IT Policy Development and Related Organizational

Download Report

Transcript IT Policy Development and Related Organizational

IT Policy Development and
Related Organizational Processes
Jenny Mehmedovic
Assistant to the Provost
Provost’s Office
University of Kansas
Michele Gross
Program Director
President’s Office
University of Minnesota
Today’s Policy Discussion
Organization made easy
Documentation of processes and policies
Communication and enforcement
Periodic reviews and updates
Institutional Profiles
University of Minnesota
 Five campuses, incl. 1
medical center
 68,000 students
 19,274 employees
 $823 mil. in sponsored
awards (2010)
 102 governing policies
 192 central
administrative policies
University of Kansas
 Four campuses, incl. 1
medical center
 29,000 students
 9,700 employees
 $225 million in sponsored
awards (2010)
 1 governing policy manual
 641 central administrative
Evolution of Policy Approach
1992: Policy Office
1993: U of M Online
Policy Library launched
1992: Director of Policy Office
position established
2008: Launch of
KU Online Policy
2011: Director of Policy
Office position
2010: Policy Office established
Getting to Know You
• Who are you? Where are you from? What is your
• Why did you choose this EDUCAUSE session?
Getting to Know You
• Where does your organization fit in the IT policy
development/structure continuum?
University of Kansas
Information Technology Organization
University of Minnesota
Information Technology Organization
Connecting to IT People
University of Minnesota
University of Kansas
• IT Leadership Alliance
• Academic Technology Advisory
• Course Management System
Implementation Group
• Privacy Committee
• Senate Committee on
Information Technology
• Enterprise Data Access Group
• University Video Users
• Mass E-mail User Group
• UMContent Developers
• IT Technical Liaisons
• KU Policy Office Partners
• Information Management
Policy Group
• Academic Computing and
Electronic Communications
Committee (Governance)
• Enterprise Application
Resources Planning group
• Center for Online and Distance
Contrasts: Policy Offices
University of Minnesota
University of Kansas
• Director, policy librarian (80%),
and graphic designer (80%)
• Use a content management
system (Oracle, was Stellent)
• Director leads the Policy
Advisory Committee, and
staffs the Presidents Policy
• Director (in progress), admin
support (also policy librarian),
and time from a Web
programmer (in Provost’s
• Use a document management
system (Xythos)
• Jenny providing strategic
direction, longer term
improvement opportunities,
transitioning out
IT Policy Hot Topics
Where is your IT Policy Focus Today?
• List IT issues under consideration at your institution
• In small groups, share the lists
IT Policy Hot Topics
Top 5 Higher Ed Policy Issues
Federal and state regulations
IT security
Intellectual property and copyright law
Campus IT policy issues and best practices
IT Policy Hot Topics
Where is IT Policy Focus Today?
Social media
Cloud services/guidelines
Mobile device encryption & provisioning & security
Identity management/validation
Security policy for shared services and shared cyber
• Data classification, stewardship, and records
• Electronic/digital signatures
• Website privacy notices
IT Policy Hot Topics
Choose One
• Select one of your topics on which you’d like
to work throughout our time together
IT Policy Hot Topics
Organizational Processes for Policy Development, or
How to Get “It” Done Right!
Policy Basics
Definition (from
The set of basic principles and associated guidelines,
formulated and enforced by the governing body of
an organization, to direct and limit its actions in
pursuit of long-term goals.
Policy Development
Institutional Policies
• Statements that reflect the philosophies, attitudes,
or values of an organization related to a specific issue
– Concise statement of what the policy is intended to
accomplish, not how to accomplish it
– One or two sentence description of general organization
– General enough to provide flexibility where flexibility is
Policy Development
Components of a Policy
• Policy statement(s), including scope and
• Terms, roles, contacts
• Support documents
– Procedures
– Guidelines
– Appendices
Policy Development
Electronic Data Disposal Policy
Data confidentiality is an issue of legal and ethical
concern. The purpose of this policy is to…
University employees (e.g., faculty, staff, student
employees) and other covered individuals (e.g., affiliates,
vendors, independent ...
The University of Kansas requires that before any
computer system, electronic device or electronic media
is disposed, recycled or transferred…
University of Minnesota:
Policy on Policy
• The University establishes administrative policies to align
operations, set behavioral expectation, and communicate roles and
• Administrative policies will either require or prohibit specific actions
of faculty, staff, or students as well as external individuals who use
University resources or services, as appropriate.
