IT Policy Development and Administration Framework | Office of the VPIT-CIO

Issued: November 2011
Approved by Executive Officers: September 2011
Last Revised: February 2021

Authorization and Scope
Rationale
Principles
Roles and Responsibilities
IT Policy Governance and Approval
Stakeholder Involvement
IT Policy Structure and Criteria
Approach and Publication
IT Policy Life Cycle Process
Appendix 1: IT Policy Structure Definitions
Appendix 2: IT Policy Criteria Decision Tree
Appendix 3: IT Policy Decision Matrix
Appendix 4: IT Policy Decision Flow Chart

Authorization and Scope

The responsibility for university-wide IT policy management has been assigned to Information Assurance (IA). This includes:

Coordination of IT policy and underlying development, dissemination, and education
Review and analysis of existing policies for continued applicability and effectiveness.
Interpretation of current policy related to specific issues, situations and incidents.

The IT policy framework covers all campuses, including UM-Dearborn, UM-Flint, and Michigan Medicine; unit-level policies and guidelines are out of scope. It is a principle of this framework that, wherever appropriate, policies should apply to all members of the university community. University IT policies apply to all users of U-M IT resources, including students, faculty, staff, workforce members, and sponsored or guest users.

Rationale

Information technology policies articulate the university's vision, strategy, and principles as they relate to the management and use of information and information technology resources, while supporting core academic, research, and teaching and learning missions. Further, IT policies also ensure compliance with applicable laws and regulations, promote operational efficiency, and manage institutional risk by specifying requirements and standards for the consistent management of IT resources across the university. This university-wide IT policy framework specifies:

Structure and criteria for what should be categorized as an IT policy, guideline, or standard
A process for initiating, reviewing, approving, and expiring IT policies
Ongoing roles and responsibilities associated with IT policy development and maintenance

Principles

The IT policy structure and process reflect the following principles:

Policy work shall be initiated when there is a compelling need for new or revised policy. Triggers may include new technologies, new laws or regulations, or operational or compliance needs that are not appropriately covered by existing policies or guidance.
Policies and guidance shall be credible, implementable, enforceable, and sustainable. Impact analysis on both IT systems and end-users should be included in the policy planning and review processes.
Any unit may request consideration of new IT policies or changes to existing policies that apply university-wide; the process to be followed for such consideration is outlined in this IT policy development and administration framework.
IT policy development will be accomplished via individual workgroups convened to address specific topics. Each team will include appropriate subject matter experts. IA will provide a central coordination function to ensure consistency and to address policy dependencies.
The policy development process will be transparent. Input from stakeholders will be addressed and/or incorporated throughout the process. Preliminary/interim policies and guidelines will be posted and disseminated to solicit feedback.
The policy development process will be flexible. Circumstances may necessitate the publishing of best practices as a stop-gap to provide immediate guidance while a policy is being developed, vetted, and approved. In other cases, a policy may be established with detailed guidance to be provided at a later time.
University-wide policies should be considered a floor, not a ceiling. Unit-level policies, guidelines, standards, or procedures may be developed to supplement university-wide guidance. They must meet the minimum criteria set forth in university-wide policies and related guidance, but may be more restrictive.

Roles and Responsibilities

The roles and responsibilities defined below represent the staff positions or groups most directly involved in IT policy development.

Vice President and Chief Information Officer (VP-CIO): The Vice President and CIO has overall responsibility for IT policy and policy development at U-M, and approves new and revised standards and guidelines based on the recommendation of the Chief Information Security Officer.

Chief Information Security Officer (CISO): The CISO works with the Assistant Director of Privacy and IT Policy to ensure alignment of the IT Policy program with Office of the CIO and University of Michigan objectives and priorities. The CISO also serves as the liaison between the IA staff managing the IT policy function and the Vice President and CIO, and the IT Council.

IT Policy and Compliance Staff: IT policy and compliance staff provide overall direction for the IT policy function, including responsibilities for identifying and prioritizing policy needs, ensuring appropriate campus involvement in policy development, and conducting research and benchmarking for emerging policy development.

The Assistant Director of Privacy and IT Policy provides day-to-day support for the policy development function, serves ex officio on policy development working groups, and plans and executes policy education and awareness efforts. Specifically, this includes managing an annual review and analysis of existing policies, standards, and guidelines for continued applicability and effectiveness; interpretation of current policies in response to unit/departmental inquiries or specific incidents.

IT Policy Governance and Approval

The IT governance structure established in 2010 sets campus-wide priorities for IT services, resources, and facilities.

The IT policy function resides with the Office of the Vice President and Chief Information Officer, with delegated responsibilities to Information Assurance for policy development, coordination, education, and maintenance.

