Objectives
Published on: June 13, 2018
- The broad purpose of the ISC is to provide guidance to the university in matters of information security in the context of the university’s mission, objectives, and obligations.
- Act as a steering committee for the information security program, including a recommendation for the final resource allocation decisions for the annual security strategy plan.
- As per policy, ensure every academic and non-academic unit is appropriately covered by an information risk management plan.
- Establish and maintain effective lines of accountability, responsibility and authority for protecting information assets. This is typically achieved by reviewing and guiding division-level information risk management plans.
- Establish, ensure and maintain accountability for protecting information resources.
- Regularly review threats to the university’s digital assets and the due diligence around their protection (e.g. risk management plans), and monitor assurance.
- Mediate conflicting risk/security requirements.
- Collaborate with the CISO to undertake information security initiatives and educate the university community on digital security best practices.
- Oversee the development, recommendation and review of procedures, standards and guidelines for the protection of the university’s digital assets.
- Act as a steering committee for projects that require significant business unit involvement (for example, supporting the data access governance decisions required for implementing a data loss prevention capability).
- Track the progress of remediation on risk items (for example, audit report findings and risk register items).
- Review security status metrics reporting, and request new metrics if required.
- Provide input and feedback to internal and external auditors on the type and level of assurance most needed during the corresponding audit cycles.
- Provide a forum for the CISO to guide localized security efforts within individual business units via committee members.
- Act as a mediation or arbitration forum for reconciling conflicting security requirements between different business units.
- Review and approve or reject requests for policy exemptions from business units or projects.
- Charter ad hoc projects to investigate and report back on topics of interest, for example, the security governance implications of cloud computing.
- Establish working groups or sub-committees, as required, to ensure broad consultation on initiatives.