• Administrative policies must:
– Be warranted in order to implement Board of Regents policy; achieve
compliance with laws, rules, or regulations; or address a risk to the
institution that cannot be adequately addressed elsewhere;
– Address a significant risk after factoring in the number of people affected,
type of risk and impact; and
– Promote operational efficiency and effectiveness.
Policy Development
Process for Developing a University Policy
Policy owner watches for
changes in law, changes
to Board Policies,
operational needs, etc.
Policy owner creates a draft,
with standard templates.
Engages key users in
drafting stage.
Gathers data. Determines a new
or revised policy is needed.
Prepares a policy plan for
Policy Advisory Committee.
Evaluate &
Policy draft is announced
posted for open 30day comment period.
& Compliance
Policy owners
monitors. Results
should drive any
enhancements or
training or
Presents all policy documents to Policy Advisory
Committee. Captures comments and revises
as needed.
Final product to President’s Policy Committee for
review and approval.
Do we
have a
Is policy
Revise as needed at end of
30-days. Publish policy.
Respond to questions
captured through
comment box at end of
each policy. Tweak as
needed (informal) or
modify (formal).
U of M Model: Critical Success Factors
Stakeholder consultation
The “right” review/approval groups
Transparency and accountability
System of organization
Strong policy website
– If you build it, they will come.
– If you build it WELL, they will come back.
Policy Development
University of Kansas Policy on Policy
• Historically institution has been policy-averse
• Thus, we are working to define the KU Policy
Process rather than a policy
Policy Development
Process for Developing a University Policy
This roadmap is intended to assist units who generate policy applicable to faculty, staff, and students in understanding the
process and responsibility for policy-making at KU. Specific policies may require adjustment of this process to ensure
adequate review by stakeholders.
Identify Issues
1. Raise
of the issue
2. Inform
Policy Office
that a policy
has been
for revision
Draft Initial
3. Coordinate
sponsoring the
Review & Revise
4. Ensure accuracy and
consistency with
existing policies by
working with the Policy
Office and other
relevant offices
Final Review &
8. Signature
approval by Provost,
Chancellor, or
appropriate Vice
Provost or Vice
9. Post policy to KU
Policy Library
10. Announce policy
12. Encourage feedback
13. Grant exceptions, as
11. Educate community 14. Update periodically
to ensure accuracy
5. Review by Office of
the Provost with input
sought from General
6. 21-day* university
comment period
7. Respond to
comments; may
involve revision of
policy, minor or major
March 30, 2011
* In rare circumstances, the comment period may be
reduced in order to comply with federal or state mandate.
U of Kansas: Critical Success Factors
Know who the primary policy-making partners are
Cultivate partnerships and generate input
Provide tools to make life easier for partners
Be positive about smallest incremental changes – we
have far to go, but we have come a long way in a few
Policy Development
Your Current Policy Structure
• Share what you are doing well and where you have
the greatest room for improvement
– Do you have a University-wide policy library?
– Are your IT policies contained within it or separate?
– Do you have a University-wide tool for
developing/maintaining policies?
– Do you have a policy on policy?
– Do you have standard templates for your policy work?
Policy Development
Predevelopment: Identify Issues
• Recognize a trigger for creating or revising an IT
– Change in law, rule or regulation
• Legislative, regulatory, or public policy
– Weakness in current structure
• Correct misbehavior (reactive); organizational change (reactive)
– New technical opportunity
• That reduces risk, streamlines operations, etc. (proactive)
Policy Development
Predevelopment: Define Your Audience
• Understand who will be impacted by a policy or
policy change
Who is the owner
Whose actions are you directing (primary)
Who are the other stakeholders
How can you capture their input during the development
and review phases
Technical Staff?
Policy Development
All end users?
Subset of end users?
Predevelopment: Conduct Analysis
• Determine the approach to develop the policy
– Research the subject
• Laws
• Peer institutions (e.g., through ACUPA)
– Know how decisions will be made when there are
management choices
– Identify required deadlines (is an interim policy needed?)
– Confirm scope of the policy
Policy Development
Predevelopment: Conduct Analysis
• Understand the scope and impact of the gap
What are the risks?
Who is impacted?
How widespread is the problem or need?
What are the options for solving it?
Is a policy needed to address the issue?
