Services
Identity and Access Management
System Access Removal for Separating Employees
See System Access Removal for Separating Employees for details on how to securely manage access to employee data.
System Access Request (SAR)
Visit the SAR Overview for details about SAR, which is a web application that automates the approval process for granting and revoking employee access to HR data, Student Information System (SIS) data, Financial data, and Document Management data — as well as other data systems at NC State.
Secure Computing
Data Discovery and Protection
The Data Discovery and Protection (DDP) program is a campus-wide data management initiative to safeguard all university data. Visit the Data Discovery and Protection web page for details.
Data Encryption
This service offers guidance with data-encryption solutions to protect university data.
Data Removal
Visit Secure Data Removal at NC State for details on how to remove data from devices before surplussing them.
Log Management and Event Correlation
This service includes the management and maintenance of a central repository for the investigation and analysis of security events. After collecting and correlating events from multiple sources, the results are shared to help identify, resolve, and prevent incidents.
Multifactor Authentication
Multifactor Authentication (MFA) adds a critical layer of security when a user logs into an account. With the MFA service, the user must meet one of the following authentication requirements in addition to entering a unique passphrase:
- USB security key
- Security code (delivered to a mobile device via text or mobile app)
- Backup code
The MFA service includes the following:
- Technical security implementation and support
- Alert investigation, remediation, and notification
Network Security Monitoring
This service monitors the university network with packet brokers, aggregating data from all network devices to send to analysis tools.
Password Vault Management
This service manages and supports the university’s password-vault utility for the system administrators and staff across campus who are supported by the central license.
SSL Certificate Management
This service includes the reviews and certificates required for Secure Sockets Layer (SSL) applications. Visit the Applying for SSL Certificates web page for details.
Vulnerability Scanning and Penetration Testing
This service includes implementation and support for scanning and penetration testing, investigation, remediation, and notification associated with identified alerts. Visit the Tenable.io at NC State web page for details.
Web Application Security Testing
This service helps NC State development teams assess the security of their web applications and reduce associated security risks. In addition to empowering developers to identify and fix the most critical security issues, this service provides guidance regarding web-application security concepts and best practices.
Security Consulting and Education
Data Management
This service provides ongoing assistance in collaboration with data trustees, stewards, and custodians to align data classification and protection requirements with:
- Current threats
- Legal and university requirements
General Security Consultation, Security Architecture, and Review
This service provides the ongoing protection of sensitive university data and other digital assets by offering the following:
- Consultation, guidance, and ad hoc support to maintain security best practices throughout system life cycles
- Security requirements and design criteria for university initiatives
IT Risk Management
This service provides the following support:
- Continuous IT risk identification, ranking, and mitigation recommendations
- Security assessments to identify and reduce risks, particularly for non-IT organizations
- Continuous third-party application security assessments to ensure product security meets university requirements
- Planning and facilitation of activities necessary for the university to evaluate and resolve IT, data, and risk issues
- Consulting services to help secure data with integration of business processes
Security Awareness and Training
This service includes the following for students, faculty, staff, and all university stakeholders:
- Development and delivery of effective security awareness and training
- Development and facilitation of workshops and customized training
- Coordination of training associated with university-related security certifications to document and demonstrate compliance with mandated policy, regulations, rules, and standards
- Security awareness training for students, faculty, and staff referred by university stakeholders — for example, schools, departments, Principal Investigators (PIs), Internal Audit, Institutional Review Board (IRB), and so forth
Data Security Training
This online Data Security Training module is required annually for all university employees, including student employees. This training module focuses on cybersecurity awareness topics that are critical to the university, including phishing, Two-Factor Authentication (2FA), and mobile device security.
HIPAA Training
The HIPAA Privacy and Security Rules training encompasses a hybrid of all campus-relevant, HIPAA-covered components; required annually.
Targeted Training
Data Management Regulation and Data Sensitivity training: University data trustees, stewards, managers, custodians, and all users of sensitive-data environments are required to complete targeted training based on their roles and responsibilities. This training is provided to those who must access sensitive data; required before access can be granted.
Ad Hoc Training
OIT S&C provides training on a variety of security topics based on customer needs.
Cybersecurity Liaison Team
This service provides management and coordination of the Cybersecurity Liaison Team.
