The IT Policy, Risk and Assurance Committee (IT PRAC) aims to support effective IT policy development (i.e. policies, procedures, standards) and implementation, while monitoring IT risk and compliance. 

Objectives

  • Provide a forum for UQ representatives to discuss and provide feedback on compliance with policies, procedures or external instruments (e.g. legislation).
  • Review policy documents with regard to UQ and IT quality standards, and requirements around monitoring, assurance, and implementation.
  • Endorse IT policy documents to the CIO (and in some cases the Vice-Chancellor) for approval. 
  • Provide advice, guidance and endorsements on submissions that align with the Technology Master Plan and purpose of IT PRAC.
  • Review results from assurance and compliance assessments and provide recommendations where results indicate there are compliance issues, additional risks or inadequate processes or controls. 
  • Review IT policy implementation outcomes across UQ. 
  • Develop and endorse the IT top risks and associated mitigation actions. 
  • Review controls and associated mitigation actions for any IT-specific top UQ risks.
  • Discuss IT risks above UQ’s appetite and recommend mitigation actions. 
  • Discuss open actions resulting from internal audits, external advisory, and external audits/accreditations, and recommend actions where actions continue to exceed their due date or cannot be completed. 

Membership

  • Chief Information Officer (Chair)
  • Director, IT Governance and Investment
  • Director, Governance and Risk
  • Director, Research Computing Centre
  • Faculty Executive Manager
  • Deputy Director, Digital Learning
  • Director, Cyber Security
  • Director, Institute Operations
  • University Librarian
  • Manager, IT Policy, Risk and Assurance (Secretary)
  • Additional staff may be asked to join periodically to provide specific expertise.

Meeting processes

  • meets every 2 months
  • certain meetings will have standard agenda items (e.g. determining annual IT top 10 risks)
  • attendance is defined as in-person, by phone, or by video call
  • meetings can be held out of session for ad-hoc decisions and items for noting
  • members may delegate attendance to an equivalent peer (e.g. FEM from alternate faculty)
  • members must be in attendance to vote, with a minimum of 5 members in attendance.

Reporting

IT PRAC will receive the following reports:

  • reports from each sub-committee or working group that feeds into the committee, as required but at a minimum annually
  • quarterly cyber security risk dashboard
  • outstanding actions register reports
  • select reports relating to compliance with IT policy documents and federal or state legislation, regulations and policies 
  • select reports relating to IT risk management.

Agenda submissions

Email IT Governance and Investment regarding agenda submissions or committee enquiries.

Please use the IT PRAC Submission Coversheet (DOCX, 46.6 KB) when providing submissions to the committee.

2026 meeting information

Agendas, documents and decisions from IT PRAC meetings are listed below. Note that certain items may only be available on request.

| Meeting date | Submission due date | Outcomes and actions |
|---|---|---|
| 9 February 2026 | 23 January 2026 | Outcomes and Actions (PDF, 144.7 KB) |
| 24 March 2026 | 10 March 2026 | |
| 19 May 2026 | 5 May 2026 | |
| 29 July 2026 | 15 July 2026 | |
| 15 September 2026 | 1 September 2026 | |
| 24 November 2026 | 10 November 2026 | |

Outcomes and actions from prior meetings:

| Meeting date | | Outcomes and actions |
|---|---|---|
| 24 June 2025 | 10 June 2025 | IT PRAC outcomes and actions |
| 26 August 2025 | 12 August 2025 | IT PRAC outcomes and actions |
| 21 October 2025 | 7 October 2025 | IT PRAC outcomes and actions |

For meeting information from other meetings, please email IT Governance.