Meeting Schedule:
Monthly on the 4th Tuesday (2nd Tuesday in November and December).


About IRPSC

The Information Risk, Policy & Security Committee (IRPSC) is charged with providing oversight and support of Texas A&M University information security by:

  • Authoring privacy-related policies, procedures and security initiatives
  • Recommending strategic direction on campus information security and data privacy-related work to ensure that it supports the university mission.

The IRPSC works in close collaboration with the University Rule Team and Enterprise Risk Management Group within the Office of University Risk and Compliance.

Committee Information

Committee Objectives

  • Assess security risks and identify security tools to be standardized across the University.
  • Identify strategies for applying HIPAA, including protecting PHI and PII data.
  • Identify strategies for addressing the impact of Controlled Unclassified Information (CUI).
  • Develop a security program designed to raise the security posture of the university.

Subcommittees & Task Forces

Minutes *

No minutes yet this year.

* Minutes may be redacted for security reasons

Decisions

Committee decisions and actions.


Members

Permanent Voting Members

  • Dr. Paul Wellman - IT Representative (Chairperson)
  • Dr. Michael Sardaryzadeh - Texas A&M University - Chief Information Security Officer
  • Deena McConnell - Academic Services IT Representative
  • Adam Mikeal - Division of IT Representative
  • Aaron Brender - Division of Research Representative
  • Dale Cook - Division of Finance and Operations IT Representative
  • Katherine Rojo Del Busto - IT Professional Representative
  • John Kovacevich - IT Professional Representative
  • Dr. Paula deWitte - Faculty Member Representative
  • Lori Williams - Athletics Representative
  • Jacob Mclean - Student Representative

Ex-officio Members

  • Margaret "Peggy" Zapalac - Texas A&M University Risk and Compliance Representative
  • Joe Mancha - Division of IT - Security, Risk Management, and Policy Representative
  • Matt Walton - Texas A&M Health Risk and Compliance Representative
  • Cheryl Cato - Chairperson - Architecture & Infrastructure Committee
  • Dr. Jon Jasperson - Chairperson - Enterprise Applications Committee
  • John Pryde - Privacy Officer
  • Melia Jones - A&M System Office of General Counsel Representative
  • Cynthia Kauder - Division of IT - Electronic and Information Resources (EIR) Accessibility Coordinator

Committee Charge

The IRPSC oversees committees, existing or newly developed, that serve as inputs to its overall scope. Active committees established prior to the university-wide IT Governance (ITG) framework that wish to provide input to or integrate into the IRPSC require approval by the Strategic IT Committee (SITC) to be recognized in the ITG framework.

New committees, task forces, IT Communities of Practice (ITCoPs) or Stakeholder Steering Groups (ITSsGs) may be created by the IRPSC.

The outputs of the IRPSC include, but are not limited to, the following:

  • Periodically review and monitor the campus information security and privacy programs to ensure adequate transparency on how personal information is protected, what data is collected about electronic activities of individuals and how such data is used.
  • Solicit input and comment for proposed standards from information resource managers across the university prior to publication of proposed standards.
  • Approve privacy and information security policies and standards, including evaluation of risks as well as costs and benefits of mitigation, considering workload impact across campus. Following IRPSC approval, information security and privacy policies are referred to University Risk and Compliance for formal authorization where applicable.
  • Propose new or modified standards/controls developed by the Division of IT Risk Management and Policy personnel in the office of the Chief Information Security Officer.
  • Monitor and direct continual service improvement efforts toward the Texas A&M University Control Catalog in alignment with NIST SP 800-53 Rev. 4 and Texas Administrative Code 202 (§202.76).
  • Interpret and apply Information Resource policy, and adjudicate conflicts between campus initiatives and regulatory compliance requirements.
  • Escalate and/or approve issues that do not conform to university information security and privacy practices, e.g., vendor terms and conditions, contracts and services incompatible with information resource policy.
  • Recommend prioritization of resources and determination of campus response to address information risk situations.
  • Authorize protocols for handling information security and privacy policy exception requests, appeals and escalations, e.g., thresholds for delegation to management.
  • Handle exception appeals regarding security standards and policy, considering whether the presenting risk warrants removing non-compliant systems from the network or removing institutional data from those systems; adopt and delegate procedures for handling common non-compliance issues that may be handled through management processes.
  • Develop continual service improvement outcomes to enhance the awareness and effectiveness of information risk, policy and security topics across the university.

