Information Technology Policy Development

Information Technology (IT) policies articulate the university's vision, strategy, and principles as they relate to the use of information and information technology resources. They are designed to guide organizational and individual behavior and decision-making. University-wide IT guidance comes in these categories:

• IT Policies

  IT Policies articulate the university's values, principles, strategies, and positions relative to a broad IT topic. They are designed to guide organizational and individual behavior and decision-making. They are concise, high-level, and independent of a given technology. University IT policies are mandatory.

  These policies are approved by U-M executive officers and are part of the Standard Practice Guide, the university's policy repository.

• IT Standards

  IT standards specify requirements for becoming compliant with university IT and other policies, as well as applicable laws and regulations. Standards may include technical specifications and are mandatory.

• IT Guidelines

  IT guidelines provide guidance and best practices relative to a particular IT topic. They may accompany, interpret, or provide guidance for implementing IT policies, other university policies, or applicable laws and regulations. University IT guidelines are not mandatory.

• IT Procedures

  IT Procedures document "how to" accomplish specific IT tasks or use IT services. These procedures may be localized to reflect the practices or requirements of a specific unit.

IT Policy Development

The development and management of IT policies is conducted in compliance with SPG 601.35, Development of University Policy, and follows the Procedures for Development of University Policy.

IT policies must be credible, implementable, enforceable, and sustainable. To that end, they should reflect the following:

• 
  U-M environment
  Alignment to core academic, research, learning and teaching, and administrative missions.
• 
  Legal and regulatory environment
  Compliance with all statutory requirements.
• 
  Risk environment
  Accounting for an ever-changing array of environmental, technological, and operational risks.
• 
  Best practices
  Consideration for industry and higher education best practices.

IT Policy Management and Oversight

The Vice President for Information Technology and Chief Information Officer (VPIT-CIO) has oversight responsibility for IT policy. Information Assurance (IA), by delegation of the VPIT-CIO, coordinates the IT policy function for U-M, with responsibility for policy development, education, and maintenance. IA maintains a repository of institutional IT policies, standards, and guidelines.

The IT Policy Development and Administration Framework specifies the process for drafting new—or revising old IT policies.

The VPIT-CIO has final approval authority for IT standards, guidelines, and procedures.