NETWORKANDDATASECURITYPOLICY

07.300
Authority:

BoardofTrustees

History:

ApprovedbytheBoardofTrusteesAugust3,2007revisedJuly
18,2007reformattedMay25,2005approvedbytheBoardof
TrusteesOctober28,2004effectiveOctober28,2004.

Sourceof
Authority:

ConsolidatedUniversityofNorthCarolinaNetstudy Security
SubcommitteeBaselineRecommendations(Feb.16,2003)
InternationalStandardISO17799

RelatedLinks:
Responsible
Office:

InformationTechnologySystemsDivision

I. Introduction/Purpose
Thisdocumentprovidestheguidelinestoestablishasecurityframeworktoprotect
theuniversitynetworks,computingsystemsanddata.Throughthispolicy,the
universitywillencouragetheapplicationofindustrywidebestpracticestoassure
that:
A. Confidentiality,availabilityandintegrityofuniversityinstitutionaldatawillbe
maintainedatalltimes.
B. Stewardshipandcustodialresponsibilityofalluniversityinstitutionaldatawillbe
definedandthatdataownersandcustodiansidentifyandprotectsuchdatain
accordancewithStateandFederallawsandregulations.
C. Thelevelofsecurityappliedtonetworks,systemsanddataisappropriateforthe
levelofriskassociatedwithdisclosure,corruption,impropermodificationorloss
ofuniversityinstitutionaldata.
II. Scope/Coverage
Thispolicyappliestoeachadministratororuserof theuniversitysnetworksand
computers(enterpriseservers,departmentalservers,desktopsandmobilecomputing
devices).Administratorsofserversthatprocessinstitutionaldataareexpectedto
applyindustrybestpracticestoensureappropriatesecurityofthatdata.Network
administratorsareexpectedtoapply bestpracticestoensurethatthenetworkis
protected,availableandsecurefrombreach.Usersofuniversityinformation
technologyresourcesareexpectedtoapplybestpracticestopreventcorruption or

07.300UNCWNETWORKANDDATASECURITYPOLICY

Page 1of 13

unauthorizeddisclosureofuniversity institutionaldata,disruptionofuniversity
networksorlossofuniversitybusinesscontinuity.
III. PolicyStatement
A. RolesandResponsibilities
1. InformationTechnologySecurityOfficer
TheuniversitysInformationTechnologySecurityOfficerhasresponsibility
fordevelopment,practiceandenforcementoftheinformationsecuritypolicy
oftheuniversity.TheITSecurityOfficerwillalsocoordinatesecurityefforts
forotherdepartmentswithintheuniversity. Thispositionreportstoandis
supervisedbytheViceChancellorofInformationTechnologySystems
Division.
2. UniversityInstitutionalData
Universityinstitutionaldataisdatathatisrelevanttoplanningormanaging
anadministrativeoracademicfunctionoftheuniversity. Responsibilityfor
theintegrityandaccuracyofthatdataisthedataowner. Responsibilityof
applicationoftheprotectionsnecessarytoinsureconfidentialityand
availabilityofthatdataisthefunctionofthecustodiansofthatdata.
3. DataOwner
TheDataOwneristheentity,department,oradministrativeworkgroupthat
isresponsibleforenteringthatdata intouniversityinformationsystemsandis
responsibleforassurancethatthedataisaccurateandcomplete.TheData
Owner,duetolegal,legislative,orethicalconstraints,mayalso,after
consultationwithothers,makethedeterminationthataccesstocertain
elementsofthedataislimited.
4. Data/NetworkCustodian
Thecustodialresponsibilitiesofuniversityinstitutionaldatagenerally
comprisethefollowingareaswithintheuniversity:managersand
administratorsofcomputersystemsandserverswhereinstitutionaldata
residesmanagersandapplicationsprogrammersofsoftwaresystemsand
webapplicationsthatstore,modifyorprovideaccesstothatdataand
managersofnetworksthatprovideinternalandexternalaccesstothatdata.
Eachofthesegroupsshareacustodialresponsibilitytoassurethatthe
confidentiality,integrityandaccessibilityofuniversityinstitutionaldatais
maintainedatalltimeswithintheparametersdefinedbythedataowner,
universitypolicy,andStateandFederalrequirements.

