Technology and Information Security Council (TISC)
Mission
The mission of the Technology and Information Security Council (TISC) is to oversee, develop and maintain an enterprise, system-wide information security (IS) program designed to ensure the confidentiality, integrity and availability of UW System Administration (UWSA) and institutions’ information assets from unauthorized access, loss, alteration or damage while supporting the open, information-sharing needs of the academic environment. The TISC leverages the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) to comprehensively address controls across multiple areas of IS.
Vision and Goals
The vision of the TISC is to enable the instruction, research, extended training and public service mission of the UW System and its institutions by delivering a robust and reliable IS environment that inspires innovation, collaboration and trust. TISC aims to effectively manage IS risks to its assets and the UW System community through the following over-arching goals:
- Prevent data loss or compromise that could otherwise result in significant risk to highly sensitive/personal or institutional data or reputation;
- Improve security of critical system and network services through enterprise, defense-in-depth approaches to reduce risks commonly associated with disaggregated computing environments;
- Proactively assess, reduce and manage risk in a manner that enables data/system owners, administrators and the larger UW System community to be more aware of the risks that their information assets are vulnerable to, identify controls to reduce those risks, and understand what risks remain after any identified controls have been implemented; and
- Enhance crisis and IS incident response/management to enable the UW System to quickly recover its information assets in the event of a catastrophic event and to manage IS events more efficiently and effectively, thereby reducing or minimizing the damages to the UW System community.
Purpose
The primary purpose of the TISC is to provide governance for, and advise the implementation of, an effective IS program throughout UW System. In this role, TISC provides UW System leadership with advice and recommendations related to IS issues and initiatives and defines the fundamental principles for the protection of UW System information assets, and the proper controls needed to ensure compliance with internal and external regulations to uphold UW System’s security posture and reputation.
Sponsorship
The UW System Associate Vice President (AVP) for Information Security serves as the Sponsor for the TISC.
Responsibilities
TISC responsibilities include but are not limited to:
- Review on-going and emerging threats and technologies; determine impact and action, if required;
- Develop and maintain IS policies and standards;
- Provide preliminary assessment and feedback on costs, value and impact of IS policy implementation and revisions at member home institutions;
- Assist in the technical coordination and implementation of IS initiatives across the UW System;
- Provide feedback and recommendations on technical IS related issues, policies, and IS requirements associated with software and hardware procurement;
- Discuss and make recommendations on solutions for findings identified through various assessment mechanisms (internal/external audits, vulnerability assessments, penetration tests);
- Provide IS leadership at member home institutions;
- Communicate effectively with Chief Information Officers (CIOs) and key stakeholders at member home institutions;
- Coordinate system-wide communication and training initiatives in IS best practices and standards as needed;
- Create working groups as needed to support TISC’s responsibilities, including a technical exchange group where security teams from each institution can gather and share ideas and strategies for emerging and continuing information security and protection issues, if required;
- Vouch for members to be XSec members of REN-ISAC.
Organization and Membership
Institution CIOs or their designees will select a member of their institution to serve as a member of TISC. UW Shared Services (UW-SS) and each of the 13 comprehensive institutions are expected to identify a single member. Members representing UWSA will be chosen at the discretion of the TISC Sponsor. Institution-designated members should have formal training or professional experience in information security and have an information security role at their home institution. Members will be the institution’s primary information security contact for TISC. There is no set membership duration term.
Each TISC member, or a proxy identified by the TISC member, is expected to annually vote for the next Vice Chair position. Members representing more than one institution will be able to cast votes on behalf of each institution they represent. The TISC Sponsor will cast a vote only in the event of a tie and designates the UW System Director of Information Security as the voting member for UWSA.
The TISC will elect a Vice Chair to serve a one-year term the following calendar year. The Vice Chair will transition to the Chairperson role at the end of their Vice Chair term. The TISC Sponsor will appoint a secretary each year who may come from UWSA or one of the member home institutions. TISC may create other positions as necessary to efficiently meet its responsibilities.
Members are expected to be open to other members’ opinions and philosophies related to information security and to consider all information available when discussing information security topics. When appropriate, staff who are specialists in their areas (SFS, HRS, IAM, legal, networking, encryption, etc.) should be consulted and included in discussions or on subcommittees (if formed). Security personnel from SFS and HRS shall be designated as adjunct TISC members.
The nature of TISC’s work is highly confidential. Members therefore must agree to maintain confidentiality rules regarding the sharing of information outside of the TISC membership. Members are also expected to become XSec members of REN-ISAC (https://www.ren-isac.net/membership/how-it-works.html).