IT policy development framework


Purpose


This document describes in detail the framework in which the IT policies and their support documents are developed and maintained.

Application


This framework applies to all IT guidance documents for application at the University.

Authorisation and scope


The responsibility for university-wide IT policy management has been assigned to ITSPP. This responsibility includes:

  • Coordination of IT policy and underlying development, dissemination, and education.
  • Review and analysis of existing policies for continued applicability and effectiveness.
  • Interpretation of current policy related to specific issues, situations and incidents.

Rationale


Information technology policies articulate the university's vision, strategy, and principles as they relate to the management and use of information and information technology resources, while supporting core academic, research, and teaching and learning missions. Further, IT policies also ensure compliance with applicable laws and regulations, promote operational efficiency, and manage institutional risk by specifying requirements and standards for the consistent management of IT resources across the university. This university-wide IT policy framework specifies:

  • Structure and criteria for what should be categorized as an IT policy, standard, or guideline
  • A process for initiating, reviewing, approving, and retiring IT policies
  • Ongoing roles and responsibilities associated with IT policy development and maintenance.

Principles


The IT policy structure and process employ the following principles:

  • Policy work will be initiated when there is a compelling need for new or revised policy. Triggers may include new technologies, new laws or regulations, operational or compliance needs that are not appropriately covered by existing policies or guidance, or a scheduled review date falling due.
  • Policies and guidance will be implementable and sustainable. Impact analysis on both IT systems and end-users should be included in the policy planning and review processes.
  • Any unit may request consideration of new IT policies or changes to existing policies that apply university-wide; the process to be followed for such consideration is outlined in this IT policy development framework.
  • IT policy development will be accomplished via individual workgroups convened to address specific topics. Each team will include appropriate subject matter experts. ITSPP will provide a central coordination function to ensure consistency and to address policy dependencies.
  • The policy development process will be transparent. Input from stakeholders will be addressed and/or incorporated throughout the process. Preliminary/interim policies and guidelines will be posted and disseminated to solicit feedback.
  • The policy development process will be flexible. Circumstances may necessitate the publishing of best practices as a stop-gap to provide immediate guidance while a policy is being developed, vetted, and approved. In other cases, a policy may be established with detailed guidance to be provided at a later time.
  • University-wide policies will be considered a floor, not a ceiling. Unit-level policies, guidelines, standards, or procedures may be developed to supplement university-wide guidance. They must meet the minimum criteria set forth in university-wide policies and related guidance, but may be more restrictive.

Roles and responsibilities


The roles and responsibilities defined below represent the staff positions or groups most directly involved in IT policy development:

  • Chief Information Officer (CIO): The CIO has overall responsibility for IT policy and policy development at the University and is the owner of IT policies, standards and guidelines.
  • ITSPC: The committee provides ongoing oversight and direction for the IT policy program. ITSPC reviews and approves new or revised IT standards, and reviews and endorses new or revised IT policies for approval by SMT.
  • IT Risk and Strategy Manager: Ensures alignment of the IT Policy program with strategic IT and University mission and provides overall direction for the IT policy function, including responsibilities for identifying and prioritizing policy needs, ensuring appropriate University involvement in policy development, and conducting research and benchmarking for emerging policy development.
  • Director ITSPP: The Director reviews new or revised IT policies and standards, and serves as the liaison between the staff managing the IT policy function and the CIO, and the senior committees including ITSPC and SMT.
  • IT Policy Lead: Provides day-to-day staff support for the policy development function, serves on policy development working groups, and plans and executes policy education and awareness efforts. Specifically, this will include managing an annual review and analysis of existing policies, standards, and guidelines for continued applicability and effectiveness, and interpretation of current policies in response to unit/departmental inquiries or specific incidents.