07.300UNCWNETWORKANDDATASECURITYPOLICY

Page 2of 13

B. DataClassification/PublicRecords
Alldataresidingonuniversitycomputers, oronbackupmediaretainedforthe
purposeofbusinesscontinuityanddisasterrecovery,issubjectto theN.C.Public
RecordsActwiththefollowingexceptions:datasubjecttotheexclusionofN.C.
G.S.1326.1(c)andothersubsectionscertain policerecordsandcriminal
investigativeinformationdatasubjecttoprotectionfromdisclosurebyStateor
FederalLegislation(e.g.N.C. PersonnelRecordsAct,FERPA,etc.)transactional
datasubjecttoFederal legislation(e.g.ECPA)andincidental communicationnot
relatedtoperformanceofanemployeesassignedduties.Itistheresponsibilityof
thedataownertoidentifyelementsofalldatarecordsforwhichthedata owner
hasresponsibilityofstewardshiptodeterminethelevelof protectionthatthedata
elementrequires.Ifadataelementrequires protectionfromaccessordisclosure,
itistheincumbentresponsibility of thedataownertoinformtheappropriatedata
custodiansofthatrequirement.
C. Nondisclosure
Asaconditionofemployment,datausersareexpectedtoaccessinstitutionaldata
onlyintheperformanceoftheirassignedduties,torespectandadheretothe
confidentialityandprivacyofindividualswhoserecordstheyaccessandtoabide
byallapplicablelawsorpolicieswithrespecttoaccess,useordisclosureof
information.Institutionaldatamaynotbedisclosedordistributedinanymedium
unlessrequiredbyanemployee'sassignedduties.Universityinstitutionaldata
maynotbeaccessedorusedforpersonalgainortosatisfypersonalcuriosity.
Certainemployeesmaybeexposedtoconfidentialinformationinnormal
performanceoftheirassignedduties.Theexposurecouldeitherbeincidentaltoor
materialinperformanceoftheirduties.Therefore,theuniversitymay,basedupon
thelikelihoodofexposuretoconfidentialinformation,requirethatcertain
employeesalsosignaconfidentialitystatement.
D. ApplicationofBestPracticestoCreateaSecureComputingandNetwork
Environment
1. NetworkManagement
a. Networkadministratorswillapplycurrentindustrystandardbestpractices
toprovideappropriatefirewallprotectiontotheuniversitynetwork
perimeterandtoassociatednetworksegmentsasappropriate.
b. Installationofnetworkoperatingsystemsandapplicationswillbecrafted
toprovidenetworkprotectionequivalenttothecurrentindustrystandard.
c. Unnecessaryopenportsandservicestoserverswillbeshutoff.Allopen
portsmustbeapprovedbytheDirectorofComputingServicesofthe
InformationTechnologySystemsDivisionanddocumented.

07.300UNCWNETWORKANDDATASECURITYPOLICY

Page 3of 13

d. OpenmailrelaysnotadministeredbyInformationTechnologySystems
Divisionwillbeeliminated.
e. Encryptedsessionswillbeusedforremoteadministration.
f. Regularvulnerabilityassessmentswillbeperformedtoensurethat
networksecuritycomponentsperformasexpected.
g. Network TimeProtocol(NTP)orotherauthorizedtimesynchronization
willbeusedtoassurethatalluniversitynetworktimestampingis
consistentandaccurate.
h. Networkloggingwillbeperformedconsistentwithuniversitypolicyand
logswillbereviewedregularly.
i. Retentionoflogdatawillconformtouniversitypolicyforlogdata
retention.
j. IntrusionDetectionSystems(IDS)willbeemployedwhereappropriate
andfeasible.
2. ServerManagement
a. Administratorsresponsibleformanagementofcentralordepartmental
serverswillincorporateantivirusprotectivemeasuresandwillkeepsuch
softwarecurrent.
b. Administratorsresponsibleformanagementofcentralordepartmental
serverswillincorporateanoperatingenvironmentpatchstrategyto
addresssecurityissuesasrequired.
c. Administratorsresponsibleformanagementofcentralordepartmental
serverswillinstituteaproceduretorequirestrongpasswordsofuser
accounts.
d. Administratorsresponsibleformanagementofcentralor departmental
serverswilluseuniversityapprovedsoftwarewhereappropriatetoaudit
passwordsandeffectremediationofweakpasswords.
e. Administratorsresponsibleformanagementofcentralordepartmental
serverswillemployandmonitorIntrusionDetectionsensors(IDS)and
hostbasedfirewallswhereappropriate.
f. Administratorsresponsibleformanagementofcentralordepartmental
serverswilluseNTPorotherauthorizedtimesynchronizationtoensure

