Committee: UCLA Cyber-Risk and Data Privacy Governance Committee
Chair: Cyber-Risk Responsible Executive
Executive Leader: Administrative Vice-Chancellor and Cyber-Risk Responsible Executive Michael Beck
Introduction
In 2015, the UC Office of the President mandated that campuses take a number of steps to improve cybersecurity and strengthen our defenses against future cyberattacks. One element of the mandate was for each campus to develop a governance approach to consistently evaluate and reduce cyber risks across each campus. In response, the UCLA Cyber-Risk Planning Group was formed under the then Cyber-Risk Responsible Executive.
In an effort to continue the progress already made at UCLA and ensure a consistent method for preventing cyber-risk, respond to cyber incidents, and generally enhance cybersecurity, the Cyber-Risk Responsible Executive is hereby formalizing the Cyber-Risk and Data Privacy Governance Committee (the “Committee”), which will supersede the Cyber-Risk Planning Group. The following Committee Charter (the Charter) defines and establishes the scope and objectives of the Committee.
Membership
The Cyber-Risk and Data Privacy Governance Committee will support the Cyber-Risk Responsible Executive and include the following 15 representatives:
| Chair: | Michael Beck, VC Administration and Cyber-Risk Responsible Executive |
| Representatives: |
Lucy Avetisyan, Campus Chief Information Officer David Shaw, Campus Chief Information Security Officer Ellen Pollack, Health Sciences Chief Information Officer Edgar Tijerino, Health Sciences Chief Information Security Officer Jim Davis, Vice Provost Information Technology Kent Wada, Campus Chief Privacy Officer Louise Nelson, Vice Chancellor for Legal Affairs Amy Blum, Lead Campus Counsel for cyber-risk and data privacy Mark Krause, Chief Audit & Compliance Officer Monroe Gorden, Vice Chancellor for Student Affairs Jayathi Murthy, Dean School of Engineering and Applied Sciences Jean-Francois Blanchette, Assoc Prof/ Chair Infor Studies (Academic Senate representative) Ginny Steel, University Librarian Max Kopelevich, Common Systems Group (CSG) representative |
Scope
The Committee will provide oversight of the following areas generally relating to UCLA’s data information systems:
- Cyber-risk management
- Data privacy and protection
- Cyber-risk incident response
The Committee responsibilities also include:
- Review and recommend changes to cybersecurity and data privacy policies, standards, and guidelines
- Review and endorse cyber-risk mitigation and response plans
- Review and endorse information security standards consistent with acceptable risk tolerances
The scope of the Committee’s purview broadly includes the storage, use, and management of electronic data. This includes the protection of digital information assets used for academic, research, or administrative purposes, whether stored or transmitted in electronic form, and may consist of data, systems, networks, or documents created from electronic data.
Objectives
The high-level responsibilities for the Committee are advising the CRE to ensure that cyber-risk reduction and cyber incident response strategies are aligned with industry best practices, business objectives, and privacy expectations. The Committee’s work includes prioritizing risk mitigation, developing cybersecurity standards, addressing stakeholder concerns, and building support for campuswide initiatives and/or policies to address cyber risk. The following are domain-specific objectives of the Committee:
Data Privacy and Protection
- Recommend strategies to protect Campus data from inappropriate use or improper access;
- Review of the Campus Location Information Security Management Plan;
- Review of policies, standards, and training to ensure compliance with all laws and regulations related to the acquisition, retention, storage, and destruction of Campus information in an electronic form or resulting from electronic data; and
- Oversight of the incident response team’s efforts following an incident that potentially compromises data and/or related systems.
Incident Investigation
- Review and approval of the Campus Incident Response Plan;
- Recommend to CRE notification strategy following a cybersecurity incident;
- Recommend corrective and preventative measures to address cybersecurity incidents;
- Review incident action reports from significant cybersecurity incidents and recommend actions to be taken; and
- Review of lessons learned after an incident and recommend corrective actions.
Risk Management
- Review appropriateness of cybersecurity risk tolerances;
- Review and recommend levels of risk requiring mitigation;
- Establish an escalation protocol to manage risks that exceed UC maximum tolerances;
- Review allocation of resources in response to identified and prioritized risks and recommend modifications, if appropriate; and
- Identify and review campus risks related to management, storage, and use of data, especially that which contains protected information.
Administrative Provisions
The Chair shall provide administrative arrangements for the Committee, including calling of meetings, arranging for a meeting place, and preparation of an agenda, discussion material, and meeting minutes.
- The Committee shall from time to time establish its meeting schedules; initially, the Committee shall meet at least quarterly. Other meetings may be called at the discretion of the Chair or at the request of a Committee member with approval of the Chair.
- At the discretion of the Committee, various sub-committees or task groups may be formed to address specific areas of importance. These sub-committees will report directly to the Committee
