April 2020

University Policy on Data Security Breach Protocols

Any University employee or student who becomes aware of a suspected or actual security breach (“breach”) must report the matter immediately by calling the Information Technology Response Center (IT Response Center) at 919-962-HELP (919-445-4357). The IT Response Center is available to field such reports 24 hours a day, 7 days a week. If the breach involves the loss or theft of University-owned equipment, the employee or student must also notify the Department of Public Safety by calling (919) 962-8100.

Previous Tips

Establishing Monitoring Mechanisms for Awards

Office of Sponsored Research 400.03, Procedure 1 – Establishing Departmental Post-Award Monitoring.

Successful award management depends on establishing solid monitoring mechanisms maintained by the department receiving the award. Monitoring is an essential activity throughout the life of the project and is particularly important for financial management. These processes should be established for each award at the receipt of funding. Departments may use the monitoring mechanisms that work best for their department to maintain financial and personnel data for each sponsored project.

Appropriate Documentation for Business Expenses

1263 University of North Carolina at Chapel Hill Policy on University-Related Business Entertainment Expenses
The purpose of this policy is to provide guidance as to the types of expenses that qualify as business expenses under the various fund sources received by the University, the documentation requirements for business expenses, and when business expenses might be taxable.

Safeguarding Personal Information

University of North Carolina at Chapel Hill Policy on Data Security Breach Protocol
In accordance with the Identity Theft Protection Act of 2005, North Carolina General Statutes § 75-60 et seq. and § 132-1.10 of the Public Records Act (together, the “Act”), the University of North Carolina at Chapel Hill (the “University”) is required to safeguard certain information of patients, employees, students, vendors, and other individuals who provide information covered by the Act to the University.  This protocol enables the University to comply with the Act.

Standards of Funding Compliance Include Training

Office of Sponsored Research – 100.02 Operating Standard Guide, Section A Uniform Guidance and Research Compliance Components
This policy by the Office of Sponsored Research emphasizes that the University’s research business must be performed in accordance with all relevant ethical, legal, and regulatory obligations under Federal and State laws. Compliance programs emphasize training, monitoring, auditing and education to ensure the University is accountable for its business. Funds received by the University for research are expected to adhere to uniform administrative and regulatory requirements; training efforts are expected to maintain compliance.

Fraud Awareness

Policy 104 – University of North Carolina at Chapel Hill Policy on Misuse of University Property or Funds.
A University employee who has information or evidence of a misuse of University property or funds is required by North Carolina state law to report the misuse. Misuse includes damage, theft or inappropriate use of property and embezzlement of funds.

Don’t forget: Internal Controls has a Self-Audit Checklist for Business Managers to keep your controls up to par.

Stay In Tune: Keep Your Policy Knowledge Fresh

The UNC-Chapel Hill community is governed by a variety of official policies, procedures and standards which have been developed and implemented at University and Unit levels. All University and Unit policies that currently govern UNC-Chapel Hill can be found at the Policies website. Of these items, the Department of Finance has scripted nearly 150 Policies and Procedures and oversees more than 100 forms that are designed to keep internal controls and processes in place. Although employees are encouraged to frequently check the policy website to make sure their department's processes are current, managers should also systematically review general practices of frequently-used policies with their staff, as well as inform them of changes and updates. For more hints on how to keep your staff in compliance, read this article from HR Insights.

UNC-CH Finance Policy 107: Customer Financial Record Safeguards

In order to protect customer information and data, and to comply with relevant federal laws, the Internal Auditor’s office and OUC propose certain practices regarding the University’s maintenance and safeguard of customer financial information. These practices affect the University areas that interact with such data.

Each University department is responsible for securing customer information in accordance with all privacy guidelines. Additionally, a written security policy and procedure document that details the information security policies and processes is maintained by each relevant area and will be made available to the Coordinators or Internal Auditor’s office upon request.

ITS Information Security Controls Standard – lists the minimum requirements for different technological devices using sensitive information.

UNC-Chapel Hill Information Classification Standard Policy

See Tier 3 and Compliance

Failure to comply with this standard may put University information assets at risk and may have disciplinary consequences for employees, up to and including termination of employment . . . Contractors, vendors, and others who fail to adhere to this standard may face termination of their business relationships with UNC-Chapel Hill. Violation of this standard may also carry the risk of civil or criminal penalties.

Policy 104 – University of North Carolina at Chapel Hill Policy on Misuse of University Property or Funds

It is important for employees to exercise care and sound judgment in the use of University property and funds in order to maintain public trust. A University employee who has information or evidence of a misuse of University property or funds is required by North Carolina state law to report the misuse. Misuse includes damage, theft or inappropriate use of property and embezzlement of funds.

Policy 1212 UNC-CH Policy on Solicitation by Sales Representatives

Unsolicited and/or non-approved solicitations of University business by outside sales representatives are unwarranted and not desired. The University follows the State policy that requires goods and services be obtained from either State term contracts, by competitive bidding, or the small order process for procurements less than $5,000. In order to conduct formal business with the University, a sales representative must first register with the State of North Carolina to participate in the formal bid process. Prospective vendors are required to first make contact with Purchasing Services to gain an understanding of the rules for conducting business with the University before meeting with prospective customers at their campus location.

1252.3 – Procedure on Reconciling a Purchasing Card (P-Card)

Specific Duties of Approver

The Group Approver acts as the approval authority for each P-Card purchase. If, as the Group Approver, you do not understand the charge or have reason to believe that the charge is not proper:

  • Go to the Accountholder for an explanation.
  • Go to the Department Head or Business Manager to verify that the charge was appropriate.
  • Go to Purchasing to verify that the charge is within applicable laws and University policies.
  • Go to Internal Audit if fraud or abuse is suspected.

For more information on the role of the approver, see Procedure 1252.3.