07.300UNCWNETWORKANDDATASECURITYPOLICY

Page 4of 13

thatalluniversitycomputeractivitytimestampingisconsistentand
accurate.
g. Systemactivityloggingshouldbeperformedconsistentwithuniversity
policyandlogswillbereviewedregularly.Retentionoflogdatawill
conformtouniversitypolicyfordataretention.
h. Someemailmaybeconsideredofficialuniversityinstitutionaldata.Such
emailwillberetainedbytheowneroftheemailinaccordancewithN.C.
recordsretentionrequirements.
i. Wherefeasible,loginor"firstpagebanners"asprovidedbytheU.S.
Departmentof Justice,orasapprovedbytheuniversity,willaccompany
allloginscreensorentrypagestoapplicationsthatallowaccesstodata
otherthanpublicinquiry.
3. IndividualComputers,Laptops,PersonalDigitalAssistants(PDAs),andother
MobileComputingDevices
a. Usersofportablecomputingdevicesareresponsibleforthesecurityof
thedeviceanditscontent.
b. Confidentialorprotectedinformationonportablecomputersshouldbe
protectedusingencryption.
c. Confidentialorprotectedinformationmustnotbetransmittedtoorfroma
portablecomputingdeviceunlesssecureconnectionandtransmission
protocolsareused.
d. Usersofuniversityownedcomputersorcomputersthataccessuniversity
computersornetworkswilluseuniversityapprovedantivirusprotective
measuresandwillkeepsuchsoftwarecurrent.
e. Usersofuniversityownedcomputersorcomputersthataccessuniversity
computersornetworkswillensurethatthecomputersarekeptuptodate
withallsecuritypatches.
f. Remoteaccesstouniversitynetworkswilluseuniversityapproved
encryptedVPN.SuchVPNaccesswillconformtouniversitydefined
methodologytoensurethatunauthorizedaccesstouniversitynetworksis
prevented.Whenauniquesituationexiststhatrequiresanothertypeof
access(e.g.vendorsupport),accesswillbegrantedonlyfortheduration
ofthesessionandwillbemonitoredbytheserveradministrator.
g. Laptopcomputers,PDAs,andothermobilecomputingdevicesoffera
challengetothesecurityoftheuniversitysystemsandnetworks.While

