IT Policy Process PDF iconit-policy-process-flowchart2014.pdf

IT Policy Digest  


  1. Enterprise information technology (IT) policies are policies created by the University IT community, under the oversight of the University Chief Information Officer (CIO), and are incorporated by reference into the University of Iowa Operations Manual (Section 19.4.i).  Enterprise IT policies have University-wide application and carry institutional force and effect.
  2. Campus IT standards are sets of criteria (some of which may be mandatory), voluntary guidelines, and best practices.  Standards may be attached to policy for clarification or to aid with implementation or enforcement, or they may serve as standalone recommendations.
  3. A high priority for policy development is the need to document unwritten de facto policies and to address common concerns.
  4. Individual units within the University may define policies/conditions of use for IT resources under their control.  These policy statements must be consistent in principle with enterprise IT policies, but may provide additional detail, guidelines or restrictions.
  5. New policies or substantial changes to existing policies can come from any individual or unit in the campus IT community, but must follow the process outlined below before becoming official University policy.
  6. Non-substantive revisions affecting form, including editorial improvements, may be made at the discretion of the Information Security and Policy Office. 

Role of the Author 

  1. Draft policy proposal.
  2. Present to OneIT Leaders committee.  This formal presentation should address:
  • Why is it needed?  (Rationale for the new/changed policy)
  • What does it involve?  (Effect, influence, or change)
  • Who is affected?  (Stakeholders and how does it affect them)
  1. Distribute and/or present the policy proposal to other groups specified by the Information Security Risk & Policy Committee and OneIT Leaders for review and feedback.
  2. Incorporate all (accepted) changes to the policy proposal, based on feedback, consultation, comments, suggestions, etc. forwarded from the Information Security Risk & Policