Published on: June 13, 2018

  • The broad purpose of the ISC is to provide guidance to the university in matters of information security in the context of the university's mission, objectives, and obligations.
  • Act as a steering committee for the information security program, including a recommendation for the final resource allocation decisions for the annual security strategy plan.
  • As per policy, ensure every academic and non-academic unit is appropriately covered by an information risk management plan.
  • Establishing and maintaining effective lines of accountability, responsibility and authority for protecting information assets. This is typically achieved by reviewing and guiding division level information risk management plans.
  • Establish, ensure and maintain accountability for protecting information resources.
  • Regularly review threats to, and due diligence around (e.g. risk management plans), the protection of the university's digital assets, and monitor assurance.
  • Mediate conflicting risk/security requirements.
  • Collaborate with the CISO to undertake information security initiatives and educate the university community on digital security best practices.
  • Oversee the development, recommendation and review of procedures, standards and guidelines for the protection of the university’s digital assets.
  • Act as a steering committee for projects that require significant business unit involvement (for example, supporting the data access governance decisions required for implementing a data loss prevention capability).
  • Tracking the progress of remediation on risk items (for example, audit report findings and risk register items).
  • Reviewing security status metrics reporting, and requesting new metrics if required.
  • Providing inputs and feedback to internal and external auditors on the type and level of assurance most needed during corresponding audit cycles.
  • Providing a forum for the CISO to guide localized security efforts within individual business units via committee members.
  • Acting as a mediation or arbitration forum for reconciling conflicting security requirements between different business units.
  • Reviewing and approving or rejecting requests for policy exemptions from business units or projects.
  • Chartering ad hoc projects to investigate and report back on topics of interest, for example, the security governance implications of cloud computing.
  • Establishing working groups/sub-committees, as required, to ensure broad consultation on initiatives.