Information technology policies articulate the university's vision, strategy, and principles as they relate to the use of information and information technology resources. IT policies interpret applicable laws and regulations and ensure that the policies are consistent with legal and contractual requirements. In addition, IT policies specify requirements and standards for the consistent use of IT resources across the university.
Policy Oversight and Approval
The Vice President for Information Technology and Chief Information Officer (VPIT-CIO) has oversight responsibility for IT policy. Information Assurance (IA), by delegation of the VPIT-CIO, coordinates the IT policy function for U-M, with responsibility for policy development, education, and maintenance; IA maintains a complete repository of institutional IT policies, standards and guidelines.
The IT Policy Development and Administration Framework specifies the process for drafting new IT policies or revising old ones. The IT Council and IT Executive Committee have reviewed and approved the framework.
The U-M IT governance groups set campus-wide priorities for IT services, resources and facilities. Policies, standards, and guidelines have different levels of final approval authority. Specifically:
- The VPIT-CIO has final approval authority for IT guidelines and standards.
- The IT Executive Committee has final approval authority for new or revised Standard Practice Guide policies.
IT Policy Development
The IT Policy Development and Administration Framework describes four levels of U-M IT policy documentation:
- IT policies articulate the university's values, principles, strategies, and positions relative to a broad IT topic. They are designed to guide organizational and individual behavior and decision-making. They are concise, high-level, and independent of a given technology. University IT policies are mandatory. These policies are approved by U-M executive officers and are part of the Standard Practice Guide, the university's policy repository.
- IT standards specify requirements for becoming compliant with university IT policies, other university policies, and applicable laws and regulations. Standards may include technical specifications and are mandatory.
- IT guidelines provide guidance and best practices relative to a particular IT topic. They may accompany, interpret, or provide guidance for implementing IT policies, other university policies, or applicable laws and regulations. University IT guidelines are not mandatory.
- IT procedures document "how to" accomplish specific IT tasks or use IT services. These procedures may be localized to reflect the practices or requirements of a specific unit.
Several key drivers will help determine IT policy priorities. These include:
- U-M environment: Policies should align to core academic, research, learning and teaching, and administrative missions.
- Legal and regulatory environment: Policies should be in compliance with all statutory requirements.
- Risk environment: Policies should satisfactorily account for an ever-changing array of environmental, technological, and operational risks.
- Best practices: Policies should reflect industry and higher education best practices.
Information Assurance (IA) coordinates a university-wide, systematic IT policy initiative. This IT policy program will develop and maintain IT policies that are in step with emerging technologies and align with the university's mission. To support the IT policy development process, a detailed framework was adopted that:
- Determines when to establish a policy, guideline or standard
- Determines the criteria for what should be in a policy, guideline or standard
- Creates a collaborative methodology for the drafting, approving, updating, and expiration of policies, standards, and guidelines
- Documents and publishes policies, standards, and guidelines
- Serves as a campus-wide resource to consistently interpret and arbitrate policies
- Measures policy effectiveness and level of adoption