07.300UNCWNETWORKANDDATASECURITYPOLICY

Page 5of 13

theyprovideconvenienceandportability,theyalsocreateaunique
materialrisktouniversitydatasecurity.Lossortheftofauniversity
laptopcomputercanresultindisclosureofdatathatisprotectedbyState
orFederalregulation,ordatathatshouldbeprotectedasproprietaryfor
otherreasons.Lossortheftorauniversitylaptopcomputercanallow
uncontrolledaccesstouniversitysystemsthroughstoredinformationsuch
aspasswords,cookies,etc.Theuniversitymay,asaresultofrisk
analysis,determinethatcertainindividualcomputersconstitutean
elevatedrisktotheuniversitythroughloss,andrequirethatthecomputer
be"hardened"throughtheuseofinternalrecoverysoftwareandinternal
dataencryption.
h. Usersofuniversitycomputerswillconfigurethosesystemstoconformto
universitycomputersecuritystandards.Usersofpersonallyowned
computersthataccessuniversitycomputersornetworksshouldconfigure
thosesystemstoconformtouniversitycomputersecuritystandards.
i. UsersofanyPDAormobilecomputingdevicethataccessesthe
university network,whetherownedbytheuniversity orotherwise,will
useVPNanduniversityspecifiedencryptionwhenconnectingto
universitynetworks.
4. PhysicalSecurity
a. CentralServers,DepartmentalServersandNetworkAppliances
1)PhysicalAccessControlswillbeimplementedtoprohibitaccessto
thesefacilitiesbyunauthorizedpersonnel.
2)Visitorsandmaintenancepersonnelshouldbeescortedandmonitored
whiletheyareinasecurearea.
3)Allfacilitieshousingcentralservers,departmentalservers,and
networkapplianceswillhave,whereappropriate,fire
sensing/extinguishingdevicespresent.
4)
Wherefeasible,allfacilitieshousingcentralservers,departmental
serversandnetworkapplianceswillutilizecipherlocksorcontrolled
accesscardentrysystems.
b. Desktop,LaptopandPDAs
1)Usersshouldlogoffcomputerswhentheuserisnotinthevicinityof
thecomputer.

07.300UNCWNETWORKANDDATASECURITYPOLICY

Page 6of 13

2)Allspaceshousingpersonalcomputersanddesktopequipmentshould
bekeptlockedwhennotoccupiedbytheemployee(s)inorderto
reducetheoccurrenceofunauthorizedentryandopportunityfortheft.
3)LaptopsandPDAsusedinopenlyaccessibleareasshouldbelockedin
securecabinetswhennotinuse.OfficescontaininglaptopsandPDAs
shouldbelockedwhennotoccupied.
c. GeneralPhysicalSecurityAwareness
1)Certaininformationrelatingtothecampusnetworkandinformation
securityinfrastructureisprotectedfromdisclosureundertheN.C.
PublicrecordsexclusionN.C.1326.1(c).Informationpertainingto
networkstructure,passwordmanagement,wirelessaccess,etc.canbe
extremelyusefultooutsidehackersandshouldnotbedivulged.Report
anyattemptsbystrangerstryingtogainsuchinformationimmediately
toyoursupervisorortoITSecurity.Supervisorsreceivingsuchreports
willimmediatelynotifytheOfficeofITSecurityoftheevent.
2)Employeesareexpectedtoreportanyunauthorizedaccess,entryor
suspiciousactivitytosupervisorsand/orcampuspoliceimmediately.
3)Userswilldisposeofconfidentialwastecarefullyandsecurelyto
maintainconfidentiality.
5. BusinessContinuity
a. Administratorsresponsibleformanagementofcentralordepartmental
serverswillcreateafunctionaldisasterrecoveryplancontaining
sufficientinformationtoallowathirdpartypersontoaccessbackup
mediaandrestorethesystemtooperationalstatus.Theplanshould
considernotonlycriticalITresources,butalsopersonnelnecessaryto
effectasuccessfulrecoveryofthesystem(s)anddata.Critical
informationassetsmustbeidentifiedsothatessentialbusinessactivities
arerestoredquicklytofunctionallevels.Thisplanshouldbereviewed
andtestedmanuallyandmodifiedasnecessary.
b. Administratorsresponsibleformanagementofcentralordepartmental
serversor datawillcreatemultigenerationalbackupsofsystemsanddata
onaregularpredefinedschedule.
c. Administratorsresponsibleformanagementofcentralordepartmental
serverswillsecurethecurrentsystemanddatabackupinasecure,
protectedoffsitelocation.Includedwiththatbackupwillbeahardcopy
listingofthecontentsofthebackup,thecurrentversionandhardwareof
thesystemfromwhichthebackupwasobtainedandacopyofthedisaster

