The Information Security Advisory Board is authorized by the IT Steering Committee of the University of Idaho (U of I) to provide advice and recommendations in support of the Information Security Program. The goal of this board is to ensure that protection of the confidentiality, integrity, and availability of information assets across the university is in alignment with regulatory and contractual requirements, industry standards, and best practices. The work of this board supports the cost-effective, transparent, strategic, and compliant approach to managing technology risk and prioritizing changes, initiatives, and investments for the Information Security Program in support of the institution’s mission and priorities. As the board co-chair, the Chief Information Security Officer (CISO) has primary responsibility for reaching consensus, reporting, and coordinating board recommendations.
Definition of Information Security*
Information security is protecting information, information systems and IT infrastructure from unauthorized access, use, disclosure, disruption, modification, or destruction to provide integrity, confidentiality, and availability. Information security spans and is an integral part of administrative, academic and research technology in higher education.
* Based on the NIST Computer Security Resource Center definition of INFOSEC found at https://csrc.nist.gov/glossary/term/INFOSEC
Board Composition and Term
- The composition of this board will consist of a cross-functional representation of stakeholders with authority to make decisions or subject matter expertise.
- Generally, members are selected to represent technology stewards, service stakeholders, Faculty Senate IT Committee, and the student body.
- Membership may be permanent or rotating for 1- to 3-year terms based on the position of each member. The membership terms for the various members will be determined after the board has been in operation for one year.
- Some members are appointed as ex-officio.
- Members are appointed to committees based on recommendations from the existing members of the IT Steering Committee and other University leadership as appropriate.
- The board will annually review membership, addressing attendance gaps or participation gaps from changing member commitments. The board will attempt to stagger terms for rotating members where possible.
Board Membership
- Co-Chair - Chief Information Security Officer
- Co-Chair - [one of the positions chosen below]
- Director of Financial Aid, or designee
- Director of Human Resources (HIPAA Privacy Officer), or designee
- Director of Research Computing, or designee
- Representative of OSBE Risk Management
- Representative of General Counsel
- Representative of Data Governance Steering Committee
- Representative of Office of Sponsored Programs
- Representative of Faculty Information Technology Committee
- Representative of ASUI
- Ad Hoc - Subject matter experts on compliance, cybersecurity
Member Responsibilities
- Regularly attend and actively participate in board meetings.
- Solicit and accept input from constituents as well as applicable broader institutional input.
- Recommend strategic direction in support of the institution’s mission.
- Assist in regular use of communication channels among other governance groups, stakeholders, and the University community.
- Provide input and build consensus on board actions.
Co-Chair Responsibilities
- Finalize meeting agendas and schedule meetings at least monthly during the Spring and Fall terms.
- Facilitate board consensus and understanding.
- Lead board meetings.
- Establish board rules to support the orderly and transparent discussion of topics and to facilitate democratic decision making.
- Support transparency by announcing meetings, providing meeting minutes, and disseminating board information such as lists of projects, workgroups, and results of surveys or open forums for publication.
- Work with IT to maintain a repository of board work and publish information and meeting logistics as appropriate to the University community.
- Present board work to the IT Steering Committee.
- Serve as the representative of this board with other committees and governing bodies.
- Provide input to other IT Governance boards per discussions.
The full Charter is attached to this article.