Information Security and Privacy Governance
Approved by: Executive Council: March 5, 2007
Posted: March 22, 2007
Revised: April 25, 2016
Revised: February 21, 2018
Revised: March 24, 2020
Revised and Renamed: November 15, 2022
Revised: September 24, 2024
Policy Topic: Information Technology
Administering Office: Office of CIO
Institutional data is both a valuable asset and a potential liability to the University.
As such, the security and privacy of university data are important responsibilities
for every member of the university that has access to it. As an academic institution
we must encourage the free flow of most information, while protecting critical operational
information.
I. PURPOSE
- To protect the university’s data and to protect the University from misuse of its
data.
- To establish categories of data and their definitions.
- To provide a framework defining the appropriate protection required for each category
of data.
- To define who is responsible for ensuring that data is handled in an appropriate manner
and a governance structure for information security and privacy. This policy addresses
university data fed into or utilized by Generative Artificial Intelligence (AI) tools.
II. SCOPE
- The Policy and the related Data Handling Procedures applies to all university enterprise-level
data as defined below, including data provided to or utilized by Generative Artificial
Intelligence (AI) tools.
- The Policy applies to data housed on the campus itself or hosted on an outsourced
system.
- The Policy applies to data in physical form, including but not limited to paper, as
well as data in a digital format.
- The policy addresses both access to and disclosure of data.
III. DEFINITIONS
- The terms “enterprise-level data” or “data” shall mean any and all information generated by, owned by, created by, or otherwise
managed by Western Carolina University, including that created by students, faculty,
and/or staff pursuant to the university related duties or obligations. Data may exist
in physical form, including but not limited to paper, as well as in a digital form.
Data shall include both public records as well as records exempt from the North Carolina
Public Records Act.
- The term “campus” shall mean all colleges, schools, departments, units, or other subdivision(s) of
Western Carolina University.
IV. RESPONSIBILITIES
- The Chancellor, Provost, Vice Chancellors, General Counsel, CIO, Chief of Staff and
the Director of Athletics are the institutional Data Stewards (Data Stewards). The
Data Stewards may appoint designees for their various areas of responsibility. The
Data Stewards are responsible for ensuring the appropriate handling of the enterprise-level
data produced and managed by their division/unit, including the classification of
data and the authorization of access.
- The Information Technology Division is responsible for ensuring that the appropriate
technologies and system policies and permissions are in place to ensure appropriate
access to electronic data.
- The Office of Institutional Planning and Effectiveness (OIPE) has primary responsibility
for meeting the University's reporting obligations and overseeing the movement of
unit record data between the campus and the University of North Carolina. It is the
responsibility of all other divisions/units charged with the reporting of institutional
data to ensure that OIPE has a record of the parameters of such reporting and timelines
that OIPE will maintain as part of an inventory updated annually.
- The Chancellor will establish an Information Security and Privacy Committee (ISPC),
that shall report to the Chancellor. The charge of this Committee is to oversee the
implementation of this policy, ensure campus data security and privacy policies and
related standards and procedures are up to date, coordinate the review of campus data
security and privacy, advise the campus with regard to data security and privacy,
and assist the campus with risk assessments, etc. The members of the Committee are:
- Chief Information Officer – Chair
- Chief Information Security Officer
- Chief Privacy Officer
- General Counsel / Chief Compliance Officer or designee
- FERPA Officer
- HIPAA Officer
- GLBA Officers
- Assistant Vice Chancellor Institutional Planning and Effectiveness or designee
- Associate Vice Chancellor of Human Resources or designee
- Internal Auditor or designee
- Director of Research Administration or designee
- Director of Student Financial Aid or designee
- Bursar
- Senior Director of Advancement Services
- Faculty representative (Appointed by the Chancellor in consultation with the Faculty
Senate Chair. Term is 3 years)
- The Chief Privacy Officer and the ISPC are responsible for developing, implementing,
maintaining, and monitoring an organization-wide governance and privacy program in
alignment with the adopted privacy framework, to ensure compliance with all applicable
laws and regulations regarding the processing of personally identifiable information
(PII).
- The Chief Information Security Officer is responsible for overseeing the implementation
of the information security program for the campus in alignment with University Policy
117 Information Security.
V. DATA CATEGORIES
- All enterprise-level data will be assigned to one of the following categories by the
appropriate Data Steward. The categories are not mutually exclusive. Data is to be
handled according to the most sensitive category that it falls within.
- GREEN - Low Sensitivity
- BLUE - Guarded Sensitivity
- YELLOW - Elevated Sensitivity
- ORANGE - High Sensitivity
- RED - Severe Sensitivity
- Definitions of each category and requirements for how data is to be stored and transmitted
are specified in the document Data Handling Procedures Related to the Information Security and Privacy Governance
Policy.
- Classification of data and requirements may change due to changes in laws or contractual
obligations.
- Staff authorized to access or disclose, YELLOW, ORANGE, OR RED data are required to
sign a confidentiality statement upon hire or as directed.
VI. PENALTIES
- Willful inappropriate access to or disclosure of data may result in appropriate disciplinary
action, up to and including dismissal, or legal action being taken.
- Liability for the willful inappropriate access to or disclosure of data may, in certain
circumstances, rest with the individual and not the institution.
VII. REFERENCES
International Standards Organization (ISO/IEC 27002:2022, Clause 5 Organizational
Controls)
International Standards Organization (ISO/IEC 27701:2019, Clause 6 PIMS-specific guidance
related to ISO/IEC 27002)
University Policy 106, “Protecting the Privacy and Security of PII”
University Policy 117, “Information Security”
Data Handling Procedures Related to the Information Security and Privacy Governance
Policy