Cyber Risk Committee Charter

CABINET HAS ADOPTED THE CYBER RISK COMMITTEE CHARTER OF BRYANT UNIVERSITY.

Purpose and Policy

The Cyber Risk Committee’s primary purpose shall be to act on behalf of Cabinet in fulfilling its oversight responsibility with respect to the university’s information technology use and protection, including but not limited to data governance, privacy, compliance, and cybersecurity.

Composition

The Committee shall consist of at least one senior member form each university division. Cabinet shall appoint members, fill vacancies occurring on the Committee, and designate the Chair of the Committee.

Responsibilities

The Committee shall be responsible for the following:

  • Data Governance – To oversee the university’s management policies and procedures dealing with cyber risk identification and risk assessment regarding the cybersecurity and principal operational and business risks facing the university, whether internal or external in nature; and review and approve changes to such policies.
  • Information Technology – To oversee the quality and effectiveness of security controls with respect to its information technology systems, network security and data security.
  • Periodically review cyber risk exposures of the university, the steps the university has taken to monitor and control such exposures, and the university’s compliance with applicable information security and data protection laws and industry standards.
  • Incident Response – To review and provide oversight on the policies and procedures of the university in preparation for responding to any cyber security incidents.
  • Business Resilience – To review periodically the university’s disaster recovery, business continuity and business resiliency capabilities. Perform an annual tabletop exercise for at least one business function (i.e., Admission, Finance, Human Resources, etc.).
  • Review or discuss any comments or recommendations of outside experts with regard to cybersecurity and other major risk exposures, and, if appropriate, approve a schedule for implementing any recommended changes and monitor compliance with such schedule.

Meetings and Minutes

The Committee shall hold such regular or special meetings as its members shall deem necessary or appropriate. Minutes of each committee meeting shall be prepared and sent to the CIO to disseminate to Cabinet. The CIO and Committee will develop metrics conveying the security posture to Cabinet. Bryant’s posture is measured by performing periodic risk assessments of applicable controls designed to mitigate risk within their risk register.

All employees that are not members of the Committee may attend meetings of the Committee. Additionally, the Committee may invite to its meetings any member of the university, and such other persons as it deems appropriate to carry out its responsibilities.