Carnegie Mellon University

Security Points of Contact Program (SPoC)

The Security Points of Contact (SPoC) program formalizes local operational support for the information security program at Carnegie Mellon University.


The SPoC program deputizes distributed IT service providers to be accountable for implementing the information security program within their local context. SPoCs engage in campus-wide information security initiatives to provide guidance and feedback, such as local impact analysis.


The SPoC program is managed by the Deputy Chief Information Security Officer (DCISO), reporting to the Chief Information Security Officer (CISO). The unit leader, e.g., Dean, Division Head, Department Head, etc., assigns a primary and secondary SPoC with the necessary unit knowledge, technical expertise, responsibility, and authority to meet membership expectations.

Membership Expectations

  • Attend and participate in regular monthly meetings and ad hoc meetings as necessary.

  • Manage and execute information security plan components within their local scope, such as asset inventory management, access management and certification, secure system configuration, security software deployment, vulnerability management, security monitoring, and incident response.   

  • Provide timely and candid feedback on operational practices, initiative proposals, document drafts, and ad hoc requests for comment.

  • Assist with relevant, timely, and appropriate communication to their constituents.

  • Participate in continuous improvement initiatives for the information security program.