Information Technology (IT) policies articulate the university's vision, strategy, and principles as they relate to the use of information and information technology resources. They are designed to guide organizational and individual behavior and decision-making. University-wide IT guidance comes in these categories:
-
IT Policies
IT Policies articulate the university's values, principles, strategies, and positions relative to a broad IT topic. They are designed to guide organizational and individual behavior and decision-making. They are concise, high-level, and independent of a given technology. University IT policies are mandatory.
These policies are approved by U-M executive officers and are part of the Standard Practice Guide, the university's policy repository.
-
IT Standards
IT standards specify requirements for becoming compliant with university IT and other policies, as well as applicable laws and regulations. Standards may include technical specifications and are mandatory.
-
IT Guidelines
IT guidelines provide guidance and best practices relative to a particular IT topic. They may accompany, interpret, or provide guidance for implementing IT policies, other university policies, or applicable laws and regulations. University IT guidelines are not mandatory.
-
IT Procedures
IT Procedures document "how to" accomplish specific IT tasks or use IT services. These procedures may be localized to reflect the practices or requirements of a specific unit.
IT Policy Development
The development and management of IT policies is conducted in compliance with SPGĀ 601.35, Development of University Policy, and follows the Procedures for Development of University Policy.
IT policies must be credible, implementable, enforceable, and sustainable. To that end, they should reflect the following:
-
U-M environment
Alignment to core academic, research, learning and teaching, and administrative missions. -
Legal and regulatory environment
Compliance with all statutory requirements. -
Risk environment
Accounting for an ever-changing array of environmental, technological, and operational risks. -
Best practices
Consideration for industry and higher education best practices.
To aid the development and management of IT policies, ITS has adopted a detailed IT Policy Development and Administration Framework. The framework specifies:
- Structure and criteria for what should be categorized as an IT policy, standard, guideline, or procedure
- A process for initiation, review, approval, and expiration
- Ongoing roles and responsibilities for development and maintenance.
IT Policy Management and Oversight
The Vice President for Information Technology and Chief Information Officer (VPIT-CIO) has oversight responsibility for IT policy. Information Assurance (IA), by delegation of the VPIT-CIO, coordinates the IT policy function for U-M, with responsibility for policy development, education, and maintenance. IA maintains a repository of institutional IT policies, standards, and guidelines.
The VPIT-CIO has final approval authority for IT standards, guidelines, and procedures.
The IT Executive Committee has final approval authority for new or revised Standard Practice Guide policies related to Information Technology.