Privacy Assurance and Systems Security Council

Membership Information



Organization and Authority

Governance is critical to the success of information security and privacy at UW and must be well defined. There needs to be clear direction from the executives regarding roles and responsibilities, objectives, and enforcement of information security and privacy programs. UW executives will ensure that an appropriate organizational structure exists to provide oversight and governance for information security services, related planning, and associated risk management practices.

The PASS Council is the senior governing authority for UW information security and privacy programs and will provide support and advice to the information security and privacy programs. The CISO will work with UW’s management and committees currently chartered to support UW’s business issues. These efforts will focus on the roles and responsibilities for providing the required accountable leadership/ownership and resources for the development and support of UW’s strategic information security and privacy objectives.


Scope

The PASS Council’s scope includes information security and privacy for University infrastructure technology, computerized devices, information systems, and institutional information in any form (e.g. electronic or paper).


Responsibilities

  • Advise on University-wide strategic plans for information security and privacy;
  • Develop, implement, and maintain University-wide information security and privacy policies, standards, guidelines, and operating procedures related to University institutional information, information systems, computerized devices, or infrastructure technology;
  • Approve controls or plans commensurate with asset value and risk as well as information security and privacy policy exceptions;
  • Approve data classifications according to information security and privacy policy;
  • Coordinate compliance requirements related to laws and regulations that have information security and privacy implications and impart a duty upon the University;
  • Oversee related institutional risk issues and provide appropriate recommendations in support of the University’s larger risk management programs and objectives; and
  • Recommend risk mitigation and control processes for information security and privacy incidents.