Committee on Cybersecurity


  • Provides oversight of UCSF’s information security program and ensures alignment of IT security policy and practice with our missions of research, education, and patient care. The Committee’s work includes risk mitigation, developing policy and standards, communicating policy and taking input from the community, and building support for activities that address cyber risk.
  • Provides guidance to UCSF’s Cyber-risk Responsible Executive (CRE) in making risk mitigation and acceptance decisions. Guidance should ensure strategies are aligned with industry best practices, business objectives, and privacy expectations. This committee is one component of UCSF’s information security risk governance framework, as required by the University of California, Office of the President (UCOP) BFB-IS-3 5.2.1.
  • The committee guides UCSF’s implementation of the systemwide information security policy, BFB-IS-3, and UCSF’s IT Operating Model recommendations and assists the Chief Information Security Officer (CISO) in executing the Information Security Management Program (ISMP) plan.

Note: This charge was approved in September 2022. Membership for Cybersecurity is still being considered. This page will be updated once the membership roster is determined.


  • Evaluate, author, and review information security policies that address risk and align with applicable federal and state regulations, UC policy, insurance, and compliance requirements. Submit new policies for approval by IT Governance Steering Committee.
  • Review and guide activity related to UCSF implementation of UCOP BFB-IS-3.
  • Identify and review campus risks related to management, storage, and use of data, especially that which contains protected information.
  • Evaluate IT risk management activities, ensuring activity follows UCSF’s ISMP.
    • Review the appropriateness of cybersecurity risk tolerances.
    • Establish an escalation protocol to manage risks that exceed maximum tolerances.
  • Review the allocation of resources in response to identified risks and recommend modifications, if appropriate.
  • Review security exception processes.
  • Represent the needs of the UCSF community in IT security discussions and decisions.
  • Ensure visibility into UCSF’s cybersecurity threats, vulnerabilities, incidents, and trends for stakeholders.
  • Review matters relating to digital identity and access management.
  • Advise ITGSC on enterprise security funding needs.
  • Review the UCSF Incident Response Plan.
  • Review major incidents and advise on corrective actions and “lessons learned” to reduce both likelihood of recurrence and potential negative impacts.