Top Searches:

Emerging Choreographers Nov 19-23, 2024

School of Filmmaking Symposium Nov 22-22, 2024

Piano Friday: Guest Pianist Angela Cheng Nov 22, 2024

UNCSA Voice Studio Recital: American Style Nov 24, 2024

UNCSA Percussion Studio Recital: The Whole Shebang Nov 24, 2024

UNCSA Trumpet Studio Recital Nov 25, 2024

See All Events
 
Home > UNCSA Policy Manual > 500. Information Technology > Information Technology (IT) Security Regulation 513

Information Technology (IT) Security Regulation 513

Regulation 513 Approved: June 5, 2023
UNIVERSITY OF NORTH CAROLINA SCHOOL OF THE ARTS
Information Technology Data Governance and Management
Regulation 513
Source of Authority: UNC System adoption of ISO/IEC 27002
ISO/IEC 27002:2013 8.2 Classification of Information
UNC System Policies 1400 Series on Information Technology
Revision Authority: Chancellor
History:

First Issued: June 5, 2023
Related Policies: Information Technology Security Regulation 512
Responsible Offices:

Office of Information Technology

Office of Institutional Research
Effective Date: June 5, 2023

I. Purpose

The purpose of this regulation is to define the Data Governance Program used at the University of North Carolina School of the Arts (UNCSA) to ensure the formal management of university information resources and data.

II. Scope

This regulation applies to any person or entity using university information resources and data, including but not limited to all university faculty, staff, students, affiliates, contractors, vendors, and consultants. As such, all users of university information resources and data must be familiar with and comply with this regulation and related procedures, rules, standards, technical specifications, and any other guidance issued by the university in support of this regulation.

This regulation further applies to all university information resources and data, regardless of form or location, and the hardware and software resources used to electronically store, process, or transmit data. This includes data processed or stored and applications used by the university in hosted environments in which the university does not operate the technology infrastructure.

III. Definitions

A. Affiliate: An affiliate is an individual who requires access to information resources to work in conjunction with the university, but is not a UNCSA employee or student.

B. Data Classification: Data classification refers to the categorization of information resources and data, and consistent application of security standards based on such categorization. University data will be classified according to the UNCSA Information Technology (IT) Security Regulation 512.

C. Data Handling: Data Handling refers to the actions that Data Users should take to use, process, transmit, store, archive, and destroy university data in a secure manner that aligns with the classification of the data.

D. Data Lifecycle: The data lifecycle is the progression of stages in which a piece of information may exist between its original creation or collection and final archival or destruction.

E. Information Resources: As used in the University of North Carolina (UNC) System Policy 1400.1, “information resources are information owned or processed by the university, or related to the business of the university, regardless of form or location, and the hardware and software resources used to electronically store, process or transmit that information.” Information resources expressly include data, software, and physical assets. The term university data may be used interchangeably with the term information resources in this regulation.

IV. Regulation

A. University Authority. The university has authority over the use of its information resources and data and is the legal custodian of all university information resources and data. University information resources and data are valuable assets, the use of which must be aligned with the administrative, educational, and institutional research functions of the university.

B. Data Governance Program. The university shall establish a Data Governance Program to guide the strategic use, management, and reporting of university data. The Data Governance Program shall ensure that university data is used in compliance with federal, state, and local regulations, applicable university policies and regulations, and relevant contractual obligations. The Data Governance Program shall be established by a charter that lays out the objectives of the program, program structure and organization, data governance roles and responsibilities, and program metrics.

C. Data Classification. All university information resources and data must be classified and can have only one classification. The university uses four data classification levels based on the nature of the information resources, data, and relevant compliance requirements:

i. Level 1 (Confidential Data) – University data that are protected by federal, state, or local statutes and regulations, industry regulations, provisions in government research grants, or other contractual arrangements, which impose legal and technical restrictions on the appropriate use of institutional information.

ii. Level 2 (Sensitive Data) – University data that may not be protected by law or regulation but are considered private and are subject to restricted treatment such as university data that may be protected by contracts, third-party agreements, or university regulation. 

iii. Level 3 (Controlled Data) – University data that are proprietary or produced only for use by members of the university community who have a legitimate purpose to access such data.

iv. Level 4 (Public Data) – University data that have few restrictions and/or are intended for public use.