07.300UNCWNETWORKANDDATASECURITYPOLICY

Page 7of 13

recoveryplanneededtorestorethecontentsofthe backuptooperational
status.
6. PrivacyIssues
Theuniversitywillnotreleasepersonalinformationtopartiesoutsidethe
universitywithoutpriorconsentunlessthatdisclosureispermittedby
applicablelaworuniversity policy.Individualswithintheuniversitywill
onlybegrantedaccesstopersonalinformationifthereisademonstratedand
legitimateneedtoknow,baseduponnormaljobduties,andfallingwithinthe
purposeandscopeforwhichthedatawerecollected.
Theuniversitymaypermittheinspection,monitoring,ordisclosureof
universitydatawhenaccessordisclosureisallowedorrequiredbyapplicable
law.Thisdatacanincludetransactionlogs,communicationlogs,pertinent
emailsubjecttodisclosure,orotherrecordsdevelopedinthecourseof
server,systemsandnetworkmanagement.
7. IncidentResponse
Asecurityincidentisaneventthatcausesdisruptiontonormalbusiness
activityandthatisprecipitatedbymaliciousoraccidentalactions.Examples
ofincidentsincludedenialofserviceattacks,computerintrusionsor
suspectedintrusions,hackerepisodes,misuse,unauthorizedaccesstoIT
resourcesorinformation,reportsofviolationsofuniversityITpolicy,State
orFederallawsandcomputervirusesorworms.
a. Virusesandworms
1)Itistheresponsibilityof theowneroradministratorofuniversity
computerstodetect,isolateandrepairanyincidenceofinfectionby
virus,Trojan,orworm.
2)Intheeventofinfectiontheowneroradministratorshouldfirstshut
downtheaffectedcomputerandreviewtheTechnologyAssistance
Centerviruswebpageforassistance. Usersmayalsocontactthe
TechnologyAssistanceCenterforfurtherassistanceifneeded.
b. Computerintrusionsorsystemcompromise
1)Incidentsofcomputerintrusionorsystemcompromisewillbereported
totheuniversity InformationTechnologySecurityOfficeortothe
TechnologyAssistanceCenterwhichwillforwardtheinformationto
theInformationTechnologySecurityOffice.

07.300UNCWNETWORKANDDATASECURITYPOLICY

Page 8of 13

2)Incidentsofcomputerintrusionorsystemcompromisewillbe
investigatedincoordinationwiththeInformationSecurityOffice.
3)Awrittenincidentlogoftheeventwillbemaintained(datesandtimes,
personscontacted,systemsinvolved)foralleventsunder
investigation.Thisisacriticalcomponent,particularlyinsituations
whereacriminalinvestigationmayresult.
4)Theseverityofthecompromisewillbeassessed.Iftheincidentis
affectingothersystems,damagingdata,orinvolvingaknownroot
compromise,theincidentwillbeconsideredcritical.
5)Ifthecompromiseiscritical,thesystemwillbedisconnectedfromthe
campusnetworkandtheowneroradministratoroftheaffected
computerwillbenotifiedofthedisconnection.
6)Thecompromisedsystemwillbebackedupforensicallytocreatea
systemsnapshotinthecompromisedstate.Thisbackupwillbe
consideredevidentiaryinnatureandwillbehandledandstoredusing
forensicbestpracticesforevidencehandling.
7)Thesystemwillberestoredtoanoperationalstatebeforereconnection
totheUniversitynetwork.
c. Otherincidents
1)OthersecurityincidentswillbereportedtotheInformationSecurity
Office.
2)TheInformationSecurityOfficewillconductaninvestigationofthe
incidentandcoordinateresolutionoftheincidentwithHuman
Resources,theDeanofStudents,CampusPolice,orothercampus
entityasappropriate.
8. Wirelessaccess
a. Allwirelessaccesspointswillbecentrallymanagedandsubjectto
periodicauditsandpenetrationtesting.
b. Wirelessinfrastructurewillbesegmentedfromthecampusnetworkusing
afirewall,VPNappliance,routeraccesscontrollist,orsimilar
technology.
c. UsersofthewirelessnetworkmustbeauthenticatedwithuniqueIDsand
passwords.

