Roles

Everyone has a role to play, whether it is preventing a phishing attack, securing a system, protecting data privacy, or prioritizing risks for the University.

The University's information security and data privacy program requires a coordinated effort involving several roles and governing groups, each of which plays a crucial part in ensuring the program's effectiveness.

Individual Roles

Teams

Governance Groups

While the functional "PrivSec" program has been combined, the University's governing groups still function independently.

HUIT Governance

Information Security Oversight Committee (ISOC)

  • The Information Security Oversight Committee will serve as the highest-level decision-making group on information security issues at the University. The ISOC is charged with understanding, on behalf of the University, what the biggest information security risks are, how those risks are evolving, and how well positioned the University is to address those risks. The committee will prioritize University needs for policy, people, process, and technology solutions to meet emerging and ongoing risks.

Information Security Advisory Committee (ISAC)

  • The University Information Security Advisory Council advises the University Chief Information Security and Data Privacy Officer (CISDPO) and the Information Security and Data Privacy (ISDP) team. This includes advising and guiding security policies and strategies to secure and protect information in all areas of the University. As needed, ISAC will appoint working groups to lead specific information security initiatives.

Electronic Communications Policy Oversight Committee (ECPOC)

Privacy Regulation Advisory Council (PRAC)

  • The Privacy Regulation Advisory Committee previously served as a GDPR working group, formed in 2018 to advise and address the University's compliance with GDPR. The committee is composed of members of the OGC and stakeholders from across the University. The group is charged with advising and assisting the ISDP team regarding all privacy-related legal and regulatory compliance obligations.

Faculty Risk Advisory Panel (FRAP)

  • The Faculty Risk Advisory Panel comprises key faculty members with expertise in privacy and cybersecurity. FRAP meets annually to review the University's PrivSec program and provide guidance from the faculty perspective.

University Risk Management Council (URMC)

  • The University Risk Management Council administers a structured approach to risk management that identifies and manages, to an acceptable level, the key risks that may adversely affect the University’s ability to achieve its goals and objectives. The Council reports to the President and the Harvard Corporation's Joint Committee on Inspection regarding the effectiveness of the University’s risk management program. The URMC works with Harvard's schools and central administration units on continuous improvement of the University’s capabilities around managing priority risks.

Joint Committee on Inspection (JCI)

  • The Harvard Corporation's Joint Committee on Inspection is an audit committee composed of Corporation members and Overseers, responsible for reviewing and making annual reports on Harvard's financial and operational matters.

The Committee to Visit Information Technology (ITVC)

  • The Committee to Visit Information Technology at Harvard convenes every two years to assess and recommend improvements to the University's IT strategy. After each visit, the committee submits a report with evaluations and recommendations to the Board of Overseers and key University leaders, ensuring alignment with Harvard's overall priorities.