IT Governance Program - Information Risk, Policy, and Security Committee

Committee Profile

Purpose:
The Information Risk, Policy, and Security Committee (IRPSC) provides the ITG framework with institutional governance of information risk. IRPSC is charged with providing oversight and support of Texas A&M University information security by authoring privacy-related policies, procedures, and security initiatives. The committee recommends strategic direction on campus information security and data privacy-related work to ensure that it supports the University mission. IRPSC works in close collaboration with the University Rule Team and Enterprise Risk Management Group within the Office of University Risk and Compliance.

The IRPSC produces the following outputs, including, but not limited to:

- Periodic review and monitoring of the campus information security and privacy programs to ensure adequate transparency on how personal information is protected, what data is collected about the electronic activities of individuals, and how such data is used.

- Solicitation of input and comment, through electronic communications channels, on proposed standards from Information Resource Managers across the University prior to publication of those standards.

- Approval of privacy and information security policies and standards, including evaluation of risks as well as the costs and benefits of mitigation, considering workload impact across campus. Following IRPSC approval, information security and privacy policies are referred to University Risk and Compliance for formal authorization where applicable.

- Proposal of new or modified standards/controls developed by the Texas A&M Risk Management and Policy personnel in the office of the Chief Information Security Officer.

- Monitoring and direction of continual service improvement efforts toward the Texas A&M University Control Catalog in alignment with NIST SP 800-53 Rev. 4 and Texas Administrative Code 202 (§202.76).

- Interpretation and application of Information Resource policy, and adjudication of conflicts between campus initiatives and regulatory compliance requirements.

- Escalation and/or approval of issues that do not conform to TAMU information security and privacy practices, e.g., vendor terms and conditions, contracts, and services incompatible with information resource policy.

- Recommendation of resource prioritization and determination of the campus response to address information risk situations.

- Authorization of protocols for handling information security and privacy policy exception requests, appeals, and escalations, e.g., thresholds for delegation to management.

- Handling of exception appeals and non-compliance regarding security standards and policy, including decisions on whether the presenting risk warrants removal of non-compliant systems from the network or removal of institutional data from the non-compliant systems, and adoption and delegation of procedures for handling common non-compliance issues that may be delegated to management processes.

- Development of continual service improvement outcomes to enhance the awareness and effectiveness of Information Risk, Policy, and Security topics across TAMU.

Membership Selection Process:
Appointed by the Provost, the Vice President for Student Affairs, the Vice President for IT and CIO, the Vice President for Research, the Vice President for Enrollment and Academic Services, and the Vice President and CFO.

Meeting Times:
Bi-monthly on the 3rd Tuesday in January, March, May, July, September, and November.

Roster

This group's roster has been flagged as private.