Security Incident Response and Investigation
Digital Forensics
This service provides the following:
- System forensics analysis, data acquisition, and incident response
- System data retrieval in response to requests from law enforcement, litigation holds, and sysadmins — to assist in root-cause analysis
Security Incident and Response
This service includes incident response management, notification, and tracking for information security issues such as the following:
- Potential unauthorized disclosure or alteration of:
  - University data not routinely made available to the general public; for example, employee evaluations
  - Data the university is bound legally or contractually to protect; for example, social security numbers, credit card numbers, and certain research data
- Loss or theft of electronic storage devices or media containing:
  - University data not made available to the general public routinely
  - Data the university is bound legally or contractually to protect
- Content in a university web page, through pop-up or direct access:
  - Advertising for a non-educational commercial product; for example, an online pharmacy
  - Pornographic material
- Distribution of viruses or malicious software from a computer on the NC State University network
Security Support
This service supports campus organizations that require system access higher than what is available to their users.
Examples: Litigation Hold retrievals, employee separation support, answering general security questions, and so forth.
Security Policy and Compliance
Access Reviews
This service provides assistance with annual access certification for enterprise systems.
Internal and External OIT Audit Coordination
This service facilitates:
- Internal and external IT audits involving OIT
- Corrective actions (and monitors their effectiveness)
Litigation Holds/eDiscovery Coordination
Electronic discovery, aka e-discovery, is the process of “retrieving, saving and producing electronically stored information in anticipation of and during litigation.”
In 2006, the Federal Rules of Civil Procedure were amended to include the preservation and production of Electronically Stored Information (ESI) — stating that ESI may be stored on PDAs, laptops, office computers, and portable media (such as USB drives, CDs, DVDs, and so forth).
Failure to comply with the requirements for producing ESI may subject the university to serious sanctions.
Research Data Security Consultation & Evaluation
In response to PI or ORI requests for security-requirement reviews of special contracts or grants, this service includes negotiation of terms and assessment of NC State’s ability to comply.
Security Compliance Program Development, Management & Continuous Assessment
To ensure compliance with university policies and state and federal requirements, this service provides continuous activities:
- Assessment of university infrastructure, systems, and services for compliance with ISO 27002, GLBA, Red Flags, NIST 800-171, PCI DSS, HIPAA, and so forth
- Annual ISO 27002 compliance gap analysis for the UNC System security peer-review program
- PCI compliance assessment and validation activities
- HIPAA compliance program management to ensure protection of PHI data
- NIST 800-171 compliance program management to ensure protection of Controlled Unclassified Information (CUI)
- Higher Education Opportunity Act (HEOA) compliance program management to ensure effective responses to potential violations of the Digital Millennium Copyright Act (DMCA)
- PowerAmerica Security and Compliance Program (PA SCP) management to ensure that PowerAmerica data on campus (and also on external member locations) are protected as required by the PA SCP
Security Policy, Regulations, Rules (PRRs) and SOP Development
To ensure alignment with university business needs, the evolving threat landscape, and compliance requirements, this service provides the development and maintenance of information security Policies, Regulations, Rules (PRRs) and SOPs.
Software Licensing
IT Purchase Compliance Management
The IT Purchase Compliance requirement applies to all IT purchases of $5,000 or more and all HIPAA- and PCI-related purchases regardless of cost. This includes new IT purchases as well as maintenance and support renewals for IT purchases made previously. This service manages the overall process to ensure that security, accessibility and integration reviews occur on campus software purchases greater than $5,000.
IT purchases include software and more:
- Software applications and operating systems
- Web-based applications (SaaS)
- Cloud-hosting services
- Products that process electronic payments
- Network and storage solutions (for example, Load Balancer, IP management, VPN, storage platform, and so forth)
- Integrated hardware such as endpoints connected to special purpose devices (for example, microscopes)
License Risk Assessment
This service includes the following:
- Clickwrap Agreement Risk Assessment — Conduct risk assessments on clickwrap agreements before users accept licensing terms. This service ensures the terms meet university and State standards.
- Non-Negotiable Hard Copy License Review and Risk Assessment — For those agreements at an impasse between Contracts Management and the vendor, agreements are reviewed and risk assessments are generated for colleges and departments to accept risk instead of the university.