Information Security Consulting & Support

Service Description

The Enterprise Security and Risk Management Office offers information security consulting and support services to help state agencies safeguard citizens' data and meet the requirements of the security standards legislation (N.C.G.S. 143B-1376-1378) and other legal and regulatory requirements.

Services Provided

Service Details
Security consulting
  • Provide supporting analysis to help agencies resolve information technology risks, threats and vulnerabilities and to implement adequate risk mitigation measures
  • Provide consultation to help agencies respond to audit and/or security assessment findings
Security manual development and ongoing review of statewide policeis, standards and procedures
  • Provide security framework and manual
  • Assist agency with understanding and interpreting statewide security policies and standards and legal and regulatory requirements
Security training and awareness activities and materials
  • Provide security training and awareness events for state agencies
  • Coordinate purchase and distribution of security training and awareness materials for use in state agencies
Coordination of required agency security liaison support role
  • Coordinate background checks for agency security liaisons
  • Maintain agency security contact information
  • Notify agency security contacts of statewide and agency security matters
Review of statewide and agency projects/initiatives for adequate information security risk mitigation provisions
  • Coordinate background checks for agency security liaisons
  • Maintain agency security contact information
  • Notify agency security contacts of statewide and agency security matters
Enterprise purchasing contracts for security related components
  • Research and evaluate security technologies to identify strategic enterprise approaches for the deployment of security technologies that permit the state to benefit from standardization and economies of scale
  • Strategic planning for statewide security needs


  • Use of a standards-based approach to security and risk management
  • Increased understanding and awareness of information security matters that will improve an agency's security posture
  • Active participation in the integration of agency-level and state-level security processes

Hours of Availability

  • The services are available from 7 a.m. to 6 p.m., Monday through Friday, except for holidays.
  • On-call staffing is available for emergencies and after-hours scheduled work.
  • In the event the agency seeks vulnerability or port scanning, the scanning activity will be conducted within the customer's maintenance window unless other arrangements are made.
  • Emergency maintenance windows will be handled using the urgent change process.

Customer Responsibilities

Business Continuity and Disaster Recovery Plans

  • Identify critical agency business systems and applications.
  • Implement agency data classification, retention and handling measures based on legal and regulatory requirements as required by statute.
  • Follow appropriate incident reporting procedures, including cybersecurity incident reporting, as required by statute.
  • Follow standard processes and procedures for cybersecurity incident reporting.
  • Request and schedule special services (e.g., installation of new equipment, after-hours support) well in advance of required date.
  • Be aware of and comply with the security standards, policies and procedures established by the state chief information officer, as well as N.C. Department of Information Technology policies for NCDIT-provided services, such as email and network.
  • Be available to provide critical information to assist in the resolution of cyber incidents.
  • Provide agency staff to support, advise and assist with agency information security matters.
  • Assess, manage and mitigate agency information security risk.
  • Define and implement appropriate agency internal security policies, standards and procedures.
  • Provide security training to agency staff.
  • Define and implement agency internal information security incident plans and procedures and integrate with the statewide cybersecurity incident plan.
  • Provide internal agency security incident response oversight.
  • Develop and follow agency-level project plans to implement agency level security.

How Do We Charge?

The Enterprise Security and Risk Management Office does not currently charge for this service.

Request Any Service

Contact the NCDIT Service Desk:
Phone: 919-754-6000 or 1-800-722-3946
Or file a service ticket in the NCDIT Service Portal.