Standard for Information Security Oversight

I.  Purpose

The purpose of this standard is to establish the university’s obligation to maintain a framework to initiate and control the implementation and operation of information security within the university.

II.  Scope

It is important for individuals using, accessing, storing, transmitting, or overseeing University information resources to understand information security responsibilities.  These individuals should understand the need for segregating responsibilities, contact with authorities and special interest groups as well as the need for information security in project management.    

III.  Contacts

Direct any general questions about this standard to your unit’s Information Security Liaison. If you have specific questions, please contact ITS Information Security Compliance at ISCompliance-group@uncc.edu.

IV.  Standard

Information security roles and responsibilities

Though all individuals using, accessing, storing, transmitting, or overseeing University information resources should understand their responsibility for the protection of those resources, some individuals provide additional support to the information security program at UNC Charlotte.These roles are defined in Information Security Roles and Responsibilities.   

Segregation of duties

Conflicting duties and areas of responsibility should be segregated to reduce opportunities for accidental or deliberate modification or misuse of the university’s information resources. Steps which should be considered include:

  • Ensuring that no one person can access, modify or use assets without authorization or detection.
  • Initiation of an event should be separated from its authorization.
  • When segregation is difficult, mitigation measures should include monitoring activities, audit trails and management supervision.

Contact with special interest groups

Appropriate contacts with special interest groups or other specialist security forums and professional associations should be maintained as a way to improve knowledge and stay up to date with relevant security information and share and exchange information about new technologies, products, threats, or vulnerabilities.

Information security in project management

Information security should be addressed in project management, regardless of the type of project. Controls needed to ensure information security should be identified early in the project and information security should be a part of all project phases.

Related Resources

ISO/IEC 27002 was adopted by The University of North Carolina at Charlotte in 2012. All standards and guidelines are based on this code of practice for Information Security Management.

Revision History

Initial Draft   5/4/15
Information Assurance Committee Approval   5/15/15