Governance

Information Security and Privacy Risk Council

The role of governance in an organization is to set policy, establish authority and responsibility, and implement accountability. IU's Information Security and Privacy Program is governed by the Information Security and Privacy Risk Council.

The Information Security and Privacy Risk Council ("the Council") is a standing committee providing broad strategic guidance and oversight to support the university-wide Indiana University Information Security and Privacy Program.

The ISPP exists to establish risk-based safeguards that adequately protect information, but do not unnecessarily impede its appropriate and widespread use. The Council operates under the auspices of the Office of the Vice President for Information Technology and CIO (for digital information protection and privacy) and the Office of the Executive Vice President for University Academic Affairs (for information and privacy in the physical world, and general policy and compliance). The Information Security and Privacy Risk Council will:

Develop, seek wide input, and recommend strategic direction to the Chief Security Officer and Chief Privacy Officer on university-wide information security and privacy.
Review and coordinate university-wide information security and privacy-related policies, procedures, and initiatives, regardless of the office or sector responsible.
Review and coordinate university-wide efforts to improve employee awareness of information security and privacy practices, regardless of the office or sector responsible.
Provide strategic input to key information security and privacy projects undertaken by the University Information Security Office, the University Information Policy Office, and offices having compliance or monitoring responsibilities for the information security and privacy of particular sectors.
Advise university administration on matters of information security and privacy, and with respect to compliance requirements.
Stay abreast of emerging information security and privacy issues and adjust strategy as necessary.

View the Information Security and Privacy Risk Council Charter

Domain 2: Policy

Learn how leadership documents, sets, and communicates direction and expectations to the organization

Domain 3: Organization

Details on how IU's organizational structure and how it outlines responsibilities

Domain 12: Compliance

Outlines the offices responsible for specific legislative, regulatory, or contractual obligations related to information security and privacy.

Representative areas
Domain	Representative
FERPA Compliance Student Records Expertise GLB Act Compliance Student Financial Aid Loans Compliance Student Lifecycle, including applicants and alumni	Jim Kennedy
Human Resources (HR) Compliance Employment Compliance Benefits Compliance HIPAA — as it relates to HR HR Records Expertise Employee Lifecycle, including applicants and retirees	John Whelan
Financial Management Accounting Accounts Payable Payroll	Joan Hagen
Revenue Processing PCI DSS Compliance Debt Collection	Don Lukes
Research Compliance Export Control Human Subjects Compliance	John Baumann
HIPAA Compliance Medical patient records expertise Clinical Trials	Leslie Pfeffer
International Records Transborder Data Flows International Data Protection expertise	Christopher Viers
Foundation Donor data Trade secrets expertise	Jeff Lambright
Internal Audit	Stewart Cobine
Office of the VP and General Counsel Internal Intellectual Property Creative Works expertise Commercialization and Technology Transfer	Joe Scodro and Jeff Goetz
Government Relations Regulatory Issues	Doug Wasitis
Faculty expertise in information security Information privacy Risk management and/or governance	Philip Cochran at-large member
Chair, Committee of Data Stewards	Sara Chambers at-large member

Membership
Term	Co-chairs	Staff
November 2015 - November 2017	Andrew Korty, University Information Security Officer Sara Chambers, University Chief Privacy Officer	Eric Cosens, Writer Vacant, Web development, information architecture, & communication Julie Bennett, Administrative support

Contact

The Council is chaired jointly by the Chief Security Officer and the Chief Privacy Officer, whose offices provide administrative support for the Council and apply the strategies identified by the Council to the ISPP. Contact the University Information Security Office or University Information Policy Office.