Cyber-Risk and Data Privacy Governance Committee

PROPOSAL

Committee: UCLA Cyber-Risk and Data Privacy Governance Committee

Chair: Cyber-Risk Responsible Executive

Executive Leader: Administrative Vice Chancellor and Cyber-Risk Responsible Executive Michael Beck

INTRODUCTION

In 2015, the UC Office of the President mandated that campuses take a number of steps to improve cybersecurity and strengthen our defenses against future cyberattacks. One element of the mandate was for each campus to develop a governance approach to consistently evaluate and reduce cyber risks across each campus. In response, the UCLA Cyber-Risk Planning Group was formed under the then Cyber-Risk Responsible Executive.

In an effort to continue the progress already made at UCLA and to ensure a consistent method for preventing cyber risk, responding to cyber incidents, and generally enhancing cybersecurity, the Cyber-Risk Responsible Executive (CRE) is hereby formalizing the Cyber-Risk and Data Privacy Governance Committee (the “Committee”), which will supersede the Cyber-Risk Planning Group. The following Committee Charter (the “Charter”) defines and establishes the scope and objectives of the Committee.

MEMBERSHIP

The Cyber-Risk and Data Privacy Governance Committee will support the Cyber-Risk Responsible Executive and consist of the following 14 members:

Chair:
  (1) Cyber-Risk Responsible Executive

Representatives:
  (1) Campus Chief Information Officer
  (1) Campus Chief Information Security Officer
  (1) Health Sciences Chief Information Officer
  (1) Health Sciences Chief Information Security Officer
  (1) Vice Provost Information Technology
  (1) Campus Chief Privacy Officer
  (1) Vice Chancellor for Legal Affairs
  (1) Lead Campus Counsel for cyber-risk and data privacy
  (1) Chief Audit & Compliance Officer
  (1) Vice Chancellor for Student Affairs
  (1) Professional School or College dean
  (1) Academic Senate representative
  (1) Common Systems Group (CSG) representative

SCOPE

The Committee will provide oversight of the following areas, generally relating to UCLA’s data and information systems:

  • Cyber-risk management
  • Data privacy and protection
  • Cyber-risk incident response

The Committee’s responsibilities also include:

  • Reviewing and recommending changes to cybersecurity and data privacy policies, standards, and guidelines
  • Reviewing and endorsing cyber-risk mitigation and response plans
  • Reviewing and endorsing information security standards consistent with acceptable risk tolerances

The scope of the Committee’s purview broadly includes the storage, use, and management of electronic data. This includes the protection of digital information assets used for academic, research, or administrative purposes, whether stored or transmitted in electronic form, and may consist of data, systems, networks, or documents created from electronic data.

OBJECTIVES

The high-level responsibility of the Committee is to advise the CRE so that cyber-risk reduction and cyber incident response strategies are aligned with industry best practices, business objectives, and privacy expectations. The Committee’s work includes prioritizing risk mitigation, developing cybersecurity standards, addressing stakeholder concerns, and building support for campuswide initiatives and/or policies that address cyber risk. The following are the domain-specific objectives of the Committee:

Data Privacy and Protection

  1. Recommend strategies to protect Campus data from inappropriate use or improper access;
  2. Review the Campus Location Information Security Management Plan;
  3. Review policies, standards, and training to ensure compliance with all laws and regulations related to the acquisition, retention, storage, and destruction of Campus information in electronic form or resulting from electronic data; and
  4. Oversee the incident response team’s efforts following an incident that potentially compromises data and/or related systems.

Incident Investigation

  1. Review and approve the Campus Incident Response Plan;
  2. Recommend to the CRE a notification strategy following a cybersecurity incident;
  3. Recommend corrective and preventive measures to address cybersecurity incidents;
  4. Review incident action reports from significant cybersecurity incidents and recommend actions to be taken; and
  5. Review lessons learned after an incident and recommend corrective actions.

Risk Management

  1. Review the appropriateness of cybersecurity risk tolerances;
  2. Review and recommend the levels of risk that require mitigation;
  3. Establish an escalation protocol to manage risks that exceed UC maximum tolerances;
  4. Review the allocation of resources in response to identified and prioritized risks and recommend modifications, if appropriate; and
  5. Identify and review campus risks related to the management, storage, and use of data, especially data that contains protected information.

ADMINISTRATIVE PROVISIONS

The Chair shall provide administrative arrangements for the Committee, including calling of meetings, arranging for a meeting place, and preparation of an agenda, discussion material, and meeting minutes.

  • The Committee shall from time to time establish its meeting schedule; initially, the Committee shall meet at least quarterly. Other meetings may be called at the discretion of the Chair or at the request of a Committee member with the approval of the Chair.
  • At the discretion of the Committee, various sub-committees or task groups may be formed to address specific areas of importance. These sub-committees will report directly to the Committee.