IT Policy Development and Administration Framework
Issued: May 4, 2011
Last Revised: March 18, 2015
- Authorization and Scope
- Roles and Responsibilities
- IT Policy Review and Governance Approval
- Stakeholder Involvement
- IT Policy Structure and Criteria
- Approach and Publication
- IT Policy Life Cycle Process
- Appendix 1: IT Policy Structure Definitions
- Appendix 2: IT Policy Criteria Decision Tree
- Appendix 3: IT Policy Decision Matrix
- Appendix 4: IT Policy Decision Flow Chart
- Appendix 5: IT Policy Program Framework Models
The responsibility for university-wide IT policy management has been assigned to Information and Infrastructure Assurance (IIA). This includes:
- Coordination of IT policy and underlying development, dissemination, and education.
- Review and analysis of existing policies for continued applicability and effectiveness.
- Interpretation of current policy related to specific issues, situations and incidents.
The IT policy framework covers all campuses, including Flint, Dearborn, and the Health System; unit-level policies and guidelines (including those for the Flint and Dearborn campuses) are out of scope. University IT policies apply to all users of U-M IT resources, including students[1], faculty, staff, and sponsored or guest users.
Information technology policies articulate the university's vision, strategy, and principles as they relate to the management and use of information and information technology resources, while supporting core academic, research, and teaching and learning missions. Further, IT policies also ensure compliance with applicable laws and regulations, promote operational efficiency, and manage institutional risk by specifying requirements and standards for the consistent management of IT resources across the university. This university-wide IT policy framework[2] specifies:
[1] It is a principle of this IT policy framework that, wherever appropriate, policies should apply to all members of the university community, including students. The Statement on Student Rights and Responsibilities is the primary institutional document that defines appropriate use of IT resources by students. It does so by referring to the Responsible Use SPG 601.07-0, which, like all SPGs, says that it applies to all faculty and staff.
[2] Best practices from other universities have been adopted in the development of this framework.
- Structure and criteria for what should be categorized as an IT policy, guideline, or standard
- A process for initiating, reviewing, approving, and expiring IT policies
- Ongoing roles and responsibilities associated with IT policy development and maintenance.
The IT policy structure and process employ the following principles:
- Policy work shall be initiated when there is a compelling need for new or revised policy. Triggers may include new technologies, new laws or regulations, or operational or compliance needs that are not appropriately covered by existing policies or guidance.
- Policies and guidance shall be implementable and sustainable. Impact analysis on both IT systems and end-users should be included in the policy planning and review processes.
- Any unit may request consideration of new IT policies or changes to existing policies that apply university-wide; the process to be followed for such consideration is outlined in this IT policy development and administration framework.
- IT policy development shall be accomplished via individual workgroups convened to address specific topics. Each team will include appropriate subject matter experts. IIA will provide a central coordination function to ensure consistency and to address policy dependencies.
- The policy development process shall be transparent. Input from stakeholders will be addressed and/or incorporated throughout the process. Preliminary/interim policies and guidelines will be posted and disseminated to solicit feedback.
- The policy development process shall be flexible. Circumstances may necessitate the publishing of best practices as a stop-gap to provide immediate guidance while a policy is being developed, vetted, and approved. In other cases, a policy may be established with detailed guidance to be provided at a later time.
- University-wide policies shall be considered a floor, not a ceiling. Unit-level policies, guidelines, standards, or procedures may be developed to supplement university-wide guidance. They must meet the minimum criteria set forth in university-wide policies and related guidance, but may be more restrictive.
The roles and responsibilities defined below represent the staff positions or groups most directly involved in IT policy development.
Chief Information Officer (CIO): The CIO has overall responsibility for IT policy and policy development at U-M, and approves new and revised standards and guidelines based on the recommendation of the Executive Director.
IIA Council: The Council provides ongoing oversight and direction for the IT policy program, sets policy development priorities, and reviews and approves new or revised policies as the first level of governance approval.
