ITSAC – Security & Compliance (ITSAC-SC)

Focus

The Security & Compliance Subcommittee is focused on acting as a steering committee for security and compliance related services issues with a charge to:

  • Make policy and operational recommendations to the Information Technology Strategic Advisory Committee (ITSAC) and technical and technology recommendations to the Campus IT Directors (CITD) Committee.
  • Recommend solutions related to establishing and monitoring university-wide security policies, regulations, guidelines, standards, and priorities and performing other duties as assigned.
  • Identify and assess university security, privacy and compliance needs and assist with their development and implementation.
  • Work with the Office of Information Technology (OIT), the ITSAC, the CITD and other governance subgroups to review progress on security initiatives, to provide feedback, to make recommendations, and to serve as a forum for communication with the campus community at large.
  • Serve as a touch-point, at both the strategic and tactical levels, to ensure that the actions of one information technology organization will not have unnecessarily adverse impacts on another.

View the operational pages for this subcommittee: Team, Meetings, Documents.

Scope

The Security & Compliance Subcommittee is charged with making recommendations for the following areas:

  • Business Continuity and IT Disaster Recovery.  This area relates to the policies, processes and technologies that address the university’s ability to recover from disastrous events and be able to continue business with minimum impact. One example of this area would include development of university templates for department level business continuity and disaster recovery plans.
  • Risk Management. This area covers university risks related to information technology assets and data. Risk is considered from many different angles including financial, reputation, and compliance. This area sets the tone for identification of university assets, and the potential for exploitation of associated vulnerabilities or weaknesses, to foster proactive mitigation steps. One example would be development of policies for university-wide IT risk management.
  • Security Policies/Procedures. This area addresses all policies, regulations and rules relating to university IT. One example would be the development of policies for acceptable security of “red hot” or “extremely sensitive” data on campus. Another example would be the development of procedures for the full life cycle of security incidents – occurrence/detection, diagnosis, repair/recovery, remediation, closure, etc.
  • Compliance. This area addresses compliance with security provisions in acts, regulations and agreements. It also addresses adherence to accessibility compliance mandates. Examples would include development and/or maintenance of compliance regulations and procedures relating to research data, the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS). Another example would be to review proposed online services to ensure that security and other features do not conflict with accessibility measures.
  • Identity and Access Management Policy (IAM-Policy). Focus on the coordination and implementation of policy for identity management services adhering to the guidance put forth by this subcommittee in a consistent and sustainable fashion. 
  • Security Technology. This area incorporates topics relating to current and future security technologies used for protecting university computers, networks, applications and data. This area will predominantly investigate new technologies and guide procedure development for effective integration into the university environment. For example, this area may include consideration for university-wide mobile device encryption.
  • Training & Awareness. This area addresses the need for sufficient and timely training and awareness activities for the university community. For example, regulations and procedures may be developed for mandatory training and awareness, particularly for university faculty and staff.

Membership

The Security & Compliance Subcommittee is comprised of:

  • Office of Information Technology-OIT (2 members: 1 from OIT Security & Compliance, 1 appointed by OIT leadership)
  • University staff with domain knowledge of Advancement, Foundations, and Alumni (1 member)
  • Office of Research, Innovation & Economic Development (1 member)
  • Office of General Counsel (1 member)
  • Environmental Health and Public Safety (2 members: 1 Security Applications Technology Representative, 1 Environmental Health Representative)
  • Finance and Business (2 members: 1 Financial Systems Representative, 1 HR Systems Representative)
  • Enrollment Management and Services-EMAS (1 member)
  • Colleges (1 member nominated and appointed by the Campus Information Technology Directors-CITD)
  • NCSU Libraries (1 member)
  • The chairs of the subcommittee’s working groups
  • Internal Audit (1 non-voting member) 

The subcommittee representative from Internal Audit will be a non-voting member.  The chairs of the subcommittee’s working groups are nominated and appointed by the Security & Compliance subcommittee for a term of at least two years.  All other members will serve on a permanent basis as nominated by the senior management of their constituencies.

The subcommittee may appoint additional members as needed with appropriate approval. Additional members will serve up to one-year terms from the time of their appointments. Each additional member’s term is reviewed at the end of the academic year.

All members recommended to serve on this subcommittee will be approved by the VCIT.

This subcommittee has subgroups, whose membership is described in the Subgroups section.

Structure

The Security & Compliance Subcommittee appoints a chair, a chair-elect, and a secretary each academic year.

  • Chair – With appropriate approval, the subcommittee selects its own chair from its membership each academic year. The chair both calls and sets the agendas for subcommittee meetings. The chair leads subcommittee meetings, adhering to meeting management best practices, and maintains the committee’s forward momentum. With approval of the subcommittee, the chair may create ongoing subgroups using the Governance Entity Definitions section to name the subgroups; each subgroup should be chaired by a member of the subcommittee, but may include members who are not on the subcommittee. The chair serves a one-year term.
  • Chair-elect – The subcommittee appoints one of its members as chair-elect each academic year. With appropriate approval, the chair-elect will chair the committee in the following year. The chair-elect serves as a proxy in the chair’s absence. The chair-elect serves a one-year term.
  • Secretary – The subcommittee appoints one of its members as secretary each academic year. The secretary (or his/her designee) keeps the minutes of each subcommittee meeting. The secretary is a voting member of the committee. The secretary serves a one-year term.

This subcommittee has subgroups, whose structure is described in the Subgroups section.

Administration

Meeting Frequency

The Security & Compliance Subcommittee will meet monthly. The chair or the committee may adjust the meeting frequency as needed.

Administrative Procedures

This subcommittee will adhere to the Administrative Procedures for IT Governance.

Subgroups

Any new subgroups created must be named using the Governance Entity Definitions for subgroups.

The Security & Compliance Subcommittee has the following subgroups:

  • Compliance and Policy Working Group. The Compliance and Policy Working Group assesses university compliance with laws and/or federal or state regulations, as well as university policies, regulations and rules (PRRs), processes, procedures and standards pertaining to security and privacy. The working group oversees the drafting and implementation of university security and privacy PRRs. It may also recommend necessary changes to existing security and privacy regulations and rules so they are kept both current and consistent. An example of this would be to evaluate the Computer Use regulation and make recommended changes to address use of personal computers for business purposes.
  • Security Technology Working Group. The Security Technology Working Group evaluates security technologies to ensure that proposed solutions conform to established security, compliance and privacy standards. In addition, it anticipates security issues that may arise as needs change or as technologies advance. It promotes the university community’s awareness of technical or procedural solutions. It evaluates the current environment for security enhancements. It serves as a “reality check” for the Compliance and Policy Working Group on the feasibility of implementing proposed conceptual approaches. An example would be proposing a solution for encrypting mobile devices. Another example would be reviewing the number of attacks/vulnerabilities seen across campus and recommending a patch management solution as a mitigation strategy.

Membership

  • In addition to the chair, each working group shall have up to five members, who will be nominated and appointed by the Security & Compliance Subcommittee. The number of members for each workgroup may be adjusted as needed by the subcommittee.
  • Members will serve for a term of at least one year, or as determined by the Security & Compliance Subcommittee.

Structure

  • Each working group will have a chair and a secretary. The chair is nominated and appointed by the Security & Compliance Subcommittee. The secretary is nominated and appointed by each workgroup.
  • The chair will serve a term of at least two years and the secretary will serve a term of at least one year, or as determined by the Security & Compliance Subcommittee.
  • The workgroups will adhere to the Administrative Procedures for IT Governance.