OIT S&C assures the university meets compliance obligations by conducting assessments, participating on several committees, and serving in several capacities:

• IT Purchase Compliance
• Copyright Compliance
• Annual ISO 27002 Gap Analysis
• Facilitation of IT Audits
• Payment Card Industry Data Security Standards
• NIST 800-171 Compliance Steering Team
• University Compliance Steering Committee

IT Purchase Compliance

The following types of IT purchases must be reviewed by OIT S&C before anyone makes the purchase:

• IT purchases that cost $5,000 or more
• IT purchases that will handle HIPAA or PCI data, regardless of cost

This requirement ensures the IT purchase meets university standards and follows Federal and State regulations or guidelines for security and accessibility.  To be clear, the University Materials Management unit will not process any requisition or execute any software agreement until after OIT reviews and approves the IT purchase request. 

See the IT Purchase Compliance website for details.

OIT S&C Reviews

OIT S&C reviews software purchasing requests from campus, Software as a Service (SaaS), and cloud storage services for the following:

• Data security issues
• Potential data breaches
• Non-compliance with accessibility
• Non-compliance with security standards
• Requirements to integrate the software into enterprise applications

OIT S&C Security Assessments

OIT S&C conducts security assessments for IT purchases that store, transmit, or access university ultra-sensitive (purple) or highly-sensitive data (red). Visit the IT Purchase Compliance website for additional information about this process.

Copyright Compliance

Copyright is a legal right to control the copying, distribution, modification, display, and performance of certain types of works. It applies to text, graphics, video, audio, and many other forms of expression. For more information on how the university handles copyright compliance, visit the copyright website.

DMCA

The Digital Millennium Copyright Act (DMCA) provides safe harbors from copyright infringement liability for online service providers.  Visit the United States Copyright Office’s DMCA Designated Agent Directory website for additional information.

DMCA Designated Agent

An OIT S&C staff member is the university’s DMCA designated agent and, as such, receives notifications of claimed infringement.

Annual ISO 27002 Gap Analysis

Annually, OIT S&C collaborates with the ISAG to lead a review of the gap analysis against ISO 27002, which serves to assess progress towards compliance.  The results are shared via the IT Governance structure and used to prioritize the projects associated with the Cybersecurity Strategic Plan/Roadmap. The results are also shared with the UNC Information Security Council for a peer review — as required by the UNC System Office.

Facilitation of IT Audits

When state, internal, and third-party auditors conduct reviews or audits of central or campus-wide IT systems, OIT S&C assists by managing the exchange of information for all involved parties.  OIT S&C maintains a repository of information from past reviews and audits to facilitate the process for efficiency, accuracy and continuity.

Payment Card Industry
Data Security Standards

Payment Card Industry Data Security Standards (PCI DSS) is an information security standard for organizations that handle branded credit cards for payment.  The university must comply with PCI DSS in order for any unit to accept credit cards for payment.

PCI Compliance Team

OIT S&C jointly leads the PCI Compliance team with the NC State University Controller’s Office.  

Responsibilities:

• Ensure ongoing compliance with PCI DSS.
• Ensure that appropriate training is provided for units who accept credit cards for payment of services.
• Complete Self-Assessment Questionnaires (SAQs) annually for the university.

NIST 800-171

The National Institute of Standards and Technology (NIST) published Special Publication 800-171 (more commonly known as NIST 800-171) as guidance for federal agencies to make sure certain types of federal information are protected when processed, stored and used in information systems. Agencies are beginning to adopt this standard and require their contractors to meet its security framework.

NOTE:  Department of Defense (DoD) has adopted this standard and is requiring all of its contractors and subcontractors to be in compliance.

DoD Contracts

As a DoD contractor, NC State must meet compliance requirements for all DoD research contracts and subcontracts. 

NOTE:  Noncompliance results in a denial of DoD research grants.  

NIST 800-171 Compliance Steering Committee

To ensure the development and maintenance of a secure research environment at NC State, OIT S&C jointly leads the NIST Compliance Steering Committee with NC State Office of Research and Innovation (ORI). 

NIST 800-171 Gap Analysis

The NIST 800-171 Compliance Steering Committee performs a gap analysis to review and evaluate the NIST 800-171 standard against NC State’s current practices to protect regulated data and information.  

University Compliance Steering Committee

To assure compliance with our legal, regulatory, and ethical responsibilities, the Chancellor has charged the University Compliance Steering Committee with the following responsibilities:

• Oversight and promoting excellence for all compliance efforts 
• Approving university ethics, compliance, and training priorities

Sub-working Groups (SWGs)

The Vice Chancellor for IT & CIO is a member of the University Compliance Steering Committee.  As part of its charge, the committee established the following sub-working groups, which are comprised of various subject matter experts to promote areas of compliance:

• University Compliance Officials Working Group (COWG)
• HIPAA Compliance Sub-working Group

University Compliance Officials Working Group (COWG)

The COWG is comprised of officials from across the university who have executive responsibility for key areas of compliance with applicable federal, state, and local laws and regulations.  Members of the COWG include the CISO and the Senior Director for OIT Outreach Communications and Consulting (OCC).

COWG Mission & Service

The COWG mission is to assist the Compliance Steering Committee in promoting a culture of comprehension and adherence to the following:

• Applicable federal, state, and local laws and regulations
• University policies, regulations and rules

The COWG also provides assistance to the campus community:

• Compliance leadership in the university’s academic and administrative units
• Ensures effective communication and collaboration among employees responsible for compliance

HIPAA Compliance Sub-working Group

Members of this working group include the CISO, the Director of Information Security Risk & Assurance (ISRA), and the HIPAA Security Officer.

HIPAA Security Officer

The HIPAA Security Officer is responsible for the development and implementation of policies, procedures, and technical systems that ensure the following at NC State:

• Confidentiality, integrity and availability of electronic Protected Health Information (PHI)

The HIPAA Security Officer is an OIT S&C information security specialist who works closely with the university’s HIPAA Privacy Officer.

HIPAA SWG Responsibilities

This sub-working group is tasked with the following high-level responsibilities:

• Reviewing the landscape of NC State’s current level of compliance with the Health Insurance Portability and Accountability Act (HIPAA)
• Enhancing organizational excellence through a climate of constant improvement surrounding HIPAA-compliance operations

HIPAA SWG Tasks

Specific HIPAA SWG tasks include the following:

• Perform Security Risk Assessments Annually:  Identify risks and vulnerabilities to electronic Protected Health Information (ePHI)
• Recommend appropriate updates to NC State REG 01.25.09 — Privacy/Confidentiality, Release and Security of Protected Health Information
• Review and update training content and activity
• Perform compliance reviews for all university Health Care components
• Report and field HIPAA compliance complaints
• Develop protocols related to receipt, storage, and distribution of PHI and electronic PHI (ePHI):
  • Institutional Review Board (IRB)
  • Research datasets
  • Business Associate Agreements (BAA)
  • Clinics
  • Memorandums of Understanding (MOUs)
  • American Disabilities Act (ADA) documentation
  • Occupational Safety and Health Administration (OSHA) documentation
  • Family Medical Leave Act (FMLA) forms
  • Workers Compensation
• Identify accounts or units authorized to maintain electronic PHI (and related workflows) for the following:
  • New units 
  • Accounts requesting permission to maintain electronic PHI

Next Page

Home	Previous	Next
Information Security Program at NC State	Cybersecurity Services at NC State	Policies, Regulations & Rules (PRRs)