1. Policy and Purpose

1.1. It is the policy of East Carolina University that Employees shall protect University Information from unauthorized and/or unlawful access, use, disclosure, destruction, and/or loss.

1.2. This Regulation defines Employee and Administrative Head responsibility for Information Security and establishes an administrative structure that facilitates the protection of University Information in accordance with all applicable laws, regulations, contractual requirements, and university policies and standards.

2. Scope

2.1. This Regulation applies to all Employees.

3. Definitions

3.1. Administrative Head: The administrative director of a university department, such as an academic department chair, an administrative department director, or a college dean. Administrative Heads manage departmental operations and direct the use of departmental resources.

3.2. Employee: A person employed by the University or who serves as a university volunteer. This includes anyone performing work on behalf of the University, such as staff and faculty members, student workers, contractors, and volunteers.

3.3. Information Security: The protection of information from unauthorized and/or unlawful access, use, destruction, and/or loss. Information Security is a business process for achieving university objectives, such as protecting the privacy rights of individuals; ensuring the availability of University Information and IT resources; and complying with federal regulations, state laws and contractual obligations.

3.4. University Information: Information in any form (e.g., electronic, printed or spoken) that is collected, created, stored, distributed or otherwise used by Employees in the course and scope of their employment or volunteer responsibilities, respectively, for any university purpose, including, but not limited to teaching, research, and service.

4. Guiding Principles

4.1. Information is a strategic university asset. University Information is a valuable asset upon which the University depends to achieve its strategic objectives, carry out its mission and fulfill its commitments to stakeholders. Consequently, University Information must be managed and protected in the same basic manner as other strategic assets (e.g., financial and physical assets).

4.2. Every employee is responsible for Information Security. Information Security is far more about people than technology. Information technology is simply a tool that helps us do things better and faster, but cannot by itself protect University Information from misuse and loss. Consequently, all Employees are responsible for protecting the University Information in their care.

4.3. Information Security is an essential business function of every department. Administrative Heads shall ensure that University Information and IT systems within their respective departments are used appropriately and are adequately protected, just as they do for other institutional assets. While IT support personnel may assist this effort by providing technical advice and solutions, many Information Security safeguards can only be taken by Employees while handling University Information and using IT systems.

5. Employee and Management Responsibilities

5.1. Employees: Employees shall take reasonable precautions to protect University Information from unauthorized and/or unlawful access, use, disclosure, destruction, and/or loss.

5.1.1. Employees shall adhere to all Information Security requirements that are relevant to their assigned roles and responsibilities. This includes federal regulations, state laws, contractual requirements, university policies and ECU Information Security Best Practices and Standards.

5.1.2. Employees shall complete university designated information security training within 30 days of employment and university designated refresher training at least once every two years.

5.2. Administrative Heads: Administrative Heads are responsible for ensuring the security of all University Information as it is collected, created, accessed, distributed or otherwise handled by their respective departments, as well as of the security of IT systems and services provided or managed by their respective departments.

5.2.1. Administrative Heads shall ensure their employees are aware of their Information Security responsibilities and adhere to all applicable regulations, laws, contractual requirements, university policies and ECU Information Security Best Practices and Standards.

5.3. Chief Information Security Officer (CISO): The Chief Information Security Officer shall manage the University Information Security Program, a collection of enterprise rules, standards and guidance. The development, adoption and publication of enterprise rules shall adhere to the university Policies, Regulations, and Rules (PRRs) framework and associated processes.

5.3.1. The CISO shall develop and maintain university rules and standards that guide and support departmental management of Information Security.

5.3.2. The CISO shall manage the University Employee Awareness Program to promote university-wide awareness of essential employee responsibilities and basic best practices for Information Security. Upon request, the CISO shall provide guidance to Administrative Heads on supplementing the University Employee Awareness Program to address department-specific needs for employee awareness and training.

5.3.3. The CISO shall coordinate the University Information Risk Management Program and advise university and departmental leadership on the identification and management of risks associated with the handling of University Information and the use of IT systems and services.

5.3.4. The CISO shall coordinate the activities of the University Security Incident Response Team (SIRT), which oversees the University’s response to Information Security incidents. The SIRT assesses risks to individual privacy, facilitates and/or manages data breach notifications, and coordinates its activities with university compliance offices where appropriate.

6. Violations

6.1. Violation of this Regulation may result in disciplinary action being taken in accordance with applicable university policy.