OIT issues new regulation to define security standards for sensitive data and systems

As part of ongoing efforts to defend the university network from actors with malicious intent, on March 25, OIT issued a new regulation that defines the security standards required to protect sensitive university data and systems. The new regulation seeks to arm data stewards, data custodians and IT administrators with the information necessary to secure their systems and data in a manner consistent with well-known industry standards. The regulation will also help these stakeholders comply with university policies and with state, federal and industry security requirements, such as:

  • International Organization for Standardization and the International Electrotechnical Commission (ISO/IEC) 27002
  • National Institute of Standards and Technology (NIST) Special Publication 800-53
  • Payment Card Industry Data Security Standard (PCI DSS)
  • Health Insurance Portability and Accountability Act (HIPAA)

Regulation 08.00.16 – NC State University Security Standards for Sensitive Data and Systems applies to all computer systems and associated infrastructure devices, facilities and people who support the storage, processing or transmission of sensitive data.

The regulation outlines security standards for:

  • Identification and authentication to access systems and data
  • Acceptable technology use
  • Physical security
  • Configuration management
  • Software development lifecycle
  • Media protection
  • Audit and accountability
  • Contingency planning
  • External service providers
  • Wireless usage
  • Encryption
  • Enforcement

System administrators and data stewards, data custodians or their delegates are encouraged to begin implementing controls immediately to ensure compliance with this standard where possible. However, multiple operational changes, processes and tools need to be identified and implemented to support overall university compliance. As such, OIT Security and Compliance (S&C) will develop an implementation timeline for this standard by Dec. 31, 2016, and communicate it to the appropriate stakeholders. All credit-card-related systems are expected to be fully compliant with the standard by May 2016.

Following the development of the implementation plan, the necessary processes and tools to support university-wide compliance will be identified and implemented accordingly.

If you have any questions or concerns regarding the application of the standard to your environment, please contact S&C at oit_security@ncsu.edu.

S&C also recognizes that the standards may be applied to different environments in different ways. Consequently, an exceptions process has been included in the regulation to address these situations.

For additional information, see the RUL 08.00.16 – NC State University Security Standards for Sensitive Data and Systems Web page.