The following identifies the different levels of governance review, approval, and vetting of policies, standards and guidelines (initially drafted by IT policy development working groups):

CISO: Initial review of policies, guidelines, and standards.
VP-CIO: First level of governance review for IT policies; final approval of guidelines and standards before adoption and dissemination to campus; the VP-CIO is the sponsoring executive officer responsible for presenting proposed and revised SPGs to the IT Executive Committee for final approval.
IT Council: Second level of governance review for IT policies; new or substantially revised policies require IT Council approval.
IT Executive Committee: Final level of governance review for IT policies; policies recommended for adoption as a new or revised Standard Practice Guide require approval of the IT Executive Committee.

Stakeholder Involvement

Campus stakeholders will be engaged throughout the IT policy development process—in both individual and group settings—to ensure that all appropriate perspectives are accounted for and incorporated as feasible in final versions of new or revised policies, standards, and guidelines. IA maintains a list of potential stakeholders to be involved at various stages in the IT policy life cycle process.

Specific individuals and groups will be identified during the planning and initiation phase of a given policy, standard, or guideline. Membership in policy development working groups will vary based on the primary content of a policy being developed. The IT Policy and Compliance Lead will serve ex officio and provide staff support to all working groups. In general, any faculty or staff member will be able to provide comments on draft and interim policies, standards, and guidelines on the IT policy web site. Specific stakeholders may be identified and solicited to provide input and review draft documents, while others may be only in the need to inform category.

Students, student groups, and student governments will have opportunities to provide input and feedback on draft policies, standards, and guidelines that deal with student code of conduct amendments or have the potential to impact availability of, or access to, IT resources for students.

IT Policy Structure and Criteria

Categories of university-wide guidance (see Appendix 1 for additional information about these categories):

University IT Policies articulate the university's values, principles, strategies, and positions relative to a broad IT topic. They are designed to guide organizational and individual behavior and decision making. They are concise, high-level, and independent of a given technology. University IT policies are mandatory. All new or substantially revised policies, once approved by the IT Executive Committee, will be submitted to University Audit for inclusion in the online Standard Practice Guide.
Example: Information Security Policy (SPG 601.27)
University IT standards specify requirements for becoming compliant with university IT policies, other university policies, as well as applicable laws and regulations. Standards may include technical specifications. Standards are mandatory.
Example: Third Party Vendor Security and Compliance (DS-20)
University IT guidelines provide guidance and best practices relative to a particular IT topic. They may accompany, interpret, or provide guidance for implementing IT policies, other university policies, or applicable laws and regulations. University IT guidelines are not mandatory.
Example: eDiscovery at the University of Michigan (DM-08)
IT Procedures document "how to" accomplish specific IT tasks or use IT services. These procedures may be localized to reflect the practices or requirements of a specific unit.

Approach and Publication

The IT policy framework will create processes and structures that are consistent with the university Standard Practice Guide, specifically the Procedures for Development of University Policy on the SPG website as they apply to information and information technology policies. The SPG website maintains in its Policies by Category a section with all current information technology policies. All prospective new IT policies as well as existing IT policies that are being formally reviewed will be highlighted in Policies Under Review. Multiple communication methods and vehicles will be employed to widely disseminate policies, standards, and guidelines, both while under review and after final approval.

While it is necessary to provide a flexible policy/guidance structure that keeps pace with technological innovations, process simplicity will be balanced with concerns over legal exposure and assurance of stakeholder collaboration. Ultimately, this policy framework will result in a process that provides proper scoping, collaborative development, and structured vetting and approval.

IT Policy Life Cycle Process

The IT policy life cycle process is based on the policy development processes published by several universities and guidance issued by the Association of College and University Policy Administrators (ACUPA). It applies to university-level guidance including policies, standards, and guidelines. Standards and guidelines require fewer approvals than policies submitted for approval to be added to the SPG catalogue.

