Standard for Information Security Oversight
I. Purpose
The purpose of this standard is to establish the university’s obligation to maintain a framework to initiate and control the implementation and operation of information security within the university.
II. Scope
It is important for individuals using, accessing, storing, transmitting, or overseeing University information resources to understand information security responsibilities. These individuals should understand the need for segregating responsibilities, contact with authorities and special interest groups as well as the need for information security in project management.
III. Contacts
Direct any general questions about this standard to your unit’s Information Security Liaison. If you have specific questions, please contact OneIT Information Security Compliance at ISCompliance-group@uncc.edu.
IV. Standard
Information security roles and responsibilities
Though all individuals using, accessing, storing, transmitting, or overseeing University information resources should understand their responsibility for the protection of those resources, some individuals provide additional support to the information security program at UNC Charlotte. These roles are defined in Information Security Roles and Responsibilities.
Segregation of duties
Conflicting duties and areas of responsibility should be segregated to reduce opportunities for accidental or deliberate modification or misuse of the university’s information resources. Steps which should be considered include:
- Ensuring that no one person can access, modify or use assets without authorization or detection.
- Initiation of an event should be separated from its authorization.
- When segregation is difficult, mitigation measures should include monitoring activities, audit trails and management supervision.
Contact with special interest groups
Appropriate contacts with special interest groups or other specialist security forums and professional associations should be maintained as a way to improve knowledge and stay up to date with relevant security information and share and exchange information about new technologies, products, threats, or vulnerabilities.
Information security in project management
Information security should be addressed in project management, regardless of the type of project. Controls needed to ensure information security should be identified early in the project and information security should be a part of all project phases.
Related Resources
- University Policy 311 Information Security
- Information Security Roles and Responsibilities
- ISO/IEC 27002
ISO/IEC 27002 was adopted by The University of North Carolina at Charlotte in 2012. All standards and guidelines are based on this code of practice for Information Security Management.
Revision History
Initially approved by Information Assurance Committee 5/4/15
Updated 9/7/23