Information Security and Privacy Governance Policy

Initially Approved: June 24, 2013
Revised and approved: April 25, 2016
Revised and approved: March 24, 2020
Technical Corrections: December 8, 2022
Revised and Approved: January 27, 2026

Policy Topic: Information Technology
Administering Office: Office of CIO

I. POLICY STATEMENT

Institutional information is both a valuable asset and a potential liability. Every member of Western Carolina University (hereinafter “University” or “WCU”) who accesses institutional data is responsible for its stewardship, security, and privacy. As an academic institution, WCU must encourage the free flow of information while protecting critical data.

II. PURPOSE

This Policy aims to:

  1. Protect Enterprise-Level Data and prevent misuse.
  2. Define categories of data and their protection requirements.
  3. Establish a framework for appropriate data handling.
  4. Clarify responsibilities for data governance and incident reporting.
  5. Define information security and its role in enabling institutional information sharing.
  6. Define who is responsible for ensuring that institutional data is handled appropriately, implement a governance structure for information security and privacy, and establish procedures for reporting information security incidents.

III. SCOPE AND APPLICATION

This Policy applies to:

  1. All Enterprise-level Data, including data used by Generative Artificial Intelligence (AI) tools.
  2. Anyone responsible for institutional information or using WCU’s IT resources, regardless of location, ownership, or format (paper, digital, or other).
  3. Access to and disclosure of data.
  4. Related policies and standards that support this overarching Policy.

IV. DEFINITIONS

  1. “Information Security” is the ongoing process of protecting the confidentiality, integrity and availability of information and IT resources.
  2. “Standard” means mandatory rules that support this Policy.
  3. “Information Technology Resource” means any system, media, or software used to transmit, store, or process data.
  4. “Enterprise-level Data” (or “Data”) means information generated, collected, maintained and/or owned by the University, including public and exempt records, in any format.
  5. “ISO 27002” means an international standard for information security controls.
  6. “Data Steward” means the person responsible for classifying and managing access to Enterprise-level Data within their unit, department, or division.
  7. “Information Privacy” means ensuring appropriate technologies, policies, and permissions control access to electronic data.

V. SECURITY POLICY FRAMEWORK

WCU adopts ISO 27002 as its information security framework. This Policy serves as the umbrella for related policies and standards, each of which will reference the applicable ISO 27002 security clauses.

VI. INFORMATION SECURITY AND PRIVACY COMMITTEE (ISPC)

The ISPC is established with the following members or their designee:

  1. Chief Information Officer (Chair)
  2. Chief Information Security and Privacy Officer
  3. General Counsel / Chief Compliance Officer
  4. HIPAA Compliance Officer
  5. Assistant Vice Chancellor for Institutional Planning and Effectiveness
  6. Director of HR Systems and Data Management
  7. Internal Auditor
  8. Director of Research Administration
  9. Director of Student Financial Aid
  10. Bursar
  11. Senior Director of Advancement Services
  12. Faculty representative (appointed by the Chancellor in consultation with the Faculty Senate Chair for a three-year renewable term)

The ISPC oversees implementation of this Policy, ensures that campus data security and privacy policies and related standards and procedures are kept up to date, coordinates the review of campus data security and privacy practices, advises the campus on data security and privacy, and assists with risk assessments.

VII. RESPONSIBILITIES

  1. The Chancellor and Executive Council are the University’s Data Stewards.
  2. The Information Technology Division is responsible for maintaining and enforcing security and privacy policies.
  3. The Office of Institutional Planning and Effectiveness (OIPE) oversees the University's reporting obligations and the movement of data between the campus and the University of North Carolina.
  4. Department managers are responsible for ensuring training and enforcing information security policies and standards.
  5. All members of the campus community are responsible for reporting information security incidents and assisting the Information Security Incident Response Team in investigating and mitigating computer security incidents.
  6. The Chief Information Security and Privacy Officer, in consultation with the ISPC, is responsible for leading governance and compliance efforts.
  7. All faculty, staff, employees, guests, consultants, vendors, volunteers, interns, student workers or temporary workers associated with the University must:
    1. Protect institutional data;
    2. Accept responsibility for their data handling decisions; and
    3. Report any suspicious or harmful activity to the IT Division.

VIII. DATA CATEGORIES

Enterprise-Level Data is classified into the following five sensitivity categories:

  1. GREEN - Low Sensitivity
  2. BLUE - Guarded Sensitivity
  3. YELLOW - Elevated Sensitivity
  4. ORANGE - High Sensitivity
  5. RED - Severe Sensitivity

The categories are not mutually exclusive. Where data falls under more than one category, it must be handled according to the most sensitive category that applies. Definitions and handling requirements are detailed in the Data Handling Procedures Related to the Information Security and Privacy Governance Policy. Authorized staff accessing YELLOW, ORANGE, or RED data must sign a confidentiality statement.

IX. PENALTIES

Willful inappropriate access to or disclosure of data may result in disciplinary action, up to and including dismissal or legal action. In some cases, individuals may be personally liable.

X. REFERENCES

International Organization for Standardization, ISO/IEC 27002:2022, Clause 5 (Organizational Controls)

International Organization for Standardization, ISO/IEC 27701:2019, Clause 6 (PIMS-specific guidance related to ISO/IEC 27002)

University Policy 3, “Information Privacy Policy”

University Policy 52, “Responsible Use of Information Technology Resources”

University Policy 106, “Protecting the Privacy and Security of PII”

Information Security Standards

Data Handling Procedures Related to the Information Security and Privacy Governance Policy