Identification, Planning and Initiation
1. Identify compelling need for new or updated policy/guidance. Drivers may include new regulatory requirements, technology developments, operational needs, and identification of current issues or gaps. Request may come from any unit, central office, or IA.
2. Determine whether the need should be satisfied by a policy, guideline, or standard (See Appendix 2: IT Policy Criteria Decision Tree)
3. Identify sponsorship, stakeholders, working group members and their relevant roles
4. Develop high level implementation impact analysis
5. Obtain approval to proceed with draft policy (or guideline, standard)
6. Prioritize and schedule policy work
Development, Review, and Approval
1. Draft initial policy (guideline, standard)
2. Distribute to a small group of stakeholders for initial review and input
3. Incorporate initial feedback
4. Distribute to a larger group of stakeholders for review and input
5. Post final draft on the IT policy web site for general feedback
6. Review and, where appropriate, incorporate feedback
7. Present to appropriate governance entity for approval
8. Obtain approval
Rollout
1. Post and announce guidance (policy standard, guideline)
2. Conduct educational activities
3. Initiate implementation activities (efforts to develop/update standards and guidelines may be needed for some new policies)
4. Determine ongoing review cycle.
Compliance, Review and Maintenance
1. Monitor compliance and effectiveness of implemented guidance
2. Review and implement modifications per review cycle (last revision and review dates shall be posted on each policy). IA, the policy owner will generally be responsible for most policy reviews.
Policy Retirement
1. As part of the maintenance and review process, policies, standards, and/or guidelines may be identified as out-of-date or no longer needed. They will be retired via the same process by which they were approved.

Appendix 1: IT Policy Structure Definitions

Category	Purpose	Applicability	Approval Authority	Communications Approach	Frequency of Change	Other Characteristics and Notes
University IT Policies	Have broad application throughout the university Articulate university’s values, principles, strategies, and positions Guide institutional decisions and direct individual behavior Support and enhance university’s mission Clarify requirements and exceptions Interpret and help comply with laws and regulations Help manage institutional risk Help promote operational efficiency	University-wide, all campuses Typically apply to all users of university information resources (students may have separate policies/codes of conduct)	One or more university executives (Provost, EVP/CFO, EVPMA, VP-CIO)	Formally published as SPGs Web version published on IT policy site	Review every 5 years	Mandatory Independent of specific technologies Short, concise, clear Must be credible, implementable and enforceable Consequences of non-compliance are typically provided Accountability for implementation must be specified Includes definition of terms (that are consistent across policies) Template (link tbd)
University IT Standards	May accompany, interpret, or specify requirements for implementing IT policies or policy aspects Serve to accomplish compliance or risk mitigation May interpret laws and regulations (for example, may specify acceptable encryption methods to accomplish HIPAA compliance) May specify rules for using a specific IT service	University-wide, all campuses (for a given topic)	IT process owner for a given topic or IT service provider	Web version published at IT policy site	Review every 2 years	Mandatory May depend on specific technologies Clear and specific
University IT Guidelines	Provide guidance and best practices relative to a particular IT topic May accompany, interpret, or provide guidance for implementing IT policies or policy aspects	University-wide, all campuses	IT process owner for a given topic	Web version published at IT policy site	Review annually	Not mandatory, may provide alternative approaches May depend on specific technologies Typically reference a parent policy Template (link tbd)
University IT Procedures	Detailed step-by-step instructions May implement policies or guidelines	As stated	Applicable IT service provider	Posted at appropriate website	Review every 2 years	Must be consistent with IT policies and applicable standards
Campus IT Policies, Standards, or Guidelines	As defined above when unique campus-level requirements exist. For example, UMHS has a set of detailed campus-level policies to address HIPAA requirements.	Campus-wide (Health System, Flint, Dearborn)	Applicable campus authority	Posted at appropriate website		Out of scope for IT policy project Needed only when campus-level unique situations need special handling Consistent with university policies but may be more restrictive
Unit-Level IT Policies, Standards, or Guidelines	As defined above when unique unit-level requirements exist	Unit-wide	Applicable campus authority	Posted at appropriate website	Review every 2 years	Out of scope for IT policy project Must be consistent with IT policies and applicable standards but may be more restrictive Needed only when campus-level unique situations require special conditions

Appendix 2: IT Policy Criteria Decision Tree

An IT Policy Decision Matrix and Decision Tree flow chart are available as planning guides and process reminders for policy development working groups. Both are based on the process flow described below.

IT Policy Decision Matrix (Appendix 3)
IT Policy Decision Tree Flow Chart (Appendix 4)

During the Planning and Initiation step of the IT policy life cycle process, the need for new or updated guidance may be triggered by various issues such as:

Laws, regulations or best practices which require new or updated guidance
Implementation of IT services or new technologies that require new or updated policies
Risk assessment, audits, and/or reviews of existing policies/guidance that reveal inconsistencies or gaps
Operational issues that require clarification of university's position

The planning process involves stepping through a list of questions to determine whether there is a compelling need for a guidance effort and, if so, what type of guidance (policy, standard, guideline) needs to be created. Questions and suggestions for relevant decisions are listed below.

