UCL Research Data Information Security Management System Operational Management Group Terms of Reference
Document Name: RISM11-Operational_Management_Group_ToR
Author: Tim Machin
Classification: Public
Version: 6.1
Created: 14/02/2025
Last Review date: 07/04/2025
Last Reviewed by: Victor Olago
Approved by: IRGC
Approved date: 31/03/2025
Review Period: 3 Years
Sources: UCL-IG35
1. Document Overview
The purpose of this document is to define the Research Data ISMS Operational Management Group (OMG), with specific reference to its purpose, responsibilities, composition and membership, communication, and administration.
2. Purpose
The Research Data ISMS Operational Management Group monitors the development, implementation, and ongoing management of the organisation’s Information Security Management System (ISMS). The Group’s purpose is to ensure the day-to-day operation of risk management, compliance and continual improvement of information security within the scope of the ISMS.
3. Responsibilities of the OMG
The OMG is part of the Information Governance Framework and has the following responsibilities:
- Review risks and ensure risk assessment, risk treatment plan and statement of applicability remain current
- Determine, review and monitor operational metrics and targets, monitoring trends
- Ensure consequences of planned non-standard changes are fully considered
- Participate in, receive reports on, and respond to audits
- Receive and respond to incident reports, deciding what actions arise once an incident is closed
- Ensure that OMG activities are scheduled and tracked
- Report to the Information Risk Governance Committee (IRGC) on the performance of the ISMS
- Escalate risks to IRGC where the risk is either ‘severe’ or ‘intolerable’
- Manage control implementations to mitigate risks
- Approve and review policies relating to information security
- Ensure that personnel of the Organisation and relevant interested parties receive appropriate information security awareness, education and training and regular updates on the Organisation’s information security policy, topic-specific policies and procedures, as relevant for their job function
- Hold discussions designed to achieve consensus across the Organisation on policies or on how to implement controls
4. Composition
4.1 Membership
The OMG is made up of representatives from key stakeholder groups within the scope of the ISMS:
- Information Risk Governance Committee
- Technical Environment Owners/Administrators
- Information Governance
- ARC Research Data Team
- Information Security Group
- Information Asset Owners
- Approved Researchers
4.2 Chair
The chair will be a member of the OMG, agreed through a vote of the members.
4.3 Quorum
To be quorate, the OMG requires the chair, an environment owner and at least one other voting member.
5. Frequency
The OMG should meet at least once per term, in time to report to scheduled IRGC meetings. More frequent meetings may be necessary, for example in response to changes or incidents.
The standard meeting agenda should be as follows, with additional items added as and when needed.
- The previous meeting’s minutes and actions
- Operational metrics for the Information Security Management System
- Incidents, major changes, audit findings and lessons learnt
- Internal and external developments affecting the ISMS
- AOB
6. Approach to decision making
- The OMG will operate on a consensus basis. If consensus cannot be reached, the chair will make the final decision
- If a decision affects the operation of an environment not represented at the meeting, the intended decision will be shared with the entire OMG by email and all members given an appropriate amount of time (usually 72 hours) to object
- Any decisions that affect risk levels in the risk treatment plan or require new resource allocation will be escalated to the Information Risk Governance Committee