Standard for Security Requirements of Information Systems

I.  Purpose

The purpose of this standard is to establish the university’s obligation to ensure that information security is integrally tied to all university information systems throughout the life of any given system, including any information systems which provide services over public networks.

II.  Scope

It is the responsibility of all information system owners to ensure that security controls are considered for their information systems throughout the lifecycle, from initial planning to service retirement.

III.  Contacts

Direct any general questions about this standard to your unit’s Information Security Liaison. If you have specific questions, please contact ITS Information Security Compliance at ISCompliance-group@uncc.edu.

IV.  Standard

Prior to implementation or enhancement

Information security requirements should be included in the considerations for any new information system or for the enhancement of any existing information system. For acquired systems/services, security requirements should be fully addressed in the contract and any risks considered prior to purchase. The following requirements should be addressed:

  • User authentication requirements
  • Access provisioning
  • Authorization processes (for end users and privileged accounts)
  • Communicated guidelines regarding user responsibilities when accessing the system
  • Protection of any associated data or assets including the availability, confidentiality and integrity of those assets
  • Logging, monitoring and authentication

NOTE:  The following checklists provide a starting point to review information security related to systems and services:

Services provided via the Internet or other public network

Extra care must be taken to protect information involved in application services which pass over the Web or other public networks. That care should include protection from fraudulent activity, contract dispute, and unauthorized disclosure and modification.

NOTE: Any application involving payment transactions should be coordinated through the University Controller’s office and comply with the Payment (Credit/Debit) Card Processing Standard.

Protecting application services transactions

Information involved in application service transactions should be protected to prevent incomplete transmission, misrouting, unauthorized message alteration, unauthorized disclosure, and unauthorized message duplication or replay.

Related Resources

ISO/IEC 27002 was adopted by The University of North Carolina at Charlotte in 2012. All standards and guidelines are based on this code of practice for Information Security Management.

Revision History

Initially approved by Information Assurance Committee: 5/15/15
Updated: 8/03/17