Information Security Program Committee
Authority: Information Technology
Date Enacted or Revised: N/A
The Information Security Program Committee is responsible for implementing and maintaining the information security program. The committee comprises the chief information technology officer, the director of the Office of University Computing Services, the registrar, the comptroller, the director of the Office of Financial Aid, the Bookstore manager, the director of marketing and ticket operations (Athletics), and the internal auditor. In implementing this program, the committee works closely with relevant academic and administrative organizational units across campus.
The responsibilities of the committee include, but are not limited to:
- Consulting with responsible offices to identify organizational units with access to covered data, ensure all such units are included within the scope of this program, and maintain a current listing of these units.
- Working with all relevant organizational units to identify potential and actual risks to the security and privacy of covered data; evaluate the effectiveness of current safeguards for controlling these risks; design and implement additional required safeguards; and regularly monitor and test the program.
- Working with appropriate organizational units to ensure adequate training and education programs are developed and provided to all employees with access to covered data; ensure existing policies and procedures that provide for the security of covered data are reviewed and adequate; and make recommendations for revisions to policy, or the development of new policy, as appropriate.
- Consulting with responsible organizational units to identify service providers with access to covered data; ensure all such service providers are included within the scope of this program; and maintain a current listing of these service providers.
- Reviewing the information security program, including this and related documents, annually, and adjusting as needed.
- Maintaining a current, written program that is available to the University community.
In carrying out these responsibilities, the committee may require organizational units with substantial access to covered data to develop and implement supplemental information security programs specific to those units, to provide the committee with copies of the program documents, and to designate responsible individuals to carry out activities necessary to implement this information security program.
Further information is found in the Information Security Program Policy.