State IT Policies

Statewide IT policies protect the privacy of North Carolinians. By setting rules for state agencies to follow in handling and managing data, the policies protect the security and integrity of citizens’ personal and confidential information, such as Social Security and driver’s license numbers.

Policies also regulate state employees' use of the internet and other IT resources.

Article 3D of N.C. General Statutes Chapter 147 gives the state chief information officer broad authority to adopt policies as well as other technical and security standards for information technology.

Security Policies & Forms

• State Adoption of NIST Risk Management Framework 
• Statewide Information Security Manual (UPDATED: March 2020)
  • 2020 SISM Update Memo
  • 2020 SISM Updates List
  • NIST 800-53 Security Controls Crosswalk (July 6, 2018)
• Statewide Glossary of Information Technology Terms (May 2020) (UPDATED: May 2020)
• Statewide Data Classification and Handling Policy (Feb. 2016)
• Statewide Acceptable Use Policy (January 2020)
• Securing Multifunctional Devices (MFDs) and Network Printers Memo (Feb.11, 2015) 
• 2018 Continuous Monitoring Plan Memo (June 1, 2018) 
• 2018 Continuous Monitoring Plan - Annual Assessment & Compliance Report Template (June 1, 2018)
• 2016 Continuous Monitoring Plan Memo (Jan. 27, 2016) 
• Corrective Action Plan (CAP) and Instructions
• Secure Cloud Storage, File Sharing and Collaboration Memo (Jan. 4, 2017) 
• Secure Cloud Storage, File Sharing and Collaboration - Phase II Memo (Feb. 15, 2018) 
• Mandatory HTTPS for Public Sites Memo (March 8, 2018) 
• Statewide International Travel Policy
• Vendor Readiness Assessment Report (VRAR)
• Cloud Vendor Exception Workflow
• ESRMO Forensic Request Form

Annual Security Training

• IRS Security Training for Department of IT Employees and Contractors

• IRS Security Training Confirmation Form for Department of IT Contractors 

Procurement

• IT Procurement Rules

• IT Procurement Policies and Procedures

All Policy Documents