07.300UNCWNETWORKANDDATASECURITYPOLICY

Page 9of 13

d. Confidentialdatawillnotbetransmittedoverawirelessconnection
unlessoveranencryptedsession.
9. ModemAccessandStandards
Modemsshouldonlybeconnectedtosystemsasrequiredtoperformsystem
administration,vendorsupport,orasapartofanadministratedapplication.
Modemsshouldonlybeactiveduringtimesofuseorasneededbyan
application.Theresponsibilityforperiodicauditsandpenetrationtestingof
modemsistheresponsibilityofthesystemadministratororapplication
supportpersonnelforthesystemtowhichthemodemisconnected.Periodic
auditsand/orpenetrationtestingofmodemsmayalsobedonebyInformation
TechnologySystemsDivisionpersonnel.
10. LifecyclereplacementandDataDestruction
a. Alluniversitycomputerswillbeexaminedpriortodisposaltoassurethat
noinstitutionalorprotecteddata,proprietarysoftware,orsoftwarenot
licensedtobetransferredwiththecomputerresidesonmediaattachedto
thecomputer.
b. Removalofinstitutionalorprotecteddata,proprietarysoftware,or
softwarenotlicensedtobetransferredwiththecomputerwillbe
accomplishedbyuseofuniversityapproveddatadestructionsoftwareor
byphysicaldestructionofthemedia.
c. Alluniversitycomputersthatcontain,orhavecontainedprotecteddata,
proprietarysoftware,orsoftwarenotlicensedtobetransferredwiththe
computerwillbecertifiedassanitizedpriortodisposalortransferto
anotherdepartmentorworkunit.
11. DataRetention
Retentionofdataonbackupmediashouldbedeterminedbythetypeofdata
thatisbeingstored:
a. Researchdataretentionmustconformtotherequirementsofthegrant
agency(NIH,NIST,NIMH,DOD,etc.).
b. Users(faculty,staffandstudents)areresponsibleforthesecurityand
backupofalldatastoredontheirindividualdesktops/laptops(including,
butnotlimitedto,emailandofficefiles).Dataistobebackedupon
mediaseparatefromtheinternalharddrive(suchasUSBdrive,external
harddrive,orotherremovablemedia).Theuserisresponsibleforthe
safeandsecurestorageofallexternalbackupmedia. Datastoredon
centrallymanagedserversisautomaticallybackedup.

07.300UNCWNETWORKANDDATASECURITYPOLICY

Page 10 of 13

c. InstitutionaldatagovernedbyFederalregulationmustconformtothe
requirementsoftheagencythatregulatesthatdata(N.C.StatePersonnel
Act,FERPA,etc.).
d. Datarelatedtostudentcourseworkwillberetainedinconformancewith
theuniversitypolicyonstudentdataretention.
e. OtherinstitutionaldatawillberetainedinaccordancewithStaterecords
retentionrequirementsofN.C.G.S.132andN.C.G.S.121orother
applicableState legislation,oruniversityrecordretentionpolicy.
12. Employeeterminationandexitprocedures
a. Uponnotificationthatanemployeeintendstovoluntarilyseparatefrom
theuniversity,theemployeessupervisorwilltakethestepsnecessaryto
ensurethat:
b. Nounauthorizedtransferofuniversityinstitutionaldataismadefrom
universityserversorothercomputerstoanypersonalcomputer,mobile
computer,storagedeviceorportablemedia.
c. Nounauthorizedtransferofuniversityinstitutionaldataismadefrom
universityserversorothercomputerstoanyothercomputersviathe
network.
d. Nosoftwarelicensedbytheuniversityiscopiedortransferredtothe
employeeunlesstheemployeehasalicensetopersonallypossessthat
softwareor thesoftwareisinthepublicdomain.
e. Anytransferofpersonaldataorinformationfromacomputerownedby
theuniversity shallbemadeundersupervisionatalltimes.
f. Uponinvoluntaryterminationofanemployee,theemployeessupervisor
willtakethestepsnecessarytoensurethatallaccesstouniversity
computers,includingdesktopsandmobilecomputingdevices,isdenied.
13. Nonaffiliateaccess
Therearebusinessneedsfortheuniversitytoprovidevendorsandothernon
affiliatedthirdpartiesaccesstotheuniversitysinformationtechnology
resourcesandnetworks.Forexample,vendorsassistinsupportof
informationtechnologyresourcescontractorsmayneednetworkaccessto
supportmajorprojectdevelopmentandadjunctfacultymayassistin
importantuniversityresearch.Nonaffiliateaccessissubjecttothefollowing
restrictions:

