Information Risk Committee

The Charter of the Information Risk Committee

Mission

Information risk relates to the positive and negative effects on the operation, services, and reputation of the university that may result from providing or neglecting to provide specific information services, programs, training, oversight, or initiatives.

The purpose of the USC Information Risk Committee (IRC) is to assist USC’s campus leadership in its responsibility to assess and manage USC’s information risk, including risk relating to information security, business continuity and disaster planning, compliance, information sharing, and information integrity.

The IRC is responsible for:

  • Making quick and efficient recommendations to senior executives regarding critical, risk- and value-sensitive issues, based on the evaluation of such risk throughout the university and using a consistent, well-informed, and documented approach.
  • Providing guidance, assessments, and metrics that help manage and, where possible, mitigate such risk, recognizing that specific risks may be different across the institution depending on context (e.g., research versus eCommerce), perceived value, and other factors.

While the IRC does not replace other committees or organizations at the university that are involved in managing risk, compliance, audit, or other assessment or risk management processes, the IRC is the single authoritative committee responsible for coordinating and finalizing recommendations to the provost and the applicable senior vice presidents with respect to information risk. The IRC may also review the roles and responsibilities of existing committees and make recommendations to the appropriate executives.

Membership

The IRC shall be chaired by and report to the chief information officer (CIO). The associate senior vice president for compliance shall be a voting representative. Additional voting representatives shall be appointed for each of the following university divisions: General Counsel, Audit, Human Resources, CAPS, the Comptroller, Purchasing, ITS, Enrollment Services Division, Health Sciences IT, and the Office of Research. A representative of the Academic Senate shall also serve on the committee. Additional members of the IRC will be voted on by the committee and formally appointed by the chair.

Each member of the IRC shall endeavor to represent the best interests of the university as a whole, while bringing his or her special expertise or perspective to the process.

The USC chief information security officer (CISO) shall report to the IRC on all major initiatives and risks. The CISO shall work to ensure the alignment between information security practices and risk management, often with the involvement of unit and school information security staff.

Duties and responsibilities

The IRC shall have the following duties and responsibilities:

  1. Assess information architectures developed by ITS in consultation with the schools and administration for soundness with respect to information risk and overall effectiveness.
  2. Review information architecture developed by the schools or other units, including Keck Medical Center of USC (KMC), regardless of whether it involves a computer system or service developed in-house (at USC) or in collaboration with or by an outside vendor.
  3. Review the risk control plans and programs developed by or with the CISO as they relate to information security at USC and ensure performance metrics and accountability are established and met.
  4. Appraise and develop USC’s information stewardship programs and plans (to ensure appropriate and agile access to USC information) both centrally and in the schools.
  5. Review specific proposals for access to campus services or infrastructure (e.g., “data feeds” or research programs) that could impact confidential or sensitive information, centrally and in the schools. Where research initiatives include access to campus network, server, or electronic-record infrastructures, the IRC would formally consult the vice president for Research. (Requests for access to email or other accounts do not fall to this committee.)
  6. Help ensure effective information risk management (including security) components in USC purchasing and software development programs, whether central or distributed.
  7. Foster a vision of training and capacity building, so that units become better able to address information risk issues on their own.
  8. Help design and recommend new workflows and business processes across the university, with the goal of reducing information risk and improving efficiency.
  9. Review and provide guidance on information risk and security policies and standards.
  10. Evaluate proposed exceptions to security policies and standards. Coordinate with the enterprise risk management committee and enterprise risk assessment process in areas related to information risk, technology, and security.
  11. Review and endorse technologies and systems proposed at the school/unit level that have enterprise-wide capabilities or implications.
  12. Review and provide guidance on regulatory matters as appropriate (e.g., PCI, FERPA, HIPAA).

Meetings

The IRC shall meet as often as it determines is appropriate, but not less frequently than quarterly. The chair shall preside at all meetings of the IRC and shall set its agenda, with input from the compliance office and the CISO.

The IRC shall meet periodically with the risk managers of the university to discuss emerging issues. The chair of the IRC may also ask any individual to participate in any specific meeting as a subject matter expert.

  • The IRC has the authority to retain advisers when it deems appropriate, as it carries out its duties.
  • The IRC shall report periodically to the Executive Information Security Committee and other senior administration, as necessary, on actions taken and significant matters reviewed by the IRC, generally no less than twice yearly.
  • The IRC will coordinate with the HR Policy Development office to consider relevant university policies on a regular basis to ensure that they are up-to-date and consistent with effective practices with regard to information risk.

Charter review

The IRC shall review, at least annually, the committee’s charter and recommend to the senior administration any proposed changes. This review shall compare the performance of the IRC with the requirements of this charter.