Chief Information Security Officer (CISO)/IIA Executive Director: The CISO works with the IT Policy and Compliance Lead to ensure alignment of the IT Policy program with strategic ITS, Office of the CIO, and University of Michigan objectives and priorities. The CISO also serves as the liaison between the IIA staff managing the IT policy function and the CIO, the IIA Council, and the IT Council.
IT Policy and Compliance Staff: IT policy and compliance staff provide overall direction for the IT policy function, including responsibilities for identifying and prioritizing policy needs, ensuring appropriate campus involvement in policy development, and conducting research and benchmarking for emerging policy development.
The IT Policy and Compliance Lead provides day-to-day staff support for the policy development function, serves ex officio on policy development working groups, and plans and executes policy education and awareness efforts. Specifically, this includes managing an annual review and analysis of existing policies, standards, and guidelines for continued applicability and effectiveness, and interpreting current policies in response to unit/departmental inquiries or specific incidents.
The IT governance structure established in 2010 is intended to set campus-wide priorities for IT services, resources, and facilities. An important foundation in support of these priorities involves reestablishing a campus-wide IT policy function.
The IT policy function shall reside with the Office of the Chief Information Officer, with delegated responsibilities to Information and Infrastructure Assurance for policy development, coordination, education, and maintenance.
The following identifies the different levels of governance review and vetting of policies, standards and guidelines (initially drafted by IT policy development working groups):
CISO/IIA Executive Director: Initial review of policies, guidelines, and standards
CIO: Second level of review for IT policies, standards, and guidelines; final approval of guidelines and standards before adoption and dissemination to campus
IIA Council: First level of governance review for IT policies
IT Council: Second level of governance review for IT policies; new or substantially revised policies require IT Council approval
IT Executive Committee: Final level of governance review for IT policies; policies recommended for adoption as a new or revised Standard Practice Guide require approval of the IT Executive Committee.
Campus stakeholders will be engaged throughout the IT policy development process—in both individual and group settings—to ensure that all appropriate perspectives are accounted for and incorporated as feasible in final versions of new or revised policies, standards, and guidelines. IIA maintains a list of potential stakeholders to be involved at various stages in the IT policy life cycle process.
Specific individuals and groups will be identified during the planning and initiation phase of a given policy, standard, or guideline. Membership in policy development working groups will vary based on the primary content of the policy being developed. The IIA IT Policy and Compliance Lead will serve ex officio and provide staff support to all working groups. In general, any faculty or staff member will be able to comment on draft and interim policies, standards, and guidelines on the IT policy web site. Specific stakeholders may be identified and solicited to provide input and review draft documents, while others may fall only into the "need to inform" category.
Students, student groups, and student governments will have opportunities to provide input and feedback on draft policies, standards, and guidelines that deal with student code of conduct amendments or have the potential to impact availability of, or access to, IT resources for students.
Categories of university-wide guidance (see Appendix 1 for additional information about these categories):
University IT Policies articulate the university's values, principles, strategies, and positions relative to a broad IT topic. They are designed to guide organizational and individual behavior and decision making. They are concise, high-level, and independent of a given technology. University IT policies are mandatory. All new or substantially revised policies, once approved by the IT Executive Committee, will be submitted to University Audits for inclusion in the online Standard Practice Guide.
Examples: Responsible Use of Information Resources, Information Technology, and Networks; Information Security Policy
University IT standards specify requirements for becoming compliant with university IT policies, other university policies, as well as applicable laws and regulations. Standards may include technical specifications. Standards are mandatory.
Examples: Domain Name System Standards; IP Address Standards
University IT guidelines provide guidance and best practices relative to a particular IT topic. They may accompany, interpret, or provide guidance for implementing IT policies, other university policies, or applicable laws and regulations. University IT guidelines are not mandatory.
Examples: Guidelines for eDiscovery; Privacy and Retention of Security Logs
IT Procedures document "how to" accomplish specific IT tasks or use IT services. These procedures may be localized to reflect the practices or requirements of a specific unit.
