Standard for Security Requirements of Information Systems

I. Purpose

The purpose of this standard is to establish the university’s obligation to ensure that information security is integrally tied to all university information systems throughout the life of any given system including any information systems which provide services over public networks.

II. Scope

It is the responsibility of all information system owners to ensure that security controls are considered for their information systems throughout the lifecycle, from initial planning to service retirement.

III. Contacts

Direct any general questions about this standard to your unit’s Information Security Liaison. If you have specific questions, please contact OneIT Information Security Compliance at ISCompliance-group@uncc.edu.

IV. Standard

Prior to implementation or enhancement

Information security requirements should be included in the considerations for any new information system or for the enhancement of any existing information system. For acquired systems/services, security requirements should be fully addressed in the contract and any risks considered prior to purchase. Information systems that store or process level 2 or level 3 University data must utilize multi-factor authentication via the University’s centrally managed authentication services. In cases where this isn’t feasible, use of the third-party’s multi-factor authentication is allowed. If an information system that stores or processes level 2 or level 3 University data is unable to implement multi-factor authentication, an official exception must be approved by OneIT. For information systems that store or process level 1 or level 0 University data, multi-factor authentication should be utilized, if available.

The following requirements should be addressed:

• User authentication requirements
• Access management
• Authorization processes (for end users and privileged accounts)
• Communicated guidelines regarding user responsibilities when accessing the system
• Protection of any associated data or assets including the availability, confidentiality and integrity of those assets
• Other security control mandates such as required interfaces to logging and monitoring systems

NOTE: The following checklists provide a starting point to review information security related to systems and services:

• Information Security Checklist
• Information Security Checklist for Externally Hosted Services

Services provided via the Internet or other public network

Extra care must be taken to protect information involved in application services which pass over the Internet or other public networks. That care should include protection from fraudulent activity, contract dispute, and unauthorized disclosure or modification.

NOTE: Any application involving payment transactions should be coordinated through the University Bursar’s office and comply with the Payment (Credit/Debit) Card Processing Standard

Protecting application services transactions

Information involved in application service transactions should be protected to prevent incomplete transmission, misrouting, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.

Related Resources

• University Policy 311 Information Security
• Information Security Checklist
• Information Security Checklist for Externally Hosted Services
• Payment (Credit/Debit) Card Processing Standard
• Guideline for Security of Applications
• Guideline for Security of Systems
• ISO/IEC 27002

ISO/IEC 27002 was adopted by The University of North Carolina at Charlotte in 2012. All standards and guidelines are based on this code of practice for Information Security Management.

Revision History

Initially approved by Information Assurance Committee 5/15/15
Updated 4/12/24