Defending North Carolina's IT Assets

In the digital world, we are continuously vulnerable to cybercrime and security threats that harm citizens, institutions, businesses and the economy.


The state chief information officer is responsible for securing North Carolina’s information assets, including data and the supporting infrastructure.

The N.C. Department of Information Technology’s Enterprise Security and Risk Management Office, or ESRMO, supports the state CIO by providing leadership in the development, delivery and maintenance of a cybersecurity program that safeguards the North Carolina’s information and supporting infrastructure against unauthorized use, disclosure, modification, damage or loss.

This comprehensive statewide cybersecurity program encompasses:

  • Information security implementation
  • Monitoring
  • Threat and vulnerability management
  • Cyber incident management
  • Enterprise business continuity management

ESRMO works with executive branch agencies to help them comply with requirements that include:

  • Legal and regulatory requirements
  • Statewide technical architecture
  • Industry best practices

It also works with state agencies, federal and local governments, citizens and private-sector businesses to help manage risk to support secure and sustainable information technology services to meet the needs of North Carolina’s citizens.


Objective Description
Protect the confidentiality, integrity and availability of North Carolina residents’ data.
  • Ensure data is classified and retained, according to state law.
  • Ensure data is encrypted, when appropriate.
  • Ensure data is not compromised.
  • Ensure data is available when required by citizens, agencies or application.
Promote a safe and secure information technology operations environment.
  • Coordinate incident response between interested parties.
  • Manage the statewide program of threat and vulnerability management.
  • Disseminate information about protective measures for security and business continuity threats.
  • Provide training to North Carolina employees in cybersecurity, risk, compliance and business continuity.
  • Help create and sustain information security and risk management awareness programs.
Coordinate information sharing and communication.
  • Work with agencies to disperse information about risks and security incidents.
  • Work with state, local and federal agencies, as required.
  • Advise on risk management and security for statewide information technology projects.
  • Coordinate statewide security and risk management communication.
Identify and provide guidance on business continuity planning.
  • Assist with and consult on business continuity risk management, business continuity, disaster recovery and continuity of operations plans.
  • Facilitate and coordinate audits and assessments of IT infrastructure.
  • Support enterprise business continuity management.
  • Provide reasonable assurance that continuity of operations and continuity of government objectives are being achieved.