical component, particularly in situations where a criminal investigation may result.
- The severity of the compromise will be assessed. If the incident is affecting other systems, damaging data, or involving a known root compromise, the incident will be considered critical.
- If the compromise is critical, the system will be disconnected from the campus network and the owner or administrator of the affected computer will be notified of the disconnection.
- The compromised system will be backed up forensically to create a system snapshot in the compromised state. This backup will be considered evidentiary in nature and will be handled and stored using forensic best practices for evidence handling.
- The system will be restored to an operational state before reconnection to the University network.
c) Other incidents
- Other security incidents will be reported to the Information Security Office.
- The Information Security Office will conduct an investigation of the incident and coordinate resolution of the incident with Human Resources, the Dean of Students, Campus Police, or other campus entity as appropriate.
8. Wireless access
- All wireless access points will be centrally managed and subject to periodic audits and penetration testing.
- Wireless infrastructure will be segmented from the campus network using a firewall, VPN appliance, router access control list, or similar technology.
- Users of the wireless network must be authenticated with unique IDs and passwords.
- Confidential data will not be transmitted over a wireless connection unless over an encrypted session.
9. Modem Access and Standards
Modems should only be connected to systems as required to perform system administration, vendor support, or as a part of an administrated application. Modems should only be active during times of use or as needed by an application. Periodic audits and penetration testing of modems are the responsibility of the system administrator or application support personnel for the system to which the modem is connected. Periodic audits and/or penetration testing of modems may also be done by Information Technology Systems Division personnel.
10. Lifecycle replacement and Data Destruction
- All University computers will be examined prior to disposal to assure that no institutional or protected data, proprietary software, or software not licensed to be transferred with the computer resides on media attached to the computer.
- Removal of institutional or protected data, proprietary software, or software not licensed to be transferred with the computer will be accomplished by use of University-approved data destruction software or by physical destruction of the media.
- All University computers that contain, or have contained protected data, proprietary software, or software not licensed to be transferred with the computer will be certified as “sanitized” prior to disposal or transfer to another department or work unit.
11. Data Retention
Retention of data on backup media should be determined by the type of data that is being stored:
- Research data retention must conform to the requirements of the grant agency (NIH, NIST, NIMH, DOD, etc.).
- Users (faculty, staff and students) are responsible for the security and back-up of all data stored on their individual desktops/laptops (including, but not limited to, e-mail and office files). Data is to be backed up on media separate from the internal hard drive (such as USB drive, external hard drive, or other removable media). The user is responsible for the safe and secure storage of all external back-up media. Data stored on centrally managed servers is automatically backed up.
- Institutional data governed by Federal regulation must conform to the requirements of the agency that regulates that data (N.C. State Personnel Act, FERPA, etc.).
- Data related to student coursework will be retained in conformance with the University policy on student data retention.
- Other institutional data will be retained in accordance with State records retention requirements of N.C.G.S. 132 and N.C.G.S. 121 or other applicable State legislation, or University record retention policy.
12. Employee termination and exit procedures
- Upon notification that an employee intends to voluntarily separate from the University, the employee’s supervisor will take the steps necessary to ensure that:
  - No unauthorized transfer of University institutional data is made from University servers or other computers to any personal computer, mobile computer, storage device or portable media.
  - No unauthorized transfer of University institutional data is made from University servers or other computers to any other computers via the network.
  - No software licensed by the University is copied or transferred to the employee unless the employee has a license to personally possess that software or the software is in the public domain.
  - Any transfer of personal data or information from a computer owned by the University be made under supervision at all times.
- Upon involuntary termination of an employee, the employee’s supervisor will take the steps necessary to ensure that all access to University computers, including desktops and mobile computing devices, is denied.
13. Non-affiliate access
There are business needs for the University to provide vendors and other non-affiliated third parties access to the University’s information technology resources and networks. For example, vendors assist in support of information technology resources; contractors may need network access to support major project development; and adjunct faculty may assist in important University research. Non-affiliate access is subject to the following restrictions:
- Non-affiliate access to University IT resources must be authorized by an appropriate Dean, Department head, or higher position within the University.
- The level of access granted will be limited to those IT resources that are required to carry out the specified business or research need of the University.
- The access must be enabled for specified tasks and functions, and limited to specific individuals and only for the time period required to accomplish approved tasks.
- Non-affiliate access must be uniquely identifiable, and password management must conform to University policies.
- The non-affiliate must agree to comply with all applicable Federal and State statutes and University policies concerning acceptable use of University IT resources and policies concerning the preservation of the confidentiality of the information to which they have access.
- The University may, based upon the likelihood of exposure to confidential information, require that the non-affiliate agrees to an instrument of confidentiality.
Enforcement Penalties
The University reserves the right to place restrictions on the use of its electronic resources in response to complaints that present evidence of violations of University policies, rules, regulations or codes, or local, State or Federal laws and regulations. Actions that violate these policies can result in immediate disabling, suspension and/or revocation of the account owner's privileges pending review for further action. Such unauthorized or illegitimate use of electronic resources including computer accounts, resources or facilities may subject the violators to appropriate disciplinary, criminal and/or legal action by the University and/or the State. If evidence is established, the University authorities responsible for overseeing these policies and codes will be consulted on the appropriateness of specific actions.
Individuals who have concerns about the conduct of a member of the University community or the propriety of a given situation or activity should notify their department chair, dean, director, or an administrator in their supervisory chain at a level sufficient to allow objectivity in evaluating the subject of concern. If action is deemed warranted by this official, the matter shall be referred to the appropriate Vice Chancellor or Senior Officer. If disciplinary action is considered, the Vice Chancellor or Senior Officer will consult with Human Resources. Prior to taking action, the Vice Chancellor or Senior Officer responsible for the situation or activity at issue shall consult with the Vice Chancellor for Information Technology Systems Division, who shall, as appropriate, consult with the University's General Counsel. The responsible official shall then respond to University community members who express concerns about such activities or incidents.
When concern about a given situation or activity involves an imminent threat to individuals, systems, or facilities, users should immediately communicate the concern directly to the Office of the Vice Chancellor of Information Technology Systems, the University Police and to the Information Technology Security office.