1. Compliance with Legal and Contractual Requirements
    1. To avoid breaches of any criminal and civil law, statutory or State regulatory or contractual obligations, and security requirements, the design, operation, use and management of information systems may be subject to statutory, regulatory and contractual security requirements. Advice on specific legal or University of North Carolina System requirements will be provided by Winston-Salem State University’s (WSSU) Office of Legal Affairs.
    2. Laws and standards include, but are not limited to, the following: Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), North Carolina Identity Theft Statute, North Carolina Security Breach Notification Law, Payment Card Industry Data Security Standards, Digital Millenium Copyright Act, and intellectual copyright laws.
    3. All users of information and information resources of WSSU including faculty, staff, students, guests, contractors, consultants, and vendors shall acknowledge and accept their responsibilities for information security.
  2.  Information security reviews

    WSSU supervisors will ensure that all security processes and procedures within their areas or information systems under their control and responsibility are followed. In addition, all business units will be subject to regular reviews to ensure compliance with security policies and standards.
  3. Security Exceptions

    The Information Security Manager with the approval of the institution of higher education head or his or her designated representative may issue exceptions to information security requirements or controls. The Information Security Officer will coordinate exceptions and compensating controls with information and service owners. Any such exceptions shall be justified, documented, and communicated as part of the risk assessment process.
  4. Sanctions for Violations

    Penalties for violating the requirements of the Information Technology Security Program Policy & Standards include but are not limited to disciplinary action, loss of access and usage, termination, prosecution, and/or civil action.