Systemwide Information Security Council (SISC)
This committee is charged with overseeing the University’s information security (InfoSec) policies, procedures, and standards to identify and apply a risk-based approach to information security. The committee will strive to ensure that the InfoSec program supports the University’s mission, improves the security posture of the University and appropriately prioritizes resources and risk.
Responsibilities
- Champion the InfoSec program to promote awareness, compliance and drive cultural change across the System
- Review and approve university-wide InfoSec policies and initiatives
- Provide strategic direction and establish priorities
- Ensure compliance with InfoSec policies within their organizational hierarchy
- Engage Council of Chancellors periodically for feedback and input regarding the InfoSec program
- Establish functional ownership and accountability for key information security areas
- Hold identified staff (CISO, Emergency Mgmt, etc.) responsible for execution of priorities
- Ensure the development of a “State of Information Security” report for the President and Board of Curators at least annually
Membership
The committee is accountable to the Vice President for Finance and Vice President for Information Technology and is chaired by the Chief Information Security Officer (CISO) whose offices will also provide administrative support for the SISC. Standing members include:
- Chief Information Security Officer (Chair)
- Director of Risk & Insurance Management
- General Counsel representative
- Vice President for Finance and Administration
- Vice President for Information Technology
- Director of UM Procurement
- Executive Vice Chancellor, Health Affairs
- Chief Audit & Compliance Officer
- Chief Human Resources Officer
- Associate Vice President, Academic Affairs/Chief of Staff
- Chief Data Officer
- UM System Privacy Officer
- Director of Enterprise Architecture
Chief Information Security Officer (CISO)
The CISO will serve as a liaison between the SISC and the ISG.
Responsibilities
- Communicate the goals, objectives and priorities of the SISC to the ISG.
- Present draft elements created by the ISG to the SISC.
- Create a template for elements of the information security program to ensure a consistent look and feel.
- Ensure that the information security program is published prominently and remains up to date.
- Assist the VP for IT in managing compliance with the information security program by UM units/departments.
Information Security Group (ISG)
This working group will comprise the CISO, the Information Security Officer (ISO) from each University entity and other members as appropriate (e.g. HR representatives from each campus when dealing with HR elements of the program).
Responsibilities
- Develop elements of the information security program in accordance with the goals, objectives and priorities of the SISC.
- Serve as a conduit for obtaining input from, and communicating program elements to, each University entity.
Other Roles
The Chief Information Officer (CIO) for each University entity will be responsible for communicating, publishing and distributing new policies and program components to their respective entity.
- CIOs/ISOs will manage compliance within their respective entities.
- VP for IT will manage compliance within UM departments/units.
Information Security Governance
Reviewed 2024-10-21