Security Governance

August 3, 2018


The purpose of the Security Governance Policy is to define St. George’s University, University Support Services, and any other operating units of Medforth Global Healthcare Education Group LP identified by management (collectively, the Enterprise) model for security decision-making, specifically by escalating all major security decisions to the Enterprise’s Cyber Security Committee. This Policy will describe the responsibilities of the Cyber Security Committee and outline how it interacts with executive management to guide the Enterprise’s security program as a whole.


This policy applies to all governance processes, including:

  • Creation or modification of Enterprise security policy
  • Prioritization of Enterprise security goals
  • Allocation of technological, financial, and employee resources to achieve Enterprise security goals
  • Approval of purchase and implementation of new technologies
  • Mandating and enforcement of security awareness and training

Roles and Responsibilities

Enterprise’s Cyber Security Committee is a team of leaders from several of the Enterprise’s business areas tasked with steering Enterprise’s security program. This committee must include representatives from all major stakeholders including Executive Management, the Office of Information Technology (IT), the Security Division, Operations, Human Resources, and Legal. The Cyber Security Committee is responsible for generating and filling all necessary roles in support of the continued success of the Enterprise security program. More broadly, the Cyber Security Committee must provide a framework that allows all key security decisions to be reviewed by the relevant stakeholders. The committee shall also maintain the authority to approve or deny any such strategic decision, taking into account the alignment and confluence between security priorities and business requirements.

The Enterprise’s Chief Information Officer (CIO) must play an active role in the steering of the Enterprise’s security program. The CIO is responsible for overseeing the Cyber Security Committee’s meetings and initiatives, and providing an interface between security personnel and the Enterprise’s executive leadership.

Policy Statement

Creation and Modification of Policy
The Enterprise Cyber Security Committee will oversee all drafting and modification of the Enterprise’s security policy. The framework for proper generation of policy is outlined in the Enterprise’s Policy Lifecycle and Governance Policy, and the Cyber Security Committee must enforce that all policy development is compliant with that framework.

Prioritization and Roadmap
The Cyber Security Committee will be responsible for aggregating information from more focused security teams, such as the Risk Management Team or the Incident Response Team. Based on the information the committee receives from these various sources, the Cyber Security Committee must generate a security improvement roadmap outlining goals for building out the maturity of the organization’s security capabilities. The committee is also responsible for deciding which projects and improvements receive technological, financial, and human support.

Analysis of Technologies
The Cyber Security Committee is responsible for reviewing employee requests for the purchase of new technologies to expand the Enterprise’s capabilities, and replace existing technologies that are approaching End of Life. This review process must assess whether the use of financial resources to acquire the proposed technology aligns with the prioritized roadmap and resource allocation described above.

Security Awareness and Training
The Cyber Security Committee is also responsible for promoting general security awareness in students, faculty, and staff for the Enterprise. These efforts must include providing training for any individual with access to Enterprise systems or data and role-specific training for employees who have elevated access privileges or official security responsibilities. The committee must also delegate and oversee the tasks of confirming that all individuals complete their assigned trainings and sending periodic security awareness communications to end users.

Related Documents