
Information Security Committee

(Sub-committee of University Executive Board)

1. Secretary

A member of the University’s Cyber Security Team or Information Governance Team.

 

2. Constitution

Members:

a. A member of University Executive Board (Chair)

b. Executive Director of Finance

c. Registrar

d. Director of NUIT

e. Chief Information Security Officer

f. Head of Information Governance and Data Protection Officer

g. Director of Technology Operations, NUIT

h. NHS Data Security Protection Toolkit (DSPT) Toolkit Information Risk Officer

i. An academic with a cyber security specialism nominated by the Head of the School of Computing

j. Three faculty representatives, one from each faculty, with at least one representing the education community and at least one representing the research community, nominated by the Chair in consultation with the Faculty PVCs

Information Security Committee shall have the authority to co-opt up to three further members.

The University Risk Manager and the Head of Internal Audit shall be invited to observe and advise the Committee.

A quorum shall be not fewer than one third of the members and must include at least one member from University Executive Board and the Chief Information Security Officer or Head of Information Governance and Data Protection Officer. 

 

3. Terms of Reference

a. Be accountable for the University’s cyber security and information governance (collectively information security) arrangements and provide oversight of the implementation of the following policies:

i. Information Security Policy

ii. Data Protection Policy

iii. Records Management Policy

iv. Freedom of Information Policy

b. Approve changes to the policies stated in 3.a above.

c. Approve the Cyber Security Accountability Framework made under the Information Security Policy.

d. Approve the University’s Cyber Security Architecture.

e. Approve changes to the terms of reference for the Information Security Operations Group, a sub-committee of Information Security Committee.

f. Create other sub-committees necessary for the effective management and implementation of the University’s information security arrangements.

g. Oversee the progress of the work of sub-committees.

h. Approve key information security related risk-based decisions within the context of the University’s Risk Management Policy and Risk Appetite Statement.

i. Promote an effective information security posture and culture throughout the University.

j. Discuss any information security related matter brought to the attention of the Committee.

k. Make recommendations to University Executive Board on investment, resources, and other decisions/escalations pertinent to the University’s information security arrangements.  

 

4. Authority

a. The Committee is authorised by University Executive Board to make changes to the policies listed at 3.a above and the Cyber Security Accountability Framework.

 

5. Reporting

a. Receive and consider reports from the Information Security Operations Group and the Cyber Security Programme Steering Group.

b. Provide regular reports to University Executive Board and Audit, Risk, and Assurance Committee.

 

6. Procedure

a. The Committee shall meet at least six times a year.

b. Any member who has a pecuniary, family, or other personal interest in any matter under discussion at any meeting of the Committee shall, as soon as practicable, disclose that fact to the meeting, shall not take part in any voting that arises from such discussions and shall, if requested by the Chair, withdraw from that part of the discussion.

c. The Committee shall conduct its business in accordance with its terms of reference, and with the University’s Standing Orders for Committees.

 

Version 0.2, 19/12/2022, JNB.

Approved by University Executive Board, 10 January 2023.