CYB 6010 · St. Francis College

Governance Center

Accountability & Oversight

Board-to-operations governance model aligned with NIST CSF 2.0 Govern function.

Governance Hierarchy

Board of Trustees

Fiduciary oversight · annual review · breach briefing

President

IR activation · cabinet escalation · external communications

CISO

Program ownership · quarterly scorecard · vendor risk

IT Director

Operational security · containment · restoration

Operational Teams

Detection · day-to-day controls · helpdesk

Escalation Procedures

IT Director

Detection and initial containment

CISO

Confirmed incident, scorecard variances

President

IR activation, regulatory breach assessment

Board of Trustees

Critical incident, risk acceptance, annual review

Reporting & Risk Acceptance

Quarterly reporting: CISO presents cybersecurity scorecard to President's cabinet each quarter

Risk acceptance: CFO / Board (Accountable) with CISO recommendation and IT Director operational input

Annual review: Full cybersecurity strategy review each June, with the quarterly KPI scorecard to the cabinet in between

Out-of-cycle reporting triggers (escalated outside the quarterly cadence):

  • Any Critical-rated incident or confirmed FERPA breach
  • Material change in a Tier-1 vendor (Banner, Microsoft, Gecko)
  • Regulatory change affecting FERPA, NY SHIELD, or SEVIS

Board Oversight Charter

  1. Annual review of cybersecurity strategy and budget allocation
  2. Designated trustee liaison for technology risk oversight
  3. Board briefing within 10 business days of any regulatory breach notification
  4. Standing annual board-level cybersecurity briefing as agenda item
  5. Quarterly cybersecurity scorecard presented to President's cabinet

RACI Matrix

Activity                         President  CFO/Board  CISO  IT Dir.  Legal  DSO
IR Activation                    R          A          C     I        I      I
Security Budget Approval         C          A          R     I        I      C
Risk Acceptance                  C          A          C     R        I      I
Policy Approval                  C          A          R     C        I      I
Regulatory Breach Notification   R          A          C     I        C      I
Vendor Risk Approval             C          A          R     C        I      C

R = Responsible · A = Accountable · C = Consulted · I = Informed. DSO = Designated School Official (SEVIS).

Framework Alignment

NIST Cybersecurity Framework 2.0 · Primary governance structure
ISO/IEC 27001:2022 · ISMS design principles
FERPA · Mandatory compliance
NY SHIELD Act · State regulatory requirement
CISA Education Sector Guidance · Baseline posture reference

St. Francis College Cybersecurity Governance Portal · CYB 6010 · For executive and board use