The Statewide Information Security Manual is the foundation for security and privacy in the state of North Carolina, and is based on industry standards and best practices. The Security Manual provides State agencies with a baseline for managing information security and making risk-based decisions. These policies were developed with the assistance of subject matter experts and peer reviewed by agency representatives using NIST 800-53 revision 4 controls as the framework.

This document should be used when engaging vendors for solutions that are either hosted on State infrastructure or are NOT hosted on State infrastructure, such as cloud services (e.g., Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS)). The VRAR captures the “baseline” security requirements that MUST be addressed by vendors to ensure the security of the State’s data. Agencies may add additional requirements due to Federal or other statutory mandates. Note: There is a separate document for the type of hosted solution!

