Committee on Information Technology Security (CITS)


The Committee on IT Security (CITS) is responsible for oversight of UCSF’s information security program and for ensuring alignment between the program and UCSF’s mission of advancing health worldwide through research, education, and patient care. CITS members represent schools and business units from across the enterprise, providing expert counsel to guide security strategy, assurance, compliance, and policy directing that reasonable and appropriate actions be taken to protect UCSF electronic information resources. The committee seeks to promote balance between the need for protection and the productivity needs of UCSF.


CITS’ scope includes matters of information security across the entire UCSF enterprise, including UCSF Medical Center, schools, and administrative areas, as well as affiliates accessing UCSF information resources.


  • Evaluate, author, review, and approve information security policies that address risk and align with applicable federal and state regulations, University of California policy, risk, insurance and compliance requirements
  • Review IT risk management activity across all control points, ensuring activity is in line with UCSF’s security and IT risk management strategies
  • In cases where satisfying business goals would require a significant exception to security policy (an exception that falls outside the established routine exception process), provide arbitration or make a recommendation to the Cyber Risk Responsible Executive
  • Facilitate communication between UCSF IT Security and the UCSF community
  • Ensure visibility into UCSF’s cybersecurity threats, vulnerabilities, incidents and trends for stakeholders
  • Serve as an advisory group to UCSF’s Cyber Risk Responsible Executive(s)
  • Review matters relating to digital identity and access management where there are security implications
  • Recommend annual investment priorities to UCSF IT Governance Steering Committee (ITGSC)