The Information Risk and Policy Council (IRPC) is the governance body for information security at the University of Iowa. It serves as the advocate and representative for IT decisions and priorities that affect the protection of the university's information, systems, and infrastructure, and the resulting risk posture. Merging the IT policy governance activities, risk assessment functions, and overall IT security governance results in improved management of institutional risk.

The IRPC will examine key security, risk, and policy issues in information technology that are facing the university in order to promote technical and policy solutions that will meet current and future campus needs. The IRPC is also empowered to provide input and advice on the University Information Security Program to the Chief Information Officer (CIO) and to the Chief Information Security Officer (CISO).

Information Risk and Policy Council Charge

  • Analyze and assess institutional IT risks
    • Facilitate campus-wide IT risk assessment activities
    • Evaluate assessment results and recommend strategies to address weaknesses
  • Recommend IT policies, procedures, and standards to address enterprise risks
    • Manage the policy review process
    • Review and share feedback received on IT policies and standards with the CIO
    • Communicate with campus groups about policies, procedures, and standards
    • Evaluate IT policy as it applies to compliance with federal and state regulations
    • Ensure consistent procedures for treatment of policy violations
  • Support overall IT security and policy governance, as charged by the CIO:
    • Assist in setting the strategic agenda for information security IT decisions
    • Ensure that outcomes and decisions are communicated back to the campus
    • Lead information security IT collaboration efforts across campus
    • Advocate for necessary information security IT resource allocations
    • Ensure that appropriate stakeholders have opportunity for input and reaction
    • Create and charge subcommittees or task forces as necessary for deeper exploration or engagement
  • Carry out council responsibilities as part of IT governance:
    • Raise and collect security domain-specific issues
    • Analyze issues and make recommendations
    • Engage other IT governance groups, university governance groups, and general campus stakeholders as appropriate

The IRPC meetings and activities will be facilitated by the Chief Information Security Officer, and a chair will be designated from the current membership to lead the group. Membership will include UI Collegiate, Administrative, HealthCare, OneIT, and Research stakeholders. Subcommittees or ad hoc task forces may be created and charged by the IRPC to study and offer advice on complex issues, questions, or recommendations. Members are nominated by campus groups, administration, or members, and confirmed by the CIO and CISO.

Information Risk and Policy Council Members

  • Kirk Corey (facilitator), Director of Policy and Privacy, Information Security & Policy Office
  • Tim Shie (chair), IT Director, College of Public Health
  • Brian Heil, Director of IT Security, Stead Technology Services Group, Tippie College of Business
  • Josey Bathke, Chief Risk Officer, UI Risk Management Office
  • Chad Sharp, Audit Manager, Internal Audit
  • Debby Zumbach, Assistant VP and Director, Purchasing and Business Services, Finance & Operations
  • Todd Rent, Director, University Employee & Labor Relations
  • Shari Lewison, Chief Information Security Officer, ISPO
  • Ian Arp, Deputy Counsel, General Counsel
  • Emily Robnett, Risk Management Administrator, Risk Management Office
  • Zach Furst, Deputy Chief Information Security Officer, ISPO
  • Brian Beninga, IT Security Architect, ISPO
  • Gabby Perez, Senior Compliance & Education Specialist, Research Services
  • Shannon Manley, Senior Project Manager, Medicine Administration
  • Matt McLaughlin, Chief Technology Officer, College of Engineering