D. Data Lifecycle and Data Handling. All university faculty, staff, students, affiliates, contractors, vendors, and consultants are collectively responsible for the management of all university data throughout the data lifecycle. The university shall issue regulations, procedures, rules, and standards as appropriate that address the quality, consistency, usability, accessibility, availability, and protection of university information resources and data throughout its lifecycle and according to classification level. (References: UNC System Policy 1400.1; UNC General Records Retention and Disposition Schedule; UNCSA Records Retention Policy.)

V. Roles and Responsibilities

All university employees are responsible for supporting data governance. This includes not only individuals with management and oversight roles defined by the Data Governance Program but also any user of university information resources and data. Specific roles and responsibilities regarding university data include:

A. Chancellor: The Chancellor has final authority over all university information resources and data. The Chancellor and Chancellor’s designees are responsible for overseeing the protection of university data according to the security level assigned. The Chancellor makes the following delegations in support of this regulation:

i. The Executive Team shall serve as the executive sponsors for the university Data Governance Program and have the responsibilities set forth in the Data Governance Program charter.

ii. The Chief Information Security Officer (CISO) and the Director of Institutional Research shall serve as the university officials responsible for administering the Data Governance Program in accordance with this regulation and the Data Governance Program charter.

B. Data Governance Committee: The Data Governance Committee, with membership consisting of the Data Stewards and other individuals determined by the committee co-chairs, is an inter-departmental group accountable to the Executive Team, with the authority to make decisions on all aspects of data governance for the university. The Data Governance Committee is tasked with overseeing data governance strategy, policy, risk management, and data management, ensuring engagement across the institution, and promoting a culture that embraces the responsible use of data and resources to achieve institutional goals.

C. Data Governance Committee Co-Chairs: The Director of Institutional Research and the Chief Information Security Officer (CISO) are the co-chairs of the Data Governance Committee. The co-chairs lead the Data Governance Program, report to the Executive Team on program activities, and, in consultation with the Executive Team, mediate conflicts and discrepancies between the interests of the Data Stewards and the needs and interests of the university.

D. Data Stewards: Data Stewards are delegated by and accountable to the Executive Team for the accuracy, privacy, and security of the institutional data under their responsibility. As a collective group, the data stewards comprise the Data Governance Committee.

E. Data Administrators: Data Administrators are university employees who are information technology experts assigned specific data management, access management, and information security responsibilities by the appropriate Data Steward. 

F. Data Users: Data Users are all users granted access to university information resources and data, including but not limited to university employees, affiliates (e.g., contractors, partners, volunteers), and students.

VI. Enforcement / Addressing Concerns

All users of university information resources and data must be familiar with and comply with this regulation and related standards, guidelines, and procedures issued by the university in support of this regulation. Failure to comply with the requirements of this regulation and related documents may result in harm to individuals, organizations, or the university. Failure to comply with the requirements of this regulation may result in university discipline, termination of volunteer service, or a determination that the user has materially breached an agreement, and in some cases may be subject to civil lawsuit liability and criminal prosecution.

Questions about this regulation, the university’s Data Governance Program, and any related standards, guidelines, and procedures issued by the university in support of this regulation should be addressed to:

Information Technology Services, technologysupport@uncsa.edu

VII. Revision History

June 5, 2023 – Adopted by the Chancellor as part of the UNCSA Policy Manual

VIII. Related Regulatory and Policy References

VIX. Data Governance Responsibilities by Role

Role Representation Responsibility
Executive Team

Executive level program sponsors
  1. Appointed by the Chancellor to provide strategic program oversight and ensure resources are available for the institution-wide Data Governance Program.
  2. Provide executive leadership in promoting the program throughout the institution and removing barriers to the implementation and ongoing operations of the program.
  3. Provide policy-level endorsement for data governance.
  4. Align data governance strategy with institutional strategy and provide high-level project approval and prioritization.
  5. Provide guidance and resolution on risk tolerance questions.