The IT policy framework will create processes and structures that are consistent with the university Standard Practice Guide and specifically apply to information and information technology policies.
IT policies will be documented and considered for approval as SPGs (see above). SPGs are currently PDF files; searchable web versions of IT policies and guidelines will be posted at the IIA SafeComputing IT policy web site so that they can be effectively operationalized and readily accessed by campus IT staff and departments. Multiple communication methods will be employed to widely disseminate policies and guidelines.
While it is necessary to provide a flexible policy/guidance structure that keeps pace with technological innovations, process simplicity will be balanced with concerns over legal exposure and assurance of stakeholder collaboration. Ultimately, this policy framework will result in a process that provides proper scoping, collaborative development, and structured vetting and approval.
The IT policy life cycle process is based on the Policy Development Process With Best Practices issued by the Association of College and University Policy Administrators, and applies to university-level guidance including policies, standards, and guidelines. Standards and guidelines may require fewer approvals than formal policies.
- Identification, Planning and Initiation
  - Identify a compelling need for new or updated policy/guidance. Drivers may include new regulatory requirements, technology developments, operational needs, and identification of current issues or gaps. Requests may come from any unit, central office, or IIA.
  - Determine whether the need should be satisfied by a policy, guideline, or standard
  - Identify sponsorship, stakeholders, working group members and their relevant roles
  - Develop a high-level implementation impact analysis
  - Obtain approval to proceed with a draft policy (or guideline, standard)
  - Prioritize and schedule policy work
- Development, Review, and Approval
  - Draft initial policy (guideline, standard)
  - Distribute to a small group of stakeholders for initial review and input
  - Incorporate initial feedback
  - Distribute to a larger group of stakeholders for review and input
  - Post final draft on the IT policy web site for general feedback
  - Review and, where appropriate, incorporate feedback
  - Present to appropriate governance entity for approval (see Appendix 1)
  - Obtain approval
  - Post and announce guidance (policy, standard, guideline)
  - Conduct educational activities
  - Initiate implementation activities (efforts to develop/update standards and guidelines may be needed for some new policies)
  - Determine ongoing review cycle (default review cycle is annual)
- Compliance, Review and Maintenance
  - Monitor compliance and effectiveness of implemented guidance
  - Review and implement modifications per the annual review cycle (last revision and review dates shall be posted on each policy). IIA, the policy owner, and OGC will generally be responsible for most policy reviews.
- Policy Retirement
  - As part of the maintenance and review process, policies, standards, and/or guidelines may be identified as out-of-date or no longer needed. They will be retired via the same process by which they were approved.
IT Policy Structure Definitions (PDF) for categories of university-wide guidance:
- University IT Policies
- University IT Guidelines
- University IT Standards
- Campus IT Policies, Guidelines, or Standards
- Unit-Level IT Policies, Guidelines, or Standards
An IT Policy Decision Matrix and Decision Tree flow chart are available as planning guides and process reminders for policy development working groups. Both are based on the process flow described below.
During the Planning and Initiation step of the IT policy life cycle process, the need for new or updated guidance may be triggered by various issues such as:
- Laws, regulations or best practices which require new or updated guidance
- Implementation of IT services or new technologies that require new or updated policies
- Risk assessment, audits, and/or reviews of existing policies/guidance that reveal inconsistencies or gaps
- Operational issues that require clarification of university's position
The planning process involves stepping through a list of questions to determine whether there is a compelling need for a guidance effort and, if so, what type of guidance (policy, standard, guideline) needs to be created. Questions and suggestions for relevant decisions are listed below.
What are the consequences/risks of not having documented guidance covering this topic?
- Is there a legal requirement to have documented guidance?
- Are there operational issues that require clear statement of direction?
- Is there new technology (such as cloud computing) that requires university-wide guidance?
- Will documenting (and implementing) this guidance mitigate risks?
If the answer to any of the above is "yes," documented guidance may be necessary.
What are the consequences/risks of having documented guidance covering this topic?
- Is this guidance implementable?
