The purpose of this standard is to establish the university’s obligation to ensure that information security is integrally tied to all university information systems throughout the life of any given system, including any information systems that provide services over public networks.
It is the responsibility of all information system owners to ensure that security controls are considered for their information systems throughout the lifecycle, from initial planning to service retirement.
Direct any general questions about this standard to your unit’s Information Security Liaison. If you have specific questions, please contact ITS Information Security Compliance at ISCompliancefirstname.lastname@example.org.
Prior to implementation or enhancement
Information security requirements should be included in the considerations for any new information system or for the enhancement of any existing information system. For acquired systems/services, security requirements should be fully addressed in the contract and any risks considered prior to purchase. Use of the university’s centrally managed authentication services is required. If an information system is unable to integrate with the centrally managed authentication services, an official exception must be approved by ITS.
The following requirements should be addressed:
- User authentication requirements
- Access provisioning
- Authorization processes (for end users and privileged accounts)
- Communicated guidelines regarding user responsibilities when accessing the system
- Protection of any associated data or assets including the availability, confidentiality and integrity of those assets
- Other security control mandates such as required interfaces to logging and monitoring systems
NOTE: The following checklists provide a starting point to review information security related to systems and services:
Services provided via the Internet or other public network
Extra care must be taken to protect information involved in application services which pass over the Internet or other public networks. That care should include protection from fraudulent activity, contract dispute, and unauthorized disclosure or modification.
NOTE: Any application involving payment transactions should be coordinated through the University Controller’s office and must comply with the Payment (Credit/Debit) Card Processing Standard.
Protecting application services transactions
Information involved in application service transactions should be protected to prevent incomplete transmission, misrouting, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.
ISO/IEC 27002 was adopted by The University of North Carolina at Charlotte in 2012. All standards and guidelines are based on this code of practice for Information Security Management.
Initially approved by Information Assurance Committee 5/15/15