The following CISPC Charter, revised June 2014, is conditionally published, pending approval by the Information Risk Governance Committee. The previous version of the charter remains available for reference.
The Campus Information Security and Privacy Committee (CISPC) is a standing committee to support and advise the Information Risk Governance Committee (IRGC) on information security and privacy programs, priorities, and budget. CISPC also functions as an advisory group for the Chief Information Security Officer (CISO), Campus Privacy Officer (CPO), and Information Technology Leadership Group (ITLG).
- Identifying campus requirements
- Providing input on policy issues
- Reviewing proposed standards
- Recommending agenda priorities for IRGC
- Providing research and risk/cost-benefit analysis on IRGC agenda topics
- Sponsoring periodic professional development events (jointly with Information Security and Policy) to foster 2-way information flow to and from campus IT service providers
- Other work delegated or assigned by the IRGC, CISO, or CPO.
CISPC is sponsored by the IRGC.
- CISPC members are selected from the campus community by the IRGC (or, if delegated, by the IRGC Co-Chairs), based on subject matter expertise and willingness to serve.
- The IRGC will contact each CISPC member’s manager annually to request the following release time: 2 hrs/month for CISPC general meetings and 8 hrs/month for additional CISPC work commitments.
- Volunteers can apply for membership via the CISPC chairs for full committee review and recommendation and subsequent IRGC approval. (Working group service is taken into consideration in membership decisions.)
- The CISPC chair and vice-chair are selected by a majority vote of CISPC members. The elected vice-chair is the designated chair for the following year.
- Vacancies and other membership issues are resolved by the IRGC Co-Chairs.
- Meeting frequency: 2 hours monthly, plus additional workgroup commitments. The committee will determine modifications to the schedule based on current needs.
- Meeting structure: The chairs or a designee will collect agenda items and circulate agendas in advance of each meeting to ensure an informed discussion of scheduled topics.
- Reporting: CISPC reports directly to the IRGC separately from the CISO and CPO. The CISO/CPO annual report to the IRGC shall also include CISPC reporting and input, and the CISO/CPO report shall be shared with CISPC (as well as other interested UCB stakeholders).
- Documentation of proceedings: All meetings shall have notes of discussions and action items.
- Voting: If CISPC does not reach a consensus on advisory topics, majority and minority opinions may be used to convey a topic’s depth and complexity to the IRGC and other audiences.
- Working Groups: Ad hoc working groups bring together subject matter experts to study particular topics in depth, prepare reports, and make recommendations to CISPC. Working group members are appointed for a finite term and can include both CISPC and non-CISPC members, as long as at least one working group member is a CISPC member.