Information Risk Management Board
The Information Risk Management Board (IRMB) is empowered to manage technology risk for the University. This board is co-chaired by the Chief Information Security Officer and General Counsel. Membership includes representation from each vice presidential area, as well as a faculty representative. Support members of the IRMB include the directors of Information Security and Assurance.
Scope and Objectives of the IRMB
- The Information Security and Assurance office regularly reports identified risks to the IRMB. These risks are evaluated using qualitative binary risk analysis to determine the likelihood and impact of each risk.
- The IRMB, depending on the severity of the risk, may choose to perform one of the following actions:
  - Avoid the risk: abandon action that causes the risk.
  - Mitigate the risk: take actions to lower the risk to acceptable levels.
  - Accept the risk: sign off that the risk is acceptable.
  - Transfer the risk: have a third party manage the risk.
- The IRMB will attempt to prioritize the risks that need to be mitigated, because the resources needed to perform every mitigation and lower risk in a timely manner may not be available.
- High and very high risks may be escalated to the Administrators Conference and/or the Board of Trustees, as required.
- All decisions of the IRMB will be reflected in the meeting minutes. These minutes will serve as documentation as to the disposition of the risk.
For more information about the IRMB, contact Information Security and Assurance at [email protected]