Meeting Schedule:
4th Wednesday of September, November, February, April, June


About SPC

The Security and Policies Committee (SPC) is charged with providing oversight and support of Texas A&M University information security by:

  • Authoring privacy-related policies, procedures, and security initiatives
  • Recommending strategic direction on campus information security and data privacy-related work to ensure that it supports the university mission.

The SPC works in close collaboration with the University Rule Team and Enterprise Risk Management Group within the Office of University Risk and Compliance.

Committee Information

Committee Objectives

Coming soon.

Operational Groups

Minutes *

View all minutes
* Minutes may be redacted for security reasons

Documents

There are no documents.

Decisions

No decisions have been posted yet.

Members

Permanent Members (Voting)

  • Dr. Dwayne Whitten - IT Security Faculty Representative (Chair)
  • Aaron Brender - Division of Research Representative
  • Dr. Danny Davis - Faculty Senate Representative
  • John Kovacevich - IT Professional Representative
  • Kristen Kubenka - Division of IT, IT Security Representative
  • Michael Leary - IT Professional Representative
  • Adam Mikeal - Division of IT Representative
  • Kyle Page - Academic IT Services Representative
  • Josh Shepard - Transportation Services Representative
  • Michael Thompson - Texas A&M Athletics Representative
  • Garrett Yamada - IT Professional Representative

Ex-officio Members (Voting)

  • Cynthia Kauder - Division of IT - Electronic and Information Resources (EIR) Accessibility Coordinator
  • Kate Pharr - A&M System Office of General Counsel Representative
  • John Pryde - Privacy Officer
  • Dr. Michael Sardaryzadeh - Chief Information Security Officer & Associate Vice President
  • Matt Walton - Texas A&M Health Risk and Compliance Representative
  • Margaret "Peggy" Zapalac - Texas A&M University Risk and Compliance Representative

Committee Charge

The SPC oversees committees, existing or newly developed, that serve as inputs to its overall scope. Active committees established prior to the university-wide IT Governance (ITG) framework that wish to provide input to or integrate into the SPC require approval by the CIO and Strategic Chairs Committee (CSCC) to be recognized in the ITG framework.

New operational groups, task forces, IT Communities of Practice (ITCoPs) or Stakeholder Steering Groups (ITSsGs) may be created by the SPC.

The SPC produces the following outputs, including, but not limited to:

  • Periodically review and monitor the campus information security and privacy programs to ensure adequate transparency on how personal information is protected, what data is collected about electronic activities of individuals and how such data is used.
  • Solicit input and comment for proposed standards from information resource managers across the university prior to publication of proposed standards.
  • Approve privacy and information security policies and standards, including evaluation of risks as well as costs and benefits of mitigation, considering workload impact across campus. Following IRPSC approval, information security and privacy policies are referred to University Risk and Compliance for formal authorization where applicable.
  • Propose new or modified standards/controls developed by the Division of IT Risk Management and Policy personnel in the office of the Chief Information Security Officer.
  • Monitor and direct continual service improvement efforts toward the Texas A&M University Control Catalog in alignment with NIST SP 800-53 Rev. 4 and Texas Administrative Code 202 (§202.76).
  • Interpret and apply Information Resource policy and adjudicate conflicts between campus initiatives and regulatory compliance requirements.
  • Escalate and/or approve issues that do not conform to university information security and privacy practices, e.g., vendor terms and conditions, contracts and services incompatible with information resource policy.
  • Recommend prioritization of resources and determination of campus response to address information risk situations.
  • Authorize protocols for handling information security and privacy policy exception requests, appeals and escalations, e.g., thresholds for delegation to management.
  • Handle exception appeals regarding security standards and policy, considering whether the presenting risk warrants removal of the non-compliant systems from the network or removal of institutional data from the non-compliant systems, and adoption and delegation of procedures for handling common non-compliance issues that may be delegated to management processes.
  • Develop continual service improvement outcomes to enhance the awareness and effectiveness of information risk, policy, and security topics across the university.

The SPC votes and makes decisions within the above charge and scope. The SPC receives the following inputs, including, but not limited to:

  • Recommendations and decisions that are out of scope for the following committees:
    • CIO and Strategic Chairs Committee (CSCC)
    • Research Technologies Committee (RTC)
    • Enterprise Services Committee (ESC)
    • Student and Academic Technologies Committee (SATC)
  • Recommendations for the development of policy, procedure, or security actions from the following bodies:
    • Research Technologies Committee (RTC)
    • Enterprise Services Committee (ESC)
    • University Rules Team
    • Enterprise Risk Management Group
  • Any recognized ITG input body.
  • Analysis activities and recommendations requested by any ITG committee.

Policy, Decisions and Exception Facilitation

The Vice President for IT and Chief Information Officer (CIO) acts with signature authority on all policy and control documents within the information resources domain prior to finalization with the Texas A&M University Compliance Program.

The Chief Information Security Officer (CISO) acts as the final approving agent for exception requests reviewed by the SPC. Exceptions will be documented in a consistent format and stored in a secure document repository. 

University Representation

Permanent Members (Voting)

  • 1 Division of IT Representative (By appointment of the Vice President for IT and CIO)
  • 1 Division of IT, IT Security Representative (By appointment of the Chief Information Security Officer)
  • 1 Division of Research IT Representative (By appointment of the Vice President for Research)
  • 1 Academic Services IT Representative (By appointment of the Vice President for Enrollment and Academic Services)
  • 4 IT Representatives (By appointment of the Vice President for IT and CIO)
  • 2 Faculty Members (By appointment of the Vice President for IT and CIO)
  • 1 Transportation Services Representative (By appointment of the Associate Vice President for Transportation)

Ex-officio Members (Voting)

  • Chief Information Security Officer & Associate Vice President
  • Texas A&M University Risk and Compliance Representative
  • Texas A&M Health Associate Vice President for Risk and Compliance
  • Texas A&M Privacy Officer
  • Texas A&M University System Office of General Counsel Representative
  • Division of IT - Electronic and Information Resources (EIR) Accessibility Coordinator

Terms and Procedures

Chair and Chair-Elect: A new chair-elect shall be elected during the first meeting of each year. The chair-elect serves a one-year term that begins during the September meeting, followed by a one-year term as the chair.

Member Terms: Each member will serve a one-year term beginning in September and ending in August. The Chairperson will request up to three members to serve a second term to ensure continuity of experience in the committee.

Ex-Officio Members: The Associate Vice President for University Risk and Compliance shall appoint a University Risk and Compliance representative to serve as an ex-officio member. The CISO shall appoint a Division of IT, IT Security representative. The Office of General Counsel shall appoint a representative to serve as an ex-officio member. The Privacy Officer, Texas A&M Health Associate Vice President for Risk and Compliance, and EIR Accessibility Coordinator shall serve as ex-officio members.

Meeting Frequency: The SPC meets on the fourth Tuesday of September, November, February, April, and June. The committee will determine modifications to the meeting schedule as needed based on current activities.

Reporting: The Office of the CIO will report on decisions and maintain electronic communication mediums for distributing university-wide information for the SPC.

Documentation of Proceedings: All meetings will have minutes of discussions, decisions and action items that are published within two weeks of the proceeding.

Voting: Each permanent attending member shall have one vote counting toward a decision/vote, where a quorum is half of the permanent attending members. The Vice President for IT and CIO shall have final authority in the endorsement of an IRPSC decision/vote.

Research and Supplemental Input Mechanisms: The committee may establish, at its discretion, additional operational groups, task forces, ITCoPs or ITSsGs, as needed.


Questions about IT Governance can be submitted to: itgovernance@tamu.edu