IT policy governance and approval


  1. ITSPP: Develops and drafts IT policies, standards, and guidelines
  2. Director ITSPP: First level review for IT policies, standards, and guidelines
  3. IT governance subcommittees: Second level review for IT policies and standards
  4. CIO: Approves IT policies and standards for submission to ITSPC
  5. ITAC: Endorsement for IT policies and approval for IT standards
  6. SMT: Approval of IT policies
  7. VC: Sign off on IT policies

Full stakeholder involvement


University stakeholders will be fully engaged throughout the IT policy development process—in both individual and group settings and by online review—to ensure that all appropriate perspectives are accounted for and incorporated as feasible in final versions of new or revised policies, standards, and guidelines. ITSPP maintains a list of potential stakeholders to be involved at various stages in the IT policy life cycle process.

Specific individuals and groups will be identified during the planning and initiation phase of a given policy, standard, or guideline. Membership in policy development working groups will vary based on the primary content of the policy being developed. The ITSPP IT Policy Lead will provide support to all working groups. In general, any faculty or staff member will be able to provide comments on draft and interim policies, standards, and guidelines on the IT policy web site. Specific stakeholders may be identified and solicited to provide input and review draft documents, while others may fall only into the "need to inform" category.

Students, student groups, and student representatives will have opportunities to provide input and feedback on draft policies, standards, and guidelines that deal with student conduct or have the potential to impact availability of, or access to, IT resources for students.

IT policy structure and criteria


Categories of university-wide guidance:

  • IT policies articulate the university's values, principles, strategies, and positions relative to a broad IT topic. They are designed to guide organizational and individual behavior and decision making. They are concise, high-level, and independent of a given technology. University IT policies are mandatory. All new or substantially revised policies, once endorsed by the ITSPC, will be submitted to University Registrar for inclusion in the University Policy Register
    Examples: IT Acceptable Use policy, IT Security policy
  • IT standards are specific to a particular unit or IT technology or topic and are mandatory
    Example: Web development standard
  • IT guidelines provide guidance and best practices for users, relative to a particular IT topic. They may accompany, interpret, or provide guidance for implementing IT policies, other university policies, or applicable laws and regulations. University IT guidelines are not mandatory but will normally be seen as the recommended approach and standard practice to be followed
    Example: Password management guideline

IT policy development process


The IT policy development process applies to university-level guidance including policies, standards, and guidelines. Standards and guidelines require fewer approvals than formal policies.

  • Identification, planning and initiation of new policies, standards and guidelines
    1. Identify compelling need for new or updated policy/guidance. Drivers may include new regulatory requirements, technology developments, operational needs, and identification of current issues or gaps. Request may come from any unit, central office, or ITSPP
    2. Determine whether the need should be satisfied by a policy, guideline, or standard (see Appendix 1 below: IT Policy Planning Criteria)
    3. Identify sponsorship, stakeholders, working group members and their relevant roles
    4. Develop high level implementation impact analysis
    5. Obtain approval to proceed with draft policy (or guideline, standard)
    6. Prioritize and schedule policy work
  • Development, review, and approval
    1. Draft initial policy (guideline, standard)
    2. Distribute to a small group of stakeholders for initial review and input
    3. Incorporate initial feedback
    4. Distribute to a larger group of stakeholders for review and input
    5. Post final draft on the IT policy web site for general feedback
    6. Review and, where appropriate, incorporate feedback
    7. Present to appropriate governance entity for approval (see Appendix 1 below)
    8. Obtain approval
  • Rollout
    1. Post and announce policy (standard, guideline)
    2. Conduct educational activities
    3. Initiate implementation activities (efforts to develop/update standards and guidelines may be needed for some new policies)
    4. Determine ongoing review cycle (default review cycle is annual)
  • Compliance, review and maintenance
    1. Monitor compliance and effectiveness of implemented policy/standard
    2. Review and implement modifications per annual review cycle (last revision and review dates will be posted on each policy). ITSPP and the policy owner will generally be responsible for most policy reviews
  • Document retirement
    1. As part of the maintenance and review process, policies, standards, and/or guidelines may be identified as out-of-date or no longer needed. They will be retired via the same process by which they were approved

