Call to Order and Approval of Minutes (5 Minutes)
Minutes from April meeting approved as received.
Council is made up of “assurance positions” such as Chief Security Officer, Chief Risk Officer, Chief Privacy Officer, Chief Compliance Officer, Assistant VP & Exec Director Internal Audit, Office of General Counsel, and Director of University Policies. These people work within their spheres to promote compliance, assess risk, etc. Formerly, these efforts were more independent. The UAC brings these roles together to work through shared issues/challenges. Discussed examples.
Goal of IT-28 is to help IU further reduce its threat surface (number of network devices), and therefore risk. Asks units to review their IT services and leverage central services as much as practicable. Migration plans should be developed within a year, and reviewed every two years. Examples were discussed. Also requires UITS to provide a comprehensive, evolving set of services at reasonable cost. Departments often do not fully load the cost of providing services. Discussed various aspects/implications of the policy.
At earlier Risk Council meeting it was suggested that it may be useful for Internal Audit to seek feedback from the council for its risk assessment. However, as it turns out, everyone on the council already has an avenue to provide input to the process. Nonetheless, Mike sent out a risk assessment template for feedback from the group on items of concern and offered an opportunity to provide feedback during the meeting. A few issues were discussed. Mike invited other input via email after the meeting.
Tom reviewed how the council has reviewed the program, identified top gaps, provided feedback on various policies & standards, etc. Asked the council for their opinion of whether the council is doing the right things, the right way, etc. Gardner – what’s the lifecycle of the council? Once our initial work is done, do we move to a more ad hoc meeting basis? Wasitis – if we’ve accomplished our initial goals, maybe we move to a less frequent/more ad hoc format? Bruhn – believes the group has an ongoing role. Although future meetings may be less frequent, governance is a continuing need. Group consensus was that initial goals have been largely achieved, and that future meetings should be issue-driven. Davis – Does the council’s makeup still make sense? Should others be added, or some rotated off? Conclusion was to block time off on the calendar every 4 months, and cancel meetings if no business exists. We can also communicate issues as they arise via listserv and Oncourse.
Reference:
http://policies.iu.edu/policies/categories/administration-operations/policy-admin/establishing-university-policies.shtml
http://policies.iu.edu/policies/categories/information-it/it/IT-28.shtml
Next Meeting: November 20, 2013
July 24, 2013
1:00pm
Poplars 017, Video Bridge 223739
Julie Aders (for Jim Kennedy)
Mark Bruhn
Eric Cosens
Tom Davis (ch)
Michael Gardner
Jeff Lambright
Dan Rives
Chris Swafford
Doug Wasitis
None
Phil Cochran
Joseph Scodro
Stew Cobine
Marcia Gonzales
Joan Hagen
Jim Kennedy
Kim Milford
Eric Swank
Chris Viers