FY 22 NMSU System IT and Data Security, Privacy and Compliance Committee Report

Fiscal Year 2022

Your Name (Point of Contact):

CARLOS LOBATO

Email (Point of Contact):

clobato@nmsu.edu

Is this board being dissolved?:

No

Authorizing body or official:

Chancellor

Type of Board:

Adhoc

Scope of Impact:

System

Board Purpose:

"The IT and Data Security, Privacy and Compliance Committee (the Committee) is formally established by the Office of the Chief Information Officer (CIO) to assist in the implementation and maintenance of an institutional data privacy & security compliance program, which is a regulatory requirement. The Committee is formed to assist in the identification, assessment, and resolution of issues regarding institutional data privacy regulatory requirements, to promote proper data safeguards, and aid the NMSU community in managing institutional data security related risks.

Institutions participating in Title IV federal financial aid programs are required to comprehensively protect student financial aid data and personally identifiable information (PII). This program is driven and governed by legal and regulatory requirements included in its Program Participation Agreement (PPA) with the U.S. Department of Education (ED), consisting of the Family Educational Rights and Privacy Act (FERPA), the Gramm-Leach-Bliley Act (GLBA), the Federal Information Security Management Act (FISMA), the Health Insurance Portability and Accountability Act (HIPAA), and other regulations (e.g. the Federal Trade Commission’s Safeguards Rule and Privacy Rule). A comprehensive understanding and management of diverse and dynamic regulatory requirements is necessary in order to navigate and meet regulations in a business-aligned and cost-conscious manner. "

Board Authority:

Decision-making

Current Chair / Term Ends:

Ongoing

Describe the process for selecting the chair :

Chief Information Security Officer (CISO) is the chair and Chief Privacy Officer serves as co-chair in the absence of CISO>

Incoming Chair / Term Begins (if applicable) :

How are the chair and members appointed?:

Combination

Are members subject to a term appointment (three years or less)?:

No

What university function/office is responsible for future appointments?:

Chief Information Security Officer

What university office/function provides administrative support to this board or committee?:

ICT

How often will this board or committee meet?:

On a quarterly basis.

Are there any requirements for the number of meetings to be held?:

No

In the past fiscal year, what accomplishments have been made? (if applicable):

The committee assisted in completion of an IT & data risk assessment for the entire NMSU system. This is a requirement of a federal privacy regulation (GLBA) and recommended by others such as FERPA, FISMA, HIPAA, etc.