Appendix 1: IT policy planning criteria


During the Planning and Initiation step of the IT policy life cycle process, the need for new or updated guidance may be triggered by various issues such as:

  • Laws, regulations or best practices which require new or updated guidance
  • Implementation of IT services or new technologies that require new or updated policies
  • Risk assessment, audits, and/or reviews of existing policies/guidance that reveal inconsistencies or gaps
  • Operational issues that require clarification of the university's position

The planning process involves stepping through a list of questions to determine whether there is a compelling need for a guidance effort and, if so, what type of guidance (policy, standard, guideline) needs to be created. Questions and suggestions for relevant decisions are listed below:

  1. What are the consequences/risks of not having documented guidance covering this topic?
     a) Is there a legal requirement to have documented guidance?
     b) Are there operational issues that require clear statements of direction?
     c) Is there new technology (such as cloud computing) that requires university-wide guidance?
     d) Will documenting (and implementing) this guidance mitigate risks?

If the answer to any of the above is "yes," documented guidance may be necessary.

  2. What are the consequences/risks of having documented guidance covering this topic?
     a) Is this guidance implementable?
     b) Does this guidance represent a strategy that we would like units to plan for, although it may not be currently implementable?
     c) Is there an existing policy that already addresses this topic?
     d) Does the proposed guidance contradict (explicitly or implicitly) current university policy, or other laws/regulations?

If the guidance is necessary but not implementable across the university within a reasonable time frame, starting with guidelines (rather than a policy) is preferable. If there is a contradiction or inconsistency between the proposed guidance and existing policies or laws, further analysis is necessary with the participation of appropriate stakeholders to determine how to handle this. An existing policy may be obsolete or substantially out-of-date; therefore, updating or retiring the existing policy may be the appropriate option.

  3. Should this guidance be mandatory? Is it technology-dependent?
     a) Is there a law requiring the university to follow this?
     b) Is there a contractual obligation for the university to follow this?
     c) Is there another reason why this should be mandatory?
     d) Will this guideline change when new technology is implemented? What part of the guidance is technology-dependent and what part can be stated as a general policy?

If the guidance is mandatory, implementable, and applicable across the university, and technology-independent, it should be stated as a policy. If it is mandatory, implementable, and applicable to specific units of the university, or specific to a particular technology, it should be stated as a standard. Another option is to create a combination of a short, high-level policy statement, and a detailed, technology-dependent standard.

  4. Can the essence of this guidance be summarized in no more than one page?

Short, high-level policy statements will typically be documented as a policy. More detailed documentation can be provided as standards, guidelines, or procedures. If the guidance cannot be summarized succinctly, and an umbrella policy does not exist, it may need to be represented as a combination of a policy and guidelines or standards.

  5. How often do policies and related guidance need to be reviewed in order to stay current and applicable?

Policies and related guidance should be reviewed annually at a minimum to ensure that policies are meeting legal and regulatory obligations, best practices, and keeping up with technological change.

  6. Are policy exemptions or exceptions allowed?

Exemptions to policies and related guidance are generally not allowed. If an exemption is necessary, then the requesting party must comply with the policy exception process. This process will be maintained and coordinated by the ITSPC IT Policy Lead.

  7. What determines whether a policy is university-wide or unit-level?
     a) Should this guidance apply university-wide to all users of university information resources?
     b) Should this guidance apply university-wide to all IT providers?

These questions do not determine the category (policy, standard, guideline) but rather the scope for applicability.

  8. Is this guidance specific to information technology? What other University units are involved and who should be included in policy drafting and decision-making?

Sometimes, the implementation of an IT service may trigger the need for a policy that relates to multiple domains (HR, Student, other), and it may or may not involve IT decisions. It is important to assess this situation with the appropriate stakeholders and determine who should be the primary "owner" of the policy. There may be cases where an HR or Communications policy, for example, may be implemented containing an IT standard or guideline.

Policy decision flowchart


IT Policy Decision Flow Chart