Cyber-Risk and Data Privacy Governance Committee

Committee:  UCLA Cyber-Risk and Data Privacy Governance Committee

Chair:  Cyber-Risk Responsible Executive

Executive Leader:  Administrative Vice-Chancellor and Cyber-Risk Responsible Executive Michael Beck

INTRODUCTION

In 2015, the UC Office of the President mandated that campuses take a number of steps to improve cybersecurity and strengthen our defenses against future cyberattacks. One element of the mandate was for each campus to develop a governance approach to consistently evaluate and reduce cyber risks across each campus. In response, the UCLA Cyber-Risk Planning Group was formed under the then Cyber-Risk Responsible Executive.

In an effort to continue the progress already made at UCLA and to ensure a consistent method for preventing cyber-risk, responding to cyber incidents, and generally enhancing cybersecurity, the Cyber-Risk Responsible Executive is hereby formalizing the Cyber-Risk and Data Privacy Governance Committee (the “Committee”), which will supersede the Cyber-Risk Planning Group. The following Committee Charter (the Charter) defines and establishes the scope and objectives of the Committee.

MEMBERSHIP

The Cyber-Risk and Data Privacy Governance Committee will support the Cyber-Risk Responsible Executive and include the following 14 representatives:

Chair: Michael Beck, VC Administration and Cyber-Risk Responsible Executive

Representatives:

  • Lucy Avetisyan, Campus Chief Information Officer
  • David Shaw, Campus Chief Information Security Officer
  • Michael Pfeffer, Health Sciences Chief Information Officer
  • Edgar Tijerino, Health Sciences Chief Information Security Officer
  • Jim Davis, Vice Provost Information Technology
  • Kent Wada, Campus Chief Privacy Officer
  • Louise Nelson, Vice Chancellor for Legal Affairs
  • Amy Blum, Lead Campus Counsel for cyber-risk and data privacy
  • Kenton LeFore, Chief Audit & Compliance Officer
  • Monroe Gorden, Vice Chancellor for Student Affairs
  • Jayathi Murthy, Dean, School of Engineering and Applied Sciences
  • Jean-Francois Blanchette, Associate Professor and Chair, Information Studies (Academic Senate representative)
  • Marco Mascari, Common Systems Group (CSG) representative

SCOPE

The Committee will provide oversight of the following areas generally relating to UCLA’s data information systems:

  • Cyber-risk management
  • Data privacy and protection
  • Cyber-risk incident response

The Committee responsibilities also include:

  • Review and recommend changes to cybersecurity and data privacy policies, standards, and guidelines
  • Review and endorse cyber-risk mitigation and response plans
  • Review and endorse information security standards consistent with acceptable risk tolerances

The scope of the Committee’s purview broadly includes the storage, use, and management of electronic data. This includes the protection of digital information assets used for academic, research, or administrative purposes, whether stored or transmitted in electronic form, and may consist of data, systems, networks, or documents created from electronic data.

OBJECTIVES

The high-level responsibilities of the Committee are to advise the Cyber-Risk Responsible Executive (CRE) to ensure that cyber-risk reduction and cyber incident response strategies are aligned with industry best practices, business objectives, and privacy expectations. The Committee’s work includes prioritizing risk mitigation, developing cybersecurity standards, addressing stakeholder concerns, and building support for campuswide initiatives and/or policies to address cyber risk. The following are domain-specific objectives of the Committee:

Data Privacy and Protection

  1. Recommend strategies to protect Campus data from inappropriate use or improper access;
  2. Review of the Campus Location Information Security Management Plan;
  3. Review of policies, standards, and training to ensure compliance with all laws and regulations related to the acquisition, retention, storage, and destruction of Campus information in an electronic form or resulting from electronic data; and
  4. Oversight of the incident response team’s efforts following an incident that potentially compromises data and/or related systems.

Incident Investigation

  1. Review and approval of the Campus Incident Response Plan;
  2. Recommend to the CRE a notification strategy following a cybersecurity incident;
  3. Recommend corrective and preventative measures to address cybersecurity incidents;
  4. Review incident action reports from significant cybersecurity incidents and recommend actions to be taken; and
  5. Review of lessons learned after an incident and recommend corrective actions.

Risk Management

  1. Review appropriateness of cybersecurity risk tolerances;
  2. Review and recommend levels of risk requiring mitigation;
  3. Establish an escalation protocol to manage risks that exceed UC maximum tolerances;
  4. Review allocation of resources in response to identified and prioritized risks and recommend modifications, if appropriate; and
  5. Identify and review campus risks related to management, storage, and use of data, especially that which contains protected information.

ADMINISTRATIVE PROVISIONS

The Chair shall provide administrative arrangements for the Committee, including calling of meetings, arranging for a meeting place, and preparation of an agenda, discussion material, and meeting minutes.

  • The Committee shall from time to time establish its meeting schedules; initially, the Committee shall meet at least quarterly. Other meetings may be called at the discretion of the Chair or at the request of a Committee member with approval of the Chair.
  • At the discretion of the Committee, various sub-committees or task groups may be formed to address specific areas of importance. These sub-committees will report directly to the Committee.