The IRPSC votes and makes decisions within the above charge and scope. The inputs to the IRPSC include, but are not limited to, the following:

  • Recommendations and decisions that are out of scope for the following committees:
    • Strategic IT Committee (SITC)
    • Architecture & Infrastructure Committee (AIC)
    • Research & Innovative Technologies Committee (RITC)
    • Teaching & Transformational Learning Technologies Committee (TTLTC)
    • Enterprise Applications Committee (EAC)
  • Recommendations for the development of policy, procedure or security actions from the following bodies:
    • Architecture & Infrastructure Committee (AIC)
    • Research & Innovative Technologies Committee (RITC)
    • Teaching & Transformational Learning Technologies Committee (TTLTC)
    • Enterprise Applications Committee (EAC)
    • University Rules Team
    • Enterprise Risk Management Group
  • Any recognized ITG input body.
  • Analysis activities and recommendations requested by any ITG committee.

Policy, Decisions and Exception Facilitation

The Vice President for IT and Chief Information Officer (CIO) acts with signature authority on all policy and control documents within the information resources domain prior to finalization with the Texas A&M University Compliance Program.

The Texas A&M University Chief Information Security Officer (CISO) acts as the final approving agent for exception requests reviewed by the IRPSC. Exceptions will be documented in a consistent format and stored in a secure document repository. 

University Representation

Permanent Voting Members

  • Texas A&M University Chief Information Security Officer
  • 1 Division of IT Representative (By appointment of the Vice President for IT and CIO)
  • 1 Vice President for Research Representative (By appointment of the Vice President for Research)
  • 1 Academic Services IT Representative (By appointment of the Vice President for Enrollment and Academic Services)
  • 1 Division of Finance and Operations IT Representative (By appointment of the Executive Vice President for Finance and Operations and Chief Financial Officer (CFO))
  • 4 IT Representatives (By appointment of the Vice President for IT and CIO)
  • 2 Faculty Members (By appointment of the Vice President for IT and CIO)
  • 1 Athletics Representative (By appointment of the Vice President for IT and CIO)
  • 1 Undergraduate Student Representative (By appointment of the Student Government Association President)

Ex-officio Members

  • Texas A&M University Risk and Compliance Representative
  • Texas A&M Health Associate Vice President for Risk and Compliance
  • Texas A&M Privacy Officer
  • Texas A&M University System Office of General Counsel Representative
  • Division of IT - Risk, Management and Policy Representative
  • Division of IT - Electronic and Information Resources (EIR) Accessibility Coordinator
  • Chairperson - Architecture & Infrastructure Committee (AIC)
  • Chairperson - Enterprise Applications Committee (EAC)

Terms and Procedures

Chairperson: A chairperson shall be elected during the July meeting of each year, serving a one-year term that begins during the September RITC meeting.

Member Terms: Each member will serve a two-year term beginning in September and ending in July during the second year of membership. The Chairperson will request up to three members to serve a second term to ensure continuity of experience in the committee. Supplemental term information is available in the Schedule of Terms.

Ex-Officio Members: The Associate Vice President for University Risk and Compliance shall appoint a University Risk and Compliance representative to serve as an ex-officio member. The Division of IT Associate Director for Security Operations, along with the Chairpersons of the Architecture & Infrastructure Committee and Enterprise Applications Committee, shall serve as ex-officio members. The CISO will also appoint a Division of IT Risk, Management and Policy representative.

Meeting frequency: The IRPSC meets bi-monthly on the third Tuesday of January, March, May, July, September and November. The committee will determine modifications to the meeting schedule as needed based on current activities.

Reporting: The Office of the CIO will report on decisions and maintain electronic communication mediums for distributing university-wide information for the IRPSC.

Documentation of proceedings: All meetings will have minutes of discussions, decisions and action items that are published within two weeks of the proceeding.

Voting: Each permanent attending member shall have one vote counting toward a decision/vote, where a quorum of seven is needed from within the 14 permanent attending members. The Vice President for IT and CIO shall have final authority in the endorsement of an IRPSC decision/vote.

Research and Supplemental Input Mechanisms: The committee may establish, at its discretion, additional ad hoc committees, task forces, ITCoPs or ITSsGs, as needed.


Questions about IT Governance can be submitted to: itgovernance@tamu.edu