The Cyber Security Risk and Assurance Committee (CSRAC) will sit underneath the IT Policy, Risk and Assurance Committee (IT PRAC) and will provide detailed management oversight of cyber security risk and compliance management. The CSRAC aims to improve compliance with cyber security standards and controls across UQ and provide assurance that cyber security risks are managed effectively.

Definitions

Information Security Management System (ISMS): A comprehensive framework designed to manage and protect an organisation’s information assets. It encompasses a set of policies, procedures, tools and controls to safeguard the confidentiality, integrity, and availability of information.

Mandate

The CSRAC’s key objectives, activities and authorities are:

  • Review proposed initiatives within the Cyber Security Improvements Program each year (with a focus on risk and compliance).
  • Establish implementation or compliance working groups based on cyber security priorities or key risks. Agree on a limited number of working groups to be established each year, and ensure working groups are adequately resourced with clear goals and responsibilities.
  • Endorse cyber security ISMS documents where they are highly technical in nature and have no impact outside IT (as agreed by the IT PRAC). ISMS documents endorsed by this committee will be provided to IT PRAC for noting.
  • Close implementation or compliance working groups once the group has achieved its goals.
  • Review and endorse the yearly assurance plan.
  • Monitor the top cyber security risks, oversee their risk categorisation and provide feedback on risk mitigation actions.
  • Review risk management for top risks quarterly.
  • Review outcomes of ISMS Audits.
  • Review outcomes and updates from working groups, including:
    • working group status updates and progress regarding compliance and implementation, and
    • outcomes of compliance checks, reviews, audits, assessments or self-assessments.
  • Report quarterly to IT PRAC on:
    • progress of working groups
    • summary of compliance monitoring activities and outcomes
    • key cyber security risk information such as new risks with a rating of ‘high’ or above or updates on key risk mitigation actions.

Membership

  • Chair – Director, Cyber Security
  • ITS Security Architect
  • CSOC representative
  • Secretary – member of the Cyber Security team
  • Team Leader, Data Strategy and Governance
  • Senior Manager, Cyber Security Culture and Awareness 
  • Faculty representative 
  • Library representative – University Librarian to nominate
  • Research representative – PVCRI to nominate
  • HR representative – CHRO to nominate
  • Finance representative – CFO to nominate
  • ITS Senior Management Group – members to attend as required
  • IT Governance representative to attend as required.

SMEs to attend as needed (e.g. ADS, infrastructure, school managers, institute representatives).

Meeting processes

  • Meets every month (except January and December).
  • Meetings will run for one hour.
  • Attendance may be in person, by phone or by video call.
  • Meetings can be held out of session for ad-hoc decisions and items for noting.
  • Members may delegate attendance to an equivalent peer. 
  • Members must be in attendance to vote.