Who owns the issue/policy? Is it an IT policy or a
component of a broader business policy?
– What are the onetime and recurring costs associated with
Policy Development
Pen to Paper (or Fingers to Keyboard)
• Draft the policy language
Generally NOT a group activity
Align with required format (template)
Identify definitions needed
Ensure title is appropriate for content, and content aligns
with scope
– Use style specified by institution
• Review with stakeholder representatives, and revise
if needed
• Obtain required approvals
Policy Development
Policy Approval Comparison
• Process/policy owner
obtains internal
management approval
• Presents to a policy
advisory committee
• Presents final draft to
President’s Policy
Committee for approval
Policy Development
• Policy owner ensures
consensus around issue
with primary stakeholders
• Share draft with Counsel
• 21 day campus comment
• Submit to Provost for
Documentation of Policies and Procedures
Oh Give Me a Home…
• A University-wide administrative policy library or
policies held on local (HR, IT, etc.) sites
– Best practice: single site for all policies
– One-stop shop for end users
– Many of the policies are related so this facilitates
movement between policies
– More consistency possible
Documenting Policies and Procedures
• Maintain historical and current policy version(s)
– Assists with legal queries
– Supports standing practices (e.g., students are permitted
to go by policies that were in effect when they
– Provides the historical view
– Highlights key changes
• History “snapshot” available in the policy itself
Operational Choices
• Should you make historical versions readily available,
vs. available upon request?
• Do you save any of the draft versions of the policies?
• How long should you retain policy versions?
• Who will keep the “working” documents?
• Do you need physical or electronic approval prior to
posting a policy or policy revision? Is documentation
of this retained anywhere?
Only show current version. Historical
version(s) available upon request. Print as of
date displayed on copy.
Practices and Pain
• How does your institute handle policy and
procedure documentation?
• Where is the “pain” in your process? (What
could be working better)
Communication and Enforcement
Communicating Policies
Clarity of message
Right communication vehicle(s)
The view long-term
“Put your ear to the ground”
Communication and Enforcement
When making an IT change, not all audiences are “equal”.
• Consider whether or not the message directly impacts the
average user of technical services, or geared towards
technical support staff
• Typical audiences
Technical staff
Incoming or current
• Determine whether or not the change will be visible to the
average user or primarily a “behind-the-scenes” enhancement
Communication and Enforcement
Clarity of the Message
• Be direct
• Specify the change date
• Develop targeted communications appropriate for
the different audiences
• Contrast the changes (old, new)
• Highlight the need or rationale for the change
• Extend the offer of help (if staffed for it)
Communication and Enforcement
• Limit sentences laden with technical phrases, if other
more common phrases will adequately convey the
• Ensure that you have a complete definitions section
• Provide examples where useful (e.g., electronic devices
include cellular phones, personal digital assistants,
electronic storage mechanisms, removal media)
• Test the communication out on representatives from
your target audiences, and fix, if there are challenges
Communication and Enforcement
Getting the Word Out
• Orientation agendas
– Speakers, handouts, videos
• Direct emails, mailings
• Educational postcards,
posters, etc.
• Desk side coaching
• “I agree” statements to click
through when obtaining
accounts, registering to the
network, etc.
Communication and Enforcement
• Partner with tech staff in
• Key policy lists for new
• Signed user agreements, if
• Have a traveling road show!
– Anyone who shows an
• Hold policy brown bags
• Sponsor a “Policies Day”
The “Cost” of Unenforced Policies
Communication and Enforcement
The Cost to Enforce Policies
People (resources)
Marketing/communication expenses
Competition with other priorities
Internal politics (big brother)
Management support
Communication and Enforcement
Monitoring and Enforcement
• Do you, as policy owners, have an institutional
requirement to know how compliant your audience is with
your IT policies?
• Is there an expected frequency for monitoring?
• Do different policies have different requirements?
• Is there management support for addressing noncompliance?
• What are your enforcement options?
• Do you have staff to adequately monitor and enforce your
IT policies?
Communication and Enforcement
Enforcing IT Policies
• The groundwork includes:
Understanding your culture
Identifying partners
Clearly defining roles
Establishing procedures
And educating the community about all four!
Communication and Enforcement
Responding to Complaints
• Focus on gathering evidence
– Determine the root problem. If not technology, get it to
the right hands
– If technology is the root problem, gather evidence. If there
is no evidence, there is nothing to pursue.
