An NSHE-wide governance structure establishes and maintains the alignment of information security strategies with organizational goals and objectives, assures consistency with applicable laws and regulations, and provides accountability, responsibility, and authority necessary to manage cybersecurity risk.  In response to the challenge of reducing cybersecurity risk and improving system-wide information security, an information security governance structure has been established.

NSHE Information Security Governance Model


The four pillars of this governance structure include:

  1. An Information Security Steering Committee to set goals and priorities for the information security program based on NSHE priorities and regulatory requirements.  This group is composed of representatives from each NSHE institution who provide a high level of knowledge of institutional objectives and are influential across a wide spectrum of campus issues.  In keeping with the requirement for a broad perspective, membership is drawn from both technical and non-technical areas.
  2. An Information Security Officers Council to serve as the working group for information security issues.  This group is composed of President-appointed representatives who have been identified as having the responsibility for information security issues at each institution.  The members are tasked with implementing and delivering elements of the NIST Cybersecurity Framework, examining potential avenues for shared services where appropriate, reviewing security policy and drafting proposals, and productively engaging in knowledge sharing for our common benefit.
  3. The NSHE Chief Information Security Officer is responsible for implementing and managing the security governance process and for advocating the information security program throughout the System.
  4. Internal Audit verifies that the reported security controls are being executed as stated and looks for deficiencies in security that need to be addressed to improve the overall security posture of the organization.