University Governance, Risk, and Compliance (GRC) Policy for Information Security

Issue/Question

Governance, Risk, and Compliance are foundational elements of a Security Program. As part of increased compliance requirements centered around risk, including third-party risk management, a policy is required.

Environment

  • Governance
  • Risk
  • Compliance
  • Third-party service providers
  • GRC
  • Security program

Cause

A formal policy laying out the USD GRC Program is required for compliance.

Resolution

1. Purpose

This policy establishes the framework for managing governance, risk, and compliance (GRC) responsibilities related to information security and data protection at the University. It designates the Chief Information Security Officer (CISO) as the official GRC Agent responsible for implementation, oversight, and continuous improvement of institutional security programs. This policy is aligned with the Center for Internet Security (CIS) Critical Security Controls Version 8.1 (CIS Controls v8.1).

2. Scope

This policy applies to all information systems, data, personnel, and third-party entities operating on behalf of the University or processing institutional data, including cloud and on-premises infrastructure. It is applicable to all faculty, staff, contractors, and institutional units of the University.

3. Policy

3.1 GRC Agent Designation

The University hereby designates the Chief Information Security Officer (CISO) as the institution’s official GRC Agent for Information Security. The CISO is responsible for:

  • Developing, maintaining, and enforcing security policies and procedures
  • Overseeing risk assessments and compliance reviews
  • Coordinating institutional responses to federal, state, and industry cybersecurity regulations (e.g., GLBA, HIPAA, FERPA, PCI-DSS)
  • Leading the implementation of the CIS Critical Security Controls (v8.1)
  • Reporting regularly to executive leadership on cybersecurity risk posture and compliance status
  • Coordinating GRC strategy and operations in alignment with the South Dakota Board of Regents (SDBOR) GRC Program and Agent

3.2 Holistic GRC Oversight Structure

To support a unified and institution-wide approach to GRC, the CISO shall:

  • Serve as the primary liaison to the SDBOR GRC Agent, participating in system-wide risk and compliance initiatives
  • Ensure consistent application of policies and controls across all academic and administrative units
  • Establish and chair a Data Governance Steering Committee that includes representation from IT, legal, audit, institutional research, and academic affairs
  • Collaborate with the University's Chief Finance Officer (CFO), Internal Auditor, and Legal Counsel to ensure all aspects of institutional risk are considered and addressed
  • Engage in quarterly joint reviews with the SDBOR GRC program to align institutional controls, data governance strategies, and risk response plans

3.3 Governance Framework

The University adopts the CIS Critical Security Controls v8.1 as the foundational framework for its cybersecurity program. These controls are organized into three implementation groups (IGs) based on institutional risk, size, and complexity. The University commits to implementing all relevant IG1 and IG2 controls as a minimum standard.

The CISO will maintain a CIS Control Implementation Tracker, mapped to specific institutional systems and owners, to track progress and identify gaps. This Tracker will be reviewed and updated biannually.

3.4 Risk Management

  • The CISO shall ensure that regular risk assessments are conducted in coordination with internal audit and compliance stakeholders.
  • Risks will be documented in an institutional Risk Register, prioritized by likelihood and impact, and assigned to responsible parties.
  • Critical and high-risk findings shall be escalated to executive leadership and communicated through the Data Governance Steering Committee and ITS Leadership.
  • Risk findings will be integrated with the SDBOR risk management dashboard and reported through formal governance channels.

3.5 Compliance Monitoring

The GRC Agent shall:

  • Monitor and interpret evolving regulatory requirements
  • Conduct periodic compliance reviews in coordination with the SDBOR
  • Maintain records of policy exceptions, incidents, and risk decisions
  • Coordinate institutional responses to regulatory audits and assessments, including those driven by SDBOR policy
  • Track key compliance indicators using dashboards integrated with system-level reporting

3.6 Roles and Responsibilities

  • CISO (GRC Agent): Leads GRC program and serves as primary institutional authority on information security governance and risk management. Coordinates reporting and alignment with SDBOR.
  • IT Units and Data Stewards: Assist in implementing CIS controls and reporting compliance gaps.
  • Internal Audit, Legal, and Compliance: Collaborate on risk mitigation, incident handling, and regulatory adherence.
  • SDBOR GRC Agent: Provides oversight, system-level coordination, and inter-campus alignment.

4. Enforcement

Non-compliance with this policy may result in disciplinary action, up to and including termination of access to institutional systems and/or employment. Third-party vendors found in violation may be subject to contract termination.

5. References

  • Center for Internet Security (CIS) Controls v8.1
  • University Information Security and Data Responsibilities Policy (USD Policy 5003)
  • GLBA Safeguards Rule
  • HIPAA Security Rule
  • FERPA
  • PCI-DSS v4.0
  • South Dakota Board of Regents GRC Framework and Requirements

6. Review and Revision

This policy shall be reviewed annually by the CISO and revised as needed based on changes in technology, threat landscape, institutional strategy, or regulatory requirements. Annual updates shall be shared with the SDBOR GRC program for joint review and system-wide alignment.