Frequently Asked Questions
If you have a new kind of use for SSN (a new form, putting it in a new system, using it for a new purpose), you need a review. If you’ve already had a review but something important about the use has changed, you need to bring it back for another look. Examples of such changes include moving the system it’s in from on-premises to a cloud application, or storing it longer. You can learn more about SSN review on the Process for New or Changing How Social Security Numbers Are Used webpage.
You need an IT Security Risk Assessment if:
- you have a new in-house or vendor-supplied application or IT service that is either “mission critical” to your unit, or will have any potential contact with Tier 2 or 3 information (you will also need a DGOG review).
- anything important changes with that application or system, such as moving to a new architecture (for example, from on-premises to the cloud).
- the data changes tier, for example adding new Tier 2 information when it was only Tier 0 or 1, or adding Tier 3 when it was only Tier 0-2 before.
- you’re adding a new kind of interface – maybe it was only available to logged-in staff, but now you’re adding a public web interface.
- you’re adding a new class of users, for example it was only staff, but now students will use it as well.
If you need an IT Security Risk Assessment, you also need a DGOG review (and a single DGOG request will get you both!). If you’re doing something new with SSN, you need a DGOG review. If you’re not sure what Tier something is, ask us! If you’re not sure whether you need a DGOG review, ask us!
Data Governance is about making sure that data is used in ways that are legal, appropriate, and that don’t create unnecessary risk for people (personal information) or the University. You need to do this because most people aren’t experts in those things. There are so many laws, and so many ways that information can be used to hurt people, that the University provides a set of experts who can help you figure it all out. You need to do this because you don’t want to be going along doing your work and find that you’ve committed a crime you didn’t even know about, or exposed data that puts people at risk, or caused an embarrassing data breach that causes people to lose trust and respect for UNC.
Assume your data is Tier 2 unless you have some reason to believe it’s something else. Use the Information Classification Standard to see what “else” it might be. These are some informal ways to think about it. Data depends on context, though, so something that is Tier 1 most of the time might be Tier 2 or even 3 in context! (For example, a person’s name isn’t sensitive… but if it’s on a list of patients in your genital warts clinic, it sure is.) This is complicated. Don’t hesitate to ask an expert. DGOG is available to give guidance. We love to be asked!