2024 UNC CAUSE

In the IT Governance Program Charter that was issued by the UNC System President in January of 2021 it states the following: "In addition to addressing privacy as referenced in the most recent version of ISO 27002, each UNC institution will leverage its IT risk management approach in partnership with the institution's compliance function to determine the appropriate privacy policies to implement and the frequency of privacy risk assessments." Based on this document and other external pressures that are mounting in the privacy landscape, WCU contracted with a vendor to conduct our first ever privacy maturity assessment. From that assessment WCU leadership chose to make an organizational change that allowed for the CISO to create a privacy program to address many of the weaknesses that were identified. In this presentation I will discuss the vendor's assessment process and results, the steps taken to establish information privacy governance at WCU, the privacy framework we chose to use, the overlap of security and privacy including why and how privacy can live in IT, what does a functioning privacy program look like, and what privacy controls we have chosen to not address at this time.