Information Security Consulting & Support

Service Description

The Enterprise Security and Risk Management Office offers information security consulting and support services to help state agencies safeguard citizens' data and meet the requirements of the security standards legislation (N.C.G.S. 143B-1376-1378) and other legal and regulatory requirements.

Services Provided and Service Details

Security consulting
- Provide supporting analysis to help agencies resolve information technology risks, threats and vulnerabilities and to implement adequate risk mitigation measures
- Provide consultation to help agencies respond to audit and/or security assessment findings

Security manual development and ongoing review of statewide policies, standards and procedures
- Provide security framework and manual
- Assist agency with understanding and interpreting statewide security policies and standards and legal and regulatory requirements

Security training and awareness activities and materials
- Provide security training and awareness events for state agencies
- Coordinate purchase and distribution of security training and awareness materials for use in state agencies

Coordination of required agency security liaison support role
- Coordinate background checks for agency security liaisons
- Maintain agency security contact information
- Notify agency security contacts of statewide and agency security matters

Review of statewide and agency projects/initiatives for adequate information security risk mitigation provisions
- Coordinate background checks for agency security liaisons
- Maintain agency security contact information
- Notify agency security contacts of statewide and agency security matters

Enterprise purchasing contracts for security related components
- Research and evaluate security technologies to identify strategic enterprise approaches for the deployment of security technologies that permit the state to benefit from standardization and economies of scale

Strategic planning for statewide security needs

Benefits

- Use of a standards-based approach to security and risk management
- Increased understanding and awareness of information security matters that will improve an agency's security posture
- Active participation in the integration of agency-level and state-level security processes

Hours of Availability

The services are available from 7 a.m. to 6 p.m., Monday through Friday, except for holidays. On-call staffing is available for emergencies and after-hours scheduled work.

In the event the agency seeks vulnerability or port scanning, the scanning activity will be conducted within the customer's maintenance window unless other arrangements are made. Emergency maintenance windows will be handled using the urgent change process.

Customer Responsibilities

- Business Continuity and Disaster Recovery Plans
- Identify critical agency business systems and applications.
- Implement agency data classification, retention and handling measures based on legal and regulatory requirements as required by statute.
- Follow appropriate incident reporting procedures, including cybersecurity incident reporting, as required by statute.
- Follow standard processes and procedures for cybersecurity incident reporting.
- Request and schedule special services (e.g., installation of new equipment, after-hours support) well in advance of required date.
- Be aware of and comply with the security standards, policies and procedures established by the state chief information officer, as well as N.C. Department of Information Technology policies for NC DIT-provided services, such as email and network.
- Be available to provide critical information to assist in the resolution of cyber incidents.
- Provide agency staff to support, advise and assist with agency information security matters.
- Assess, manage and mitigate agency information security risk.
- Define and implement appropriate agency internal security policies, standards and procedures.
- Provide security training to agency staff.
- Define and implement agency internal information security incident plans and procedures and integrate with the statewide cybersecurity incident plan.
- Provide internal agency security incident response oversight.
- Develop and follow agency-level project plans to implement agency level security.

How Do We Charge?

The Enterprise Security and Risk Management Office does not currently charge for this service.

Request Any Service

Contact the NC DIT Service Desk:
Phone: 919-754-6000 or 1-800-722-3946
Or file a service ticket in the NCDIT Service Portal.