Standard for Information Security Reviews

I.  Purpose

The purpose of this standard is to establish the university’s obligation to ensure information security is implemented and operated in accordance with university policies, standards, guidelines and procedures.

II.  Scope

It is the responsibility of any college or department owning an information system, to ensure the information security controls for that system are reviewed on a regular basis.    

III.  Contacts

Direct any general questions about this standard to your unit’s Information Security Liaison. If you have specific questions, please contact ITS Information Security Compliance at ISCompliance-group@uncc.edu.

IV.  Standard

Compliance with security policies and standards

Managers should regularly review the compliance of information processing and procedures within their area of responsibility.

Technical compliance reviews

Information systems should be regularly reviewed for compliance.Technical compliance reviews, whether manual or automated, should be performed and interpreted by a technician specialist. Vulnerability assessments should be planned, documented and implemented in such a way as to ensure they do not lead to compromise of the security of the system.

Independent review of information security

It is the responsibility of ITS Information Security Compliance, working with the Information Assurance Committee to facilitate a review of college and departmental information security objectives, controls, policies, processes and procedures through an annual campus IT Security Risk Assessment. Additional independent reviews of university information security should be conducted regularly or when significant changes occur.

Related Resources

ISO/IEC 27002 was adopted by The University of North Carolina at Charlotte in 2012. All standards and guidelines are based on this code of practice for Information Security Management.

Revision History

Initially approved by Information Assurance Committee   5/15/15
Updated   1/5/17