IT Policy, Risk and Assurance Committee
The IT Policy, Risk and Assurance Committee (IT PRAC) aims to support effective IT policy development (i.e. policies, procedures, standards) and implementation, while monitoring IT risk and compliance.
Objectives
- Provide a forum for UQ representatives to discuss and provide feedback on compliance with policies, procedures or external instruments (e.g. legislation).
- Review policy documents with regards to UQ and IT quality standards, and requirements around monitoring, assurance, and implementation.
- Endorse IT policy documents to the CIO (and in some cases the Vice-Chancellor) for approval.
- Providing advice, guidance and endorsements on submissions that align with the Technology Master Plan and purpose of IT PRAC.
- Review results from assurance and compliance assessments and provide recommendations where results indicate there are compliance issues, additional risks or inadequate processes or controls.
- Review IT policy implementation outcomes across UQ.
- Develop and endorse the IT top 10 risks and associated mitigation actions.
- Discuss IT risks above UQ’s appetite and recommend mitigation actions.
- Discuss open actions resulting from internal audits, external advisory, and external audits/accreditations, and recommend actions where actions continue to exceed their due date or cannot be completed.
Membership
- Chief Information Officer (Chair)
- Director, IT Governance and Investment
- Director, Governance and Risk
- Director, Research Computing Centre
- Faculty Executive Manager
- Deputy Director, Digital Learning
- Director, Cyber Security
- Director, Institute Operations
- University Librarian
- Manager, IT Policy, Risk and Assurance (Secretary)
- Additional staff may be asked to join periodically to provide specific expertise.
Meeting processes
- meets every 2 months
- certain meetings will have standard agenda items (e.g. determining annual IT top 10 risks)
- attendance is defined as in-person, by phone, by video call
- meetings can be held out of session for ad-hoc decisions and items for noting
- members may delegate attendance to an equivalent peer (e.g. FEM from alternate faculty)
- members must be in attendance to vote, with a minimum of 5 members in attendance.
Reporting
IT PRAC will receive the following reports:
- reports from each sub-committee or working group that feeds into the committee as required but at a minimum, annually
- quarterly cyber security risk dashboard
- outstanding actions register reports
- select reports relating to compliance with IT policy documents and federal or state legislation, regulations and policies
- select reports relating to IT risk management.
Agenda submissions
Email IT Governance and Investment regarding agenda submissions or committee enquiries.
Please use the IT PRAC Submission Coversheet (DOCX, 46.6 KB) when providing submissions to the committee.
2025 meeting information
Agendas, documents and decisions from IT PRAC meetings are listed below. Note that certain items may only be available on request.
| Meeting date | Submission due date | Outcomes and actions |
|---|---|---|
| 25 February 2025 | 11 February 2025 | TBC |
| 29 April 2025 | 15 April 2025 | TBC |
| 24 June 2025 | 10 June 2025 | TBC |
| 26 August 2025 | 12 August 2025 | TBC |
| 21 October 2025 | 7 October 2025 | TBC |
| 9 December 2025 | 25 November 2025 | TBC |
Outcomes and actions from prior meetings:
| Meeting date | Outcomes and actions |
|---|---|
| 7 August 2024 | IT PRAC outcomes and actions (PDF, 102.5 KB) |
| 8 October 2024 | IT PRAC outcomes and actions |
| 27 November 2024 (held out of session) | TBC |
For meeting information from other meetings, please email IT Governance.