What are the consequences/risks of not having documented guidance covering this topic? If the answer to any of the above is "yes," documented guidance may be necessary.
1. Is there is a legal requirement to have documented guidance?
2. Are there operational issues that require clear statement of direction?
3. Is there new technology (such as cloud computing) that requires university-wide guidance?
4. Will documenting (and implementing) this guidance mitigate risks?
What are the consequences/risks of having documented guidance covering this topic? If the guidance is necessary but not implementable across the university within a reasonable time frame, starting with guidelines (rather than a policy) is preferable. If there is a contradiction or inconsistency between the proposed guidance and existing policies or laws, further analysis is necessary with the participation of appropriate stakeholders to determine how to handle. An existing policy may be obsolete or substantially out-of-date; therefore, updating or expiring the existing policy may be the appropriate option.
1. Is this guidance implementable?
2. Does this guidance represent a strategy that we would like units to plan for, although it may not be currently implementable?
3. Is there an existing policy (SPG) that already addresses this topic?
4. Does the proposed guidance contradict (explicitly or implicitly) current university policy, bylaw, or other laws/regulations?
Should this guidance be mandatory? Is it technology-dependent? If the guidance is mandatory, implementable, and applicable across the university, and technology-independent, it should be stated as a policy. If it is mandatory, implementable, and applicable across the university, but specific to a particular technology, it should be stated as a standard. Another option is to create a combination of a short, high-level policy statement, and a detailed, technology-dependent standard.
1. Is there a federal or state law requiring the university to follow this?
2. Is there a contractual obligation for the university to follow this?
3. Is there another reason why this should be mandatory?
4. Will this guideline change when new technology is implemented? What part of the guidance is technology-dependent and what part can be stated as a general policy?
Can the essence of this guidance be summarized in no more than one page?
Short, high-level policy statements will typically be documented as a policy. More detailed documentation can be provided as standards, guidelines, or procedures. If the guidance cannot be summarized succinctly, and an umbrella policy does not exist, it may need to be represented as a combination of a policy and guidelines or standards.
How often do policies and related guidance need to be reviewed in order to stay current and applicable?
The review periods for policies and related guidance vary depending on the type of policy. University policies (SPG) should be reviewed at least every five years to ensure that policies are meeting legal and regulatory obligations, best practices, and keeping up with technological change.
Are policy exemptions or exceptions allowed?
Exemptions to policies and related guidance are generally not allowed. If an exemption is necessary, then the requesting party must comply with the policy exception process. This process will be maintained and coordinated by the IA IT Policy Lead.
What determines whether a policy is university-wide or unit-level? These questions do not determine the category (policy, guideline, standard) but rather the scope for applicability.
1. Should this guidance apply university-wide to all users of university information resources?
2. Should this guidance apply university-wide to all IT providers?
Is this guidance specific to information technology? What other campus domains are involved and who should be included in policy drafting and decision-making?
Sometimes, the implementation of an IT service may trigger the need for a policy that relates to multiple domains (HR, student, other), and it may or may not involve IT decisions. It is important to assess this situation with the appropriate stakeholders and determine who should be the primary owner of the policy. There may be cases where an HR or Communications Office policy, for example, should be implemented and supported by an IT Standard or Guideline (e.g., Preferred Name Policy; Web Privacy Policy or Web Accessibility Policy).

Appendix 3: IT Policy Decision Matrix

Overview

This document outlines the decision points to determine if a policy, standard, or guideline is required.

Prerequisites

If the answer to any of the following is "yes", then continue with the questions to determine what kind of documented guidance may be necessary.
Is there is a legal requirement to have documented guidance?
Are there operational issues that require clear statement of direction or policy?
Is there new technology (such as cloud computing) that requires university-wide guidance?
Will risks be mitigated by documenting (and implementing) this guidance?

Criteria	If Yes	If No
Is it implementable across the University?	Continue to #2	Create a Guideline
Is it compliant with existing policies or laws?	Continue to #3	Conduct further analysis with participation of appropriate stakeholders to determine how to handle
Is it applicable across the University?	Continue to #4	Skip to #9
Can it stand more than 1 year without review?	Continue to #5	Skip to #9
Would there be only a low number of exceptions?	Continue to #6	Skip to #9
Is it independent of a specific technology?	Continue to #7	Create a Standard or Create a high-level Policy and a detailed technology-dependent Standard
Does an umbrella policy not exist?	Continue to #8	Use the umbrella Policy and Create detailed Standard(s), Guideline(s), or Procedure(s)
Can it be summarized in approximately one page?	Create a Policy * and * Detailed Standard(s), Guideline(s), or Procedure(s), if needed	Create a high level Policy and A combination of Standard(s) and/or Guideline(s)
Is it mandatory?	Create a Standard	Create a Guideline

Appendix 4: IT Policy Decision Flow Chart

Download PDF