Committee Charge

The IRPSC oversees committees, existing or developed, that serve as inputs to its overall scope. Active committees established prior to the university-wide IT Governance (ITG) framework that wish to provide input or integrate into the IRPSC require approval by the Strategic IT Committee (SITC) to be recognized in the ITG framework.

New committees, task forces, IT Communities of Practice (ITCoPs) or Stakeholder Steering Groups (ITSsGs) may be created by the IRPSC.

The IRPSC produces the following outputs, including, but not limited to:

  • Periodically review and monitor the campus information security and privacy programs to ensure adequate transparency on how personal information is protected, what data is collected about electronic activities of individuals and how such data is used.
  • Solicit input and comment for proposed standards from information resource managers across the university prior to publication of proposed standards.
  • Approve privacy and information security policies and standards, including evaluation of risks as well as costs and benefits of mitigation, considering workload impact across campus. Following IRPSC approval, information security and privacy policies are referred to University Risk and Compliance for formal authorization where applicable.
  • Propose new or modified standards/controls developed by the Division of IT Risk Management and Policy personnel in the office of the Chief Information Security Officer.
  • Monitor and direct continual service improvement efforts toward the Texas A&M University Control Catalog in alignment with NIST SP 800-53 Rev. 4 and Texas Administrative Code 202 (§202.76).
  • Interpret and apply Information Resource policy, and adjudicate conflicts between campus initiatives and regulatory compliance requirements.
  • Escalate and/or approve issues that do not conform to university information security and privacy practices, e.g., vendor terms and conditions, contracts and services incompatible with information resource policy.
  • Recommend prioritization of resources and determination of campus response to address information risk situations.
  • Authorize protocols for handling information security and privacy policy exception requests, appeals and escalations, e.g., thresholds for delegation to management.
  • Handle exception appeals and non-compliance regarding security standards and policy, including decisions on whether the presenting risk warrants removal of the non-compliant systems from the network or removal of institutional data from the non-compliant systems, and adoption and delegation of procedures for handling common non-compliance issues that may be delegated to management processes.
  • Develop continual service improvement outcomes to enhance the awareness and effectiveness of information risk, policy and security topics across the university.

The IRPSC votes and makes decisions within the above charge and scope. The IRPSC receives the following inputs, including, but not limited to:

  • Recommendations and decisions that are out of scope for the following committees:
    • Strategic IT Committee (SITC)
    • Architecture & Infrastructure Committee (AIC)
    • Research & Innovative Technologies Committee (RITC)
    • Teaching & Transformational Learning Technologies Committee (TTLTC)
    • Enterprise Applications Committee (EAC)
  • Recommendations for the development of policy, procedure or security actions from the following bodies:
    • Architecture & Infrastructure Committee (AIC)
    • Research & Innovative Technologies Committee (RITC)
    • Teaching & Transformational Learning Technologies Committee (TTLTC)
    • Enterprise Applications Committee (EAC)
    • University Rules Team
    • Enterprise Risk Management Group
  • Any recognized ITG input body.
  • Analysis activities and recommendations requested by any ITG committee.

Policy, Decisions and Exception Facilitation

The Vice President for IT and Chief Information Officer (CIO) acts with signature authority on all policy and control documents within the information resources domain prior to finalization with the Texas A&M University Compliance Program.

The IRPSC reviews and decides on exception requests to information security controls and standard administrative procedures in the domain of information technology. Exceptions will be documented in a consistent format and stored in a secure document repository. The Texas A&M University Chief Information Security Officer (CISO) acts as the final approving agent for exception requests reviewed by the IRPSC.

University Representation

Permanent Voting Members

  • Texas A&M University Chief Information Security Officer
  • 1 Division of Student Affairs IT Representative (By appointment of the Vice President for Student Affairs)
  • 1 Division of IT Representative (By appointment of the Vice President for IT and CIO)
  • 1 Vice President for Research Representative (By appointment of the Vice President for Research)
  • 1 Academic Services IT Representative (By appointment of the Vice President for Enrollment and Academic Services)
  • 1 Division of Finance and Administration IT Representative (By appointment of the Executive Vice President for Finance and Operations and Chief Financial Officer (CFO))
  • 4 IT Representatives (By appointment of the Vice President for IT and CIO)
  • 3 Faculty Members (By appointment of the Provost)
  • 1 Texas A&M Health Science Center Representative (By appointment of the Vice President for IT and CIO)

Ex-officio Members

  • Texas A&M University Risk and Compliance Representative
  • Texas A&M University System Office of General Counsel Representative
  • Division of IT - Associate Director for Security Operations
  • Division of IT - Risk, Management and Policy Representative
  • Chairperson - Architecture & Infrastructure Committee (AIC)
  • Chairperson - Enterprise Applications Committee (EAC)

Terms and Procedures

Chairperson: A chairperson shall be elected during the July meeting of each year, serving a one-year term that begins during the September RITC meeting.

Member Terms: Each member will serve a two-year term beginning in September and ending in July during the second year of membership. The Chairperson will request up to three members to serve a second term to ensure continuity of experience in the committee. Supplemental term information is available in the Schedule of Terms.

Ex-Officio Members: The Associate Vice President for University Risk and Compliance shall appoint a University Risk and Compliance representative to serve as an ex-officio member. The Division of IT Associate Director for Security Operations, along with the Chairpersons of the Architecture & Infrastructure Committee and Enterprise Applications Committee, shall serve as ex-officio members. The CISO will also appoint a Division of IT Risk, Management and Policy representative.

Meeting frequency: The IRPSC meets bi-monthly on the third Tuesday of January, March, May, July, September and November. The committee will determine modifications to the meeting schedule as needed based on current activities.

Reporting: The Office of the CIO will report on decisions and maintain electronic communication mediums for distributing university-wide information for the IRPSC.

Documentation of proceedings: All meetings will have minutes of discussions, decisions and action items that are published within two weeks of the proceeding.

Voting: Each permanent attending member shall have one vote counting toward a decision/vote, where a quorum of seven is needed from within the 14 permanent attending members. The Vice President for IT and CIO shall have final authority in the endorsement of an IRPSC decision/vote.

Research and Supplemental Input Mechanisms: The committee may establish, at its discretion, additional ad hoc committees, task forces, ITCoPs or ITSsGs, as needed.