• Determine which types of infractions
– Warning, suspension, termination
– Elevate to upper management
– Require law enforcement involvement
• Ensure records are kept confidential
Communication and Enforcement
Consequences of Enforcement
• Intentional vs. unintentional
• Punishment as an example may have an unintended
consequence for the broader organization (no one
will speak up)
Communication and Enforcement
Periodic Reviews and Updates
Core Questions
• Who is responsible for maintaining IT policies in your
• Do you have an established schedule for routine and
comprehensive reviews?
• What triggers the frequency of reviews (e.g.,
importance, most frequently used, volatility of the
technical world)?
• Is there a formal process to follow?
• How do you capture your audience feedback on the
Periodic Reviews and Updates
Maintenance Comparison
• Policy owner updates when
needed (contacts, etc.)
• Annual reminder to review
policy for accuracy
• Comprehensive review
every 3 years
• Requires completion of a
• Flows through established
committee structure
Periodic Reviews and Updates
• Policy owner updates when
needed (contacts, etc.)
• Comprehensive review
every year or as needed
• Working on routinizing a
review schedule and
triggers that can be
Periodic Reviews
Review targets
A deeper dive
• Alignment of policy specifics
to practice
• Alignment of procedures to
• Required vs. best practice
• Accuracy of the
supplemental information
(contacts, links to related
information, forms, etc.)
• Is the requirement too
restrictive for the risk
managed? (cost/benefit)
• Are the requirements
associated to an individual
or unit (departments vs.
• Is the language broad
enough to stand over time?
Periodic Reviews and Updates
Planning and Conducting the Reviews
• Identify the responsible individual(s) for completing
the review
• Identify key contacts to contribute to the particular
• Gather comments/feedbacks/open issues
• Identify issues
– Solicit input from peer institutions
Periodic Reviews and Updates
Revising an Existing Policy
• Is it still needed?
– For example, do you have technical controls in place that
prevents the activity that used to be controlled by policy.
• Are the thresholds, approval levels, requirements
appropriate for the risk managed? What would
be the impact of changing these?
• What have been the weak points in the policy?
• What is the level of compliance?
Periodic Reviews and Updates
It’s a Wrap
Adding to Your Toolbox
• What were the most helpful aspects of this
• What new or different things will you do when
back at your institution?
• How will you expand your base of support?
It’s a Wrap
Your Go-To Resources
• EDUCAUSE Policy Digest newsletter
Subscription-based (free), semimonthly e-newsletter that summarizes, analyzes, and provides
recommendations on public and campus policy issues affecting higher education. From the
EDUCAUSE Policy Analysis and Advocacy program.
• EDUCAUSE Policy Discussion Group
[email protected]
A place for fruitful, engaging discussion on campus policy issues, for sharing about current
practices, and learning from each other about emerging areas of concern to the campus IT
policy community.
• Information Security Guide
A compendium of information providing guidance on effective approaches to the application of
information security at institutions of higher education. From the Higher Education
Information Security Council. Its content is actively maintained by a large group of volunteers
who are information security practitioners at a variety of colleges and universities.
It’s a Wrap
Your Go-To Resources
• Institute for Computer Policy and Law (ICPL)
The Institute for Computer Policy and Law at Cornell University is an intensive
annual four-day seminar examining the impact that widespread use of the
Internet has on college and university policies, procedures, and judicial
• Association of College and University Policy
Administrators (ACUPA)
An informal association of professionals who formed a network to discuss college
and university policy issues.
It’s a Wrap
Your Go-To Resources
• Here at EDUCAUSE 2011
– Meet the EDUCAUSE Policy Analysis and Advocacy Staff
Thursday, October 20th, 10:00-10:30 a.m. at EDUCAUSE
– EDUCAUSE Policy Team Community Update
Thursday, October 20th, 4:00-4:50 p.m. at Meeting Room
– Campus IT Policy Discussion Session
Thursday, October 20th, 5:00-5:50 p.m. at Meeting Room
It’s a Wrap
Your Go-To Resources
• NACUA Workshop, in cooperation with
EDUCAUSE, on “College and University
Compliance Programs: Organization and Key
Compliance Obligations”
November 9-11 in Washington, D.C.
It’s a Wrap
Our Thanks to You!
Jenny Mehmedovic
University of Kansas
[email protected]
Michele Gross
University of Minnesota
[email protected]