The Cyber Security Risk and Compliance Committee (CSRCC) sits underneath the IT Policy, Risk and Assurance Committee (IT PRAC) and provides detailed management oversight of cyber security risk and compliance management. The CSRCC aims to improve compliance with cyber security standards and controls across UQ and provide assurance that cyber security risks are managed effectively.

Objectives

The CSRCC’s key objectives, activities and authorities are:

  • Review proposed initiatives within the Cyber Security Improvements Program each year (with a focus on risk and compliance).
  • Establish implementation or compliance working groups based on cyber security priorities or key risks. Agree on a limited number of working groups to be established each year, and ensure working groups are adequately resourced with clear goals and responsibilities. 
  • Endorse cyber security policy documents where they are highly technical in nature and have no impact outside IT (as agreed by the IT PRAC). Policy documents endorsed by this committee will be provided to IT PRAC for noting.
  • Close implementation or compliance working groups once the group has achieved its goals. 
  • Review and endorse the yearly assurance plan. 
  • Monitor top cyber security risks to oversee risk categorisation and provide feedback on risk mitigation actions. 
  • Review risk management for top risks quarterly.
  • Review outcomes and updates from working groups, including:
    • working group status updates and progress regarding compliance and implementation, and
    • outcomes of compliance checks, reviews, audits, assessments or self-assessments. 
  • Report quarterly to IT PRAC on:
    • progress of working groups,
    • a summary of compliance monitoring activities and outcomes, and
    • key cyber security risk information, such as new risks with a rating of ‘high’ or above, or updates on key risk mitigation actions.

Membership

  • Chair – Director, Cyber Security
  • ITS Security Architect
  • CSOC representative
  • Secretary – member of the Cyber Security team
  • Team Leader, Data Strategy and Governance
  • Manager, Cyber Security Improvements 
  • Faculty representative 
  • Library representative 
  • Research representative
  • HR representative
  • Finance representative
  • ITS Senior Management Group – members to attend as required
  • IT Governance representative to attend as required.

Subject matter experts will attend as needed (e.g. ADS, infrastructure, school managers, institute representatives).

Meeting processes

  • Meets every month (except January and December).
  • Meetings will run for one hour.
  • Attendance is defined as in person, by phone or by video call.
  • Meetings can be held out of session for ad-hoc decisions and items for noting.
  • Members may delegate attendance to an equivalent peer. 
  • Members must be in attendance to vote.