Cybersecurity Risk and Compliance

Risk and Compliance is a function of the Cybersecurity Governance, Risk & Compliance team. It operates under the charge, obligations, provisions, and directives presented to it by the Chief Privacy & Security Officer (CPSO), and the operational provisions as directed by the Associate Director, Information Security.

What do they do?

  • Evaluate and communicate risk and compliance posture
  • Identify policy gaps
  • Advise on the disposition, handling, and resolution of compliance matters
  • Enable campus principals with accurate risk information from which they can make informed choices
  • Facilitate the risk process

Who can request work?

University administration, faculty, and staff

What should I expect?

Each service below lists what we do, followed by the performance expectations for that service.

Risk assessment / compliance review & reporting

Written review, gap report, recommendations.

  • 1-business week pick-up for requests
  • 90-day turnaround

Contract review

Written review and consultations

  • 1-business week pick-up for requests
  • 90-day turnaround

Risk and compliance consulting

Consultation, SME input

  • 1-business week response to requests
  • 3-week lead time
  • TBD turnaround (per needs)

Risk acceptance/acknowledgement process facilitation

Registered risk acceptance with the CPSO, 1 year duration

  • 1-business week pick-up for requests
  • 1-business week turnaround, assuming immediate response from risk owners

Risk assignment process

Risks accepted de facto are documented (gap report, risk report, recommendations, and assignment documentation) and assigned/presented to unit executive(s); applicable data stewards or overriding authorities also receive notification and reports.

  • As warranted (not a customer-pulled feature)
  • Varying turnaround

How do I contact Cybersecurity Risk and Compliance?


Important note for customers on intended service functions and value

Risk and Compliance’s overall function is to evaluate and communicate risk, and advise on “where the line is” as it pertains to compliance, standards, policy, and other requirements set by the university. A persistent challenge for us is that our team has often been misunderstood as an “approval/disapproval” function. We would like to be clear that “approval” is not our function, nor should our risk evaluation, consultation, or reporting be misunderstood as such. We seek to enable our customers with understanding of their posture such that they may make more informed decisions. We are not the decision-making role. That is up to university leadership authorized to decide such things.

If you are unsure who can officially accept certain risks, what the applicable processes look like, who the data stewards for certain data types are, or who the risk holder might be for an existing gap, Risk and Compliance can help.

This service/function expectations documentation is provided so that everyone who engages with it understands what any given service or function promises to do or provide, for whom, on what timeline, and how well.