Responsible University Officer
Information Security Liaison Chief Information Officer
Policy Responsible Office
Information Technology Services
This policy applies to all Deans and Vice Chancellors who oversee university
business units that maintain and manage their own Information Technology. This
policy also applies to employees designated as Security Liaisons who must abide
by the Rules and Responsibilities listed in the policy.
This policy applies to all employees designated as Security Liaisons as well as
Deans and Division Heads of University business units that maintain and
manage their own Information Technology.
Deans or Division Heads, who oversee university business units which maintain
and manage their own Information Technology, must designate employees as
Information Security Liaisons. Information Security Liaisons act as important
intermediaries between the Information Security Office and their respective
university business unit. An Information Security Liaison will assist the university
business unit in implementing information security policies and information
security initiatives as well as coordinate with the Information Security
Office with regard to incident management.
Failure by a Security Liaison to comply with the role and responsibilities specified
by this policy may result in disciplinary action, in line with the experience of the
Failure by a Dean or Division Head to name a Security Liaison consistent with
the rules of this policy may have similar disciplinary consequences.
Exceptions to these policies will be rare. Any requests for exceptions to these
policies should be submitted in writing to the Information Security Office for
UNC Information Technology Services Page 1
Reason for Policy
In decentralized environments, such as the University of North Carolina at
Chapel Hill, it is necessary to coordinate security initiatives, incident
management and implementation of policies as well as standards in a consistent
and effective fashion. Those managing the university’s information technology
resources have information security responsibilities that come with managing a
university business unit’s information technology. Given the extraordinary risk
frequently associated with information security incidents, as well as its
implications for compliance, it is essential for deans and department heads to be
aware of information security risk and assume their responsibility for their
Due to the growing number of security intrusions and compromises of sensitive
data, the University of North Carolina at Chapel Hill has enacted a policy
framework that safeguards electronic and non-electronic resources containing
sensitive information. Within this policy framework, the Security Liaison Policy
provides guidance as to the duties and responsibilities of employees designated
as Information Security Liaisons as well as defining which working units must
establish Security Liaisons. Security Liaisons play a vital role in protecting the
Information Security assets of UNC-Chapel Hill.
The failure to protect sensitive data can result in significant fines for the
University by regulatory authorities and may also result in significant breach
notification costs and/or legal action. Security Liaisons play an important role in
safeguarding the University’s sensitive information.
Role of the Information Security Liaison
In line with Information Security Liaison roles and responsibilities at other
universities, an Information Security Liaison and a back-up Information Security
Liaison are required for each university business unit that maintains and
manages its own Information Technology (IT). If a department outsources the
management of its IT, it must also ensure that there is a named Information
Security Liaison as well as a back-up Information Security Liaison on file with the
Information Security Office. Information Security Liaisons serve as a single point
of contact for the Information Security Office regarding security efforts and
information security incidents affecting their respective university business unit.
Information Security Liaisons aid the Information Security Office in improving
Information Security at UNC-Chapel Hill by coordinating with the ISO on security
The Information Security Liaison will work with the Information Security Office in
incident management and response as well as assist, as needed, the Information
Security Office in certain activities including the ones described below. The
Information Security Liaison will act as the primary point of contact for their
respective university business unit for the Information Security Office when
handling security intrusions.
Specifically, the Information Security Liaison will coordinate with the Information
Security Office on the following:
• Ensure the proper identification and classification of computer resources
storing Sensitive Information or deemed mission critical within their area.
• Advise their unit’s systems development and application Data Stewards of
the implementation of appropriate security controls for information on
systems, from the point of system design, through testing and production
• Meet periodically with Information Security Office staff to move forward
enterprise security initiatives for their respective university business units.
• Maintain an up-to-date list of staff with access to sensitive information in
their working group and promptly notify the Information Security Office of
any personnel changes, including transfers within the University. Provide
basic security advice for all assigned systems and users. Ensure timely
compliance with the departmental security awareness requirements,
including yearly refresher training as well as training of new employees.
The Data Steward, in consultation with the Information Security Liaison,
will work towards ensuring that the department or working group is
compliant with applicable state and federal laws as well as University
policies, such as the Information Security Policy. The Liaison may perform
periodic assessments for their respective university business unit to
determine compliance with any applicable security policies, procedures,
• Ensure that any detected vulnerabilities are remediated in a timely manner
consistent with the Vulnerability Management Policy.
• The Information Security Liaison will advise their university business unit
and/or their respective other assigned areas of responsibility regarding the
implementation of appropriate security controls consistent with the
University’s Information Security Policy.
• Collect incident response information and metrics, including developing
and maintaining the department’s or university business unit’s incident
response plan. The Information Security Liaison must ensure a timely
notification of the University’s Information Security Office regarding any
information security incidents for their respective university business unit
consistent with the Incident Management Policy. In addition, the
Information Security Liaison must ensure a timely and comprehensive
response to information security incidents in coordination with the
University’s Information Security Office.
• Report incidents and incident metrics to the University’s Information
Security Office consistent with the Incident Management Policy.
• Coordinate with the Information Security Office regarding the University’s
Information Security strategic initiatives, including security improvements
for the liaison’s university business unit or department. Periodically report
to University administrators/deans/division heads/University Information
Security Office regarding the entity’s status with respect to information
security initiatives and policy compliance.
As necessary, deans and division heads must ensure that Security Liaisons are
appointed and employee time is allocated to perform the duties of a Security
Liaison. In addition, deans and division heads may incur additional costs
associated with the work of Security Liaisons, such as time set aside for
awareness training and inventory of critical assets. Security Liaisons must
incorporate the roles and responsibilities of the Information Security Liaison as
defined in this policy as part of their current responsibilities and must cooperate
with the University Information Security Office on topics such as incident
handling, vulnerability management or awareness training in their respective
university business unit.
In many cases, some or all of these responsibilities as defined in this policy may
already be carried out by university business unit personnel.
Information Security Policy
Vulnerability Management Policy
Glossary and Definitions
For an explanation of the terminology relevant to the Information Security
Policies at UNC-Chapel Hill, refer to website http://xxxxxxxx.
Subject Contact Telephone FAX/E-mail
Policy Questions The University’s
Report a Violation The University’s
Request Information The University’s
Security Consulting Information
Next Review Date: