IT Policy, Risk and Assurance Committee

The IT Policy, Risk and Assurance Committee (IT PRAC) aims to support effective IT policy development (i.e. policies, procedures, standards) and implementation, while monitoring IT risk and compliance. 

Objectives

• Provide a forum for UQ representatives to discuss and provide feedback on compliance with policies, procedures or external instruments (e.g. legislation).
• Review policy documents with regards to UQ and IT quality standards, and requirements around monitoring, assurance, and implementation. 
• Endorse IT policy documents to the CIO (and in some cases the Vice-Chancellor) for approval. 
• Review results from assurance and compliance assessments and provide recommendations where results indicate there are compliance issues, additional risks or inadequate processes or controls. 
• Review IT policy implementation outcomes across UQ. 
• Develop and endorse the IT top 10 risks and associated mitigation actions. 
• Discuss IT risks above UQ’s appetite and recommend mitigation actions. 
• Discuss open actions resulting from internal audits, external advisory, and external audits/accreditations, and recommend actions where actions continue to exceed their due date or cannot be completed. 

Membership

• Chief Information Officer (Chair)
• University Librarian
• Chief Technology Officer, Research Computing Centre
• Director, Governance and Risk
• a Faculty Executive Manager
• Deputy Director, Digital Learning
• Director, Cyber Security
• a Deputy Director (Operations) 
• Associate Director, IT Governance
• IT Policy, Risk and Assurance Manager (Secretary)
• additional staff may be asked to join periodically to provide specific expertise.

Meeting processes

• meets every 2 months
• certain meetings will have standard agenda items (e.g. determining annual IT top 10 risks)
• attendance is defined as in-person, by phone, by video call
• meetings can be held out of session for ad-hoc decisions and items for noting
• members may delegate attendance to an equivalent peer (e.g. FEM from alternate faculty)
• members must be in attendance to vote.

Reporting

IT PRAC will receive the following reports:

• quarterly cyber security risk dashboard
• outstanding actions register reports
• quarterly software compliance report/asset management compliance report
• select reports relating to compliance with IT policy documents and federal or state legislation, regulations and policies 
• select reports relating to IT risk management.

Agenda submissions

Email IT Governance regarding agenda submissions or committee enquiries.

2023 meeting information

Agendas, documents and decisions from IT PRAC meetings are listed below. Certain items may only be available on request. For meeting information from previous years, please email IT Governance.