Data Governance Committee (DGC)

Campus leaders with data decision authority, as determined by the DGC co-chairs, with approval from the Executive Team

Program leadership (CISO, IR)
  1. Serve as the primary data governance program group with management and compliance responsibility for defined institutional data sets.
  2. Oversee data governance strategy, policy, risk management, and data management.
  3. Provide oversight of data management related to university functions for their departments/units.
  4. Provide periodic updates to Executive Team as needed, including updates to the roster of data stewards.
  5. Select data stewards for the DGC who have knowledge of departmental or institutional data and decision authority.
  6. Work closely with executive team, data administrators, and data users to ensure engagement across the institution.
  7. Promote a culture that embraces the responsible use of data and resources to achieve institutional goals.
  8. Ensure that data stewards for specific departmental/institutional data sets receive training, meet applicable contractual and compliance obligations, and follow data management practices.
  9. Develop campus processes to support data accessibility and effective use of data that meet operational needs.
  10. Maintain a list of data steward assignments, designated institutional data set(s), and associated data classifications, and publish as appropriate.
  11. Develop an institutional data dictionary with inputs from all areas of the institution.
  12. Assess and prioritize data issues for resolution, resolving cross-departmental issues.
  13. Ensure education is provided on appropriate use and protection of institutional data.

Data Stewards

Department leaders or stakeholders with primary responsibilities for the use, accuracy, privacy, and security of a designated set of institution data
  1. Data Stewards are accountable to the Executive Team for a designated institutional data set. As a collective group, the data stewards comprise the Data Governance Committee.
  2. View data as an institutional resource and maintain broad institutional knowledge of data.
  3. Promote appropriate data use, data quality, and management procedures.
  4. Responsible for deeply understanding data sets in their responsibility area, as well as how that data may be used across the university.
  5. Responsible for promoting the sharing of knowledge and institutional data practices and processes across campus departments and units.
  6. Assist in developing and implementing data regulations, procedures, rules, standards, technical specifications, and guidelines.
  7. Manage processes for access control, data quality, retention, and disposal in accordance with regulations and standards. Ensure separation of duties.
  8. Help facilitate consistent (or create functional) data definitions and use guidelines to ensure that data elements within institutional data sets are assigned an appropriate data classification level and used appropriately to meet regulatory compliance and institutional policy.
  9. Facilitate communication regarding all process changes that may affect systems or analytics relating to specific data elements.
  10. Work effectively with other data stewards to broadly educate users on appropriate use and protection of institutional data.
  11. Ensure that data custodians and data users receive training and follow data management practices.

Data Administrators

Employees with specific data management responsibilities (usually UNCSA employees who are information technology experts)
  1. Responsible for understanding campus needs and operationally ensuring procedures are consistent with institutional policy.
  2. Provide appropriate technology protections, approving user access for data maintenance roles, and performing activities required to keep the data intact and available to data users.
  3. Work with other data administrators and data stewards to implement, update, and monitor operational standards and procedures.
  4. Document operational standards, procedures, and changes in data set elements and processes.
  5. Maintain technical solutions and perform functions such as data security, physical security, backup, and recovery in compliance with relevant institutional policies, regulations, procedures, rules, standards, and data steward requirements.
  6. Manage data user access and modification requests as authorized by appropriate data stewards.

Data Users

All university employees, affiliates, and students

Users granted access to institutional data

Information resource user (when using information resources, you have these information security responsibilities)
  1. Complete any university data use training as well as any specialized training required for access to specific data sets, including but not limited to data controlled by federal and state regulations, University of North Carolina System policies, and relevant contractual obligations.
  2. Use institutional data only as required for the conduct of university business and protect the confidentiality and privacy of such data (see Regulation 501 and other related IT regulations).
  3. Follow regulations and procedures established to store data under secure conditions.
  4. Comply with federal and state laws and regulations as well as university policies, regulations, procedures, rules, and standards associated with data privacy.
  5. Implement safeguards prescribed for classified data.
  6. Help ensure the appropriateness, accuracy, and timeliness of institutional data used for the conduct of university business.
  7. Immediately report any unauthorized access, data misuse, or potential security incidents to the Information Technology Networking and Information Security Department at technologysupport@uncsa.edu (see Regulation 512).
  8. Promptly report any potential data quality issues to the appropriate data steward for remediation.