Information Security & Privacy Program

The role of governance in an organization is to set policy, establish authority and responsibility, and implement accountability. IU's Information Security and Privacy Program is governed by the Information Security and Privacy Risk Council.

See also Domain 2: Policy to learn how leadership documents, sets, and communicates direction and expectations to the organization; Domain 3: Organization for more on IU's organizational structure and outlining of responsibilities; and Domain 12: Compliance for offices responsible for specific legislative, regulatory, or contractual obligations related to information security and privacy.

Information Security and Privacy Risk Council

The Information Security and Privacy Risk Council ("the Council") is a standing committee providing broad strategic guidance and oversight to support the university-wide Indiana University Information Security and Privacy Program ("ISPP"). The ISPP exists to establish risk-based safeguards that adequately protect information, but do not unnecessarily impede its appropriate and widespread use.

The Council operates under the auspices of the Office of the Vice President for Information Technology and CIO (for digital information protection and privacy) and the Office of the Executive Vice President for University Regional Affairs, Planning, and Policy (for information and privacy in the physical world, and general policy and compliance). 

The Information Security and Privacy Risk Council will:

  • Develop, seek wide input, and recommend strategic direction to the Chief Security Officer and Chief Privacy Officer on university-wide information security and privacy.
  • Review and coordinate university-wide information security and privacy-related policies, procedures, and initiatives, regardless of the office or sector responsible.
  • Review and coordinate university-wide efforts to improve employee awareness of information security and privacy practices, regardless of the office or sector responsible.
  • Provide strategic input to key information security and privacy projects undertaken by the University Information Security Office, the University Information Policy Office, and offices having compliance or monitoring responsibilities for the information security and privacy of particular sectors.
  • Advise university administration on matters of information security and privacy, and with respect to compliance requirements.
  • Stay abreast of emerging information security and privacy issues and adjust strategy as necessary.


You may download the charter here.


Representative AreasName
FERPA Compliance
Student Records Expertise
GLB Act Compliance
Student Financial Aid
Loans Compliance
Student Lifecycle, including applicants and alumni
Jim Kennedy
Human Resources (HR) Compliance
Employment Compliance
Benefits Compliance
HIPAA — as it relates to HR
HR Records Expertise
Employee Lifecycle, including applicants and retirees

John Whelan

Financial Management
Accounts Payable
Joan Hagen
Revenue Processing
PCI DSS Compliance
Stewart Cobine
Research Compliance
Export Control
Human Subjects Compliance
Eric Swank
HIPAA Compliance
Medical patient records expertise
Clinical Trials
Leslie Pfeffer
International Records
Transborder Data Flows
International Data Protection expertise
Christopher Viers
Foundation Donor data
Trade secrets expertise
Jeff Lambright
Internal AuditChristine Swafford
Office of the VP and General Counsel
Internal Intellectual Property
Creative Works expertise
Commercialization and Technology Transfer
Joe Scodro
Government Relations
Regulatory Issues
Doug Wasitis
Faculty expertise in information security
Information privacy
Risk management and/or governance
Philip Cochran
at-large member
Chair, Committee of Data StewardsSara Chambers
at-large member

Term: November 2013 – November 2015


University Chief Security OfficerTom Davis
University Chief Privacy OfficerSara Chambers


WriterEric Cosens
Web development, information architecture, & communicationvacant
Administrative supportJulie Dreesen

Meeting Minutes

You may view the minutes here.

Selected Activities

  • Program Endorsement
    The Council reviewed the entirety of the current Program in 2011 and endorsed the framework and its safeguards as being appropriate and necessary. In April 2012, the VP for Information Technology and the Executive VP for University Regional Affairs, Planning, and Policy issued a memo to the President's Cabinet informing them of the Program and asking them to distribute the information to their organizations.
  • "12 Domains in 12 Months"
    In February 2012, an awareness campaign began to promote the study and local review of one Domain of the Program each month. Each month the IT Professionals are sent an email encouraging them to review that month's highlighted Domain.
  • High Priority Activities
    The Council reviewed lists of gaps in the Program in 2011 and provided guidance on prioritization of the gaps. In early 2012, high priorities were identified and work began:

    High Priority ActivityAssigned Lead
    Major IT Facilities ReviewTom Davis
    Network Management ReviewTom Davis
    Roles and Responsibilities StandardMerri Beth Lavagnino
    IT Risk AssessmentKim Milford
    Policy Communication ProcessKim Milford


The Council is chaired jointly by the Chief Security Officer and the Chief Privacy Officer, whose offices provide administrative support for the Council and apply the strategies identified by the Council to the ISPP. Contact the University Information Security Office or University Information Policy Office.