07.300UNCWNETWORKANDDATASECURITYPOLICY

Page 11 of 13

a. NonaffiliateaccesstouniversityITresourcesmustbeauthorizedbyan
appropriateDean,DepartmentChair,orhigherpositionwithinthe
university.
b. Thelevel ofaccessgrantedwillbelimitedtothoseITresourcesthatare
requiredtocarryoutthespecifiedbusinessorresearchneedofthe
university.
c. Theaccessmustbeenabledforspecifiedtasksandfunctions,andlimited
tospecificindividualsandonlyforthetimeperiodrequiredtoaccomplish
approvedtasks.
d. Nonaffiliateaccessmustbeuniquelyidentifiable,andpassword
managementmustconformtouniversitypolicies.
e. ThenonaffiliatemustagreetocomplywithallapplicableFederaland
Statestatuesanduniversitypoliciesconcerningacceptableuseof
universityITresourcesandpoliciesconcerningthepreservationofthe
confidentialityoftheinformationtowhichtheyhaveaccess.
f. Theuniversitymay,baseduponthelikelihoodofexposuretoconfidential
information,requirethatthenonaffiliateagreestoaninstrumentof
confidentiality.
IV. EnforcementPenalties
Theuniversityreservestherighttoplacerestrictionsontheuseofitselectronic
resourcesinresponsetocomplaintsthatpresentevidenceofviolationsof university
policies,rules,regulationsorcodes,orlocal,StateorFederallawsandregulations.
Actionsthatviolatethesepoliciescanresultinimmediatedisabling,suspension
and/orrevocationoftheaccountowner'sprivilegespendingreviewforfurtheraction.
Suchunauthorizedorillegitimateuseofelectronicresourcesincludingcomputer
accounts,resourcesorfacilitiesmaysubjecttheviolatorstoappropriatedisciplinary,
criminaland/orlegalactionbytheuniversityand/ortheState.Ifevidenceis
established,theuniversityauthoritiesresponsibleforoverseeingthesepoliciesand
codeswillbeconsultedontheappropriatenessofspecificactions.
Individualswhohaveconcernsabouttheconductofamemberoftheuniversity
communityortheproprietyofagivensituationoractivityshouldnotifytheir
departmentchair,dean,director,oranadministratorintheirsupervisorychainata
levelsufficienttoallowobjectivityinevaluatingthesubjectofconcern.Ifactionis
deemedwarrantedbythisofficial,themattershallbereferredtotheappropriateVice
ChancellororSeniorOfficer.Ifdisciplinaryactionisconsidered,theViceChancellor
orSeniorOfficerwillconsultwithHumanResources.Priortotakingaction,theVice
ChancellororSeniorOfficerresponsibleforthesituationoractivityatissueshall

07.300UNCWNETWORKANDDATASECURITYPOLICY

Page 12 of 13

consultwiththeViceChancellorforInformationTechnologySystemsDivision,who
shall,asappropriate,consultwiththeuniversity'sGeneralCounsel.Theresponsible
officialshall thenrespondtouniversitycommunitymemberswhoexpressconcerns
aboutsuchactivitiesorincidents.
Whenconcernaboutagivensituationoractivityinvolvesanimminentthreatto
individuals,systems,orfacilities,usersshouldimmediatelycommunicatetheconcern
directlytotheOfficeoftheViceChancellorofInformationTechnologySystems,the
UniversityPoliceandtotheInformationTechnologySecurityoffice.

07.300UNCWNETWORKANDDATASECURITYPOLICY

Page 13 of 13