  - Does this guidance represent a strategy that we would like units to plan for, although it may not be currently implementable?
- Is there an existing policy (SPG) that already addresses this topic?
- Does the proposed guidance contradict (explicitly or implicitly) current university policy, bylaw, or other laws/regulations?
If the guidance is necessary but not implementable across the university within a reasonable time frame, starting with guidelines (rather than a policy) is preferable. If there is a contradiction or inconsistency between the proposed guidance and existing policies or laws, further analysis is necessary with the participation of appropriate stakeholders to determine how to handle. An existing policy may be obsolete or substantially out-of-date; therefore, updating or expiring the existing policy may be the appropriate option.
Should this guidance be mandatory? Is it technology-dependent?
- Is there a federal or state law requiring the university to follow this?
- Is there a contractual obligation for the university to follow this?
- Is there another reason why this should be mandatory?
- Will this guideline change when new technology is implemented? What part of the guidance is technology-dependent and what part can be stated as a general policy?
If the guidance is mandatory, implementable, and applicable across the university, and technology-independent, it should be stated as a policy. If it is mandatory, implementable, and applicable across the university, but specific to a particular technology, it should be stated as a standard. Another option is to create a combination of a short, high-level policy statement, and a detailed, technology-dependent standard.
Can the essence of this guidance be summarized in no more than one page?
Short, high-level policy statements will typically be documented as a policy. More detailed documentation can be provided as standards, guidelines, or procedures. If the guidance cannot be summarized succinctly, and an umbrella policy does not exist, it may need to be represented as a combination of a policy and guidelines or standards.
How often do policies and related guidance need to be reviewed in order to stay current and applicable?
Policies and related guidance should be reviewed annually at a minimum to ensure that policies are meeting legal and regulatory obligations, best practices, and keeping up with technological change.
Are policy exemptions or exceptions allowed?
Exemptions to policies and related guidance are generally not allowed. If an exemption is necessary, then the requesting party must comply with the policy exception process. This process will be maintained and coordinated by the IIA IT Policy Lead.
What determines whether a policy is university-wide or unit-level?
- Should this guidance apply university-wide to all users of university information resources?
- Should this guidance apply university-wide to all IT providers?
These questions do not determine the category (policy, guideline, standard) but rather the scope for applicability.
Is this guidance specific to information technology? What other campus domains are involved and who should be included in policy drafting and decision-making?
Sometimes, the implementation of an IT service may trigger the need for a policy that relates to multiple domains (HR, Student, other), and it may or may not involve IT decisions. It is important to assess this situation with the appropriate stakeholders and determine who should be the primary "owner" of the policy. There may be cases where an HR or Communications Office policy, for example, should be implemented containing an IT standard or guideline.
This document outlines the decision points to determine if a policy, standard, or guideline is required.
If the answer to any of the following is "yes," then continue with the questions to determine what kind of documented guidance may be necessary.
- Is there a legal requirement to have documented guidance?
- Are there operational issues that require clear statement of direction or policy?
- Is there new technology (such as cloud computing) that requires university-wide guidance?
- Will risks be mitigated by documenting (and implementing) this guidance?
| # | Criteria | If Yes | If No |
|---|---|---|---|
| 1 | | Continue to #2 | Create a Guideline |
| 2 | | Continue to #3 | Conduct further analysis with participation of appropriate stakeholders to determine how to handle |
| 3 | | Continue to #4 | Skip to #9 |
| 4 | | Continue to #5 | Skip to #9 |
| 5 | | Continue to #6 | Skip to #9 |
| 6 | | Continue to #7 | Create a Standard, **or** create a high-level Policy and a detailed technology-dependent Standard |
| 7 | | Continue to #8 | Use the umbrella Policy **and** create detailed Standard(s), Guideline(s), or Procedure(s) |
| 8 | | Create a Policy **and** detailed Standard(s), Guideline(s), or Procedure(s), if needed | Create a high-level Policy **and** a combination of Standard(s) and/or Guideline(s) |
| 9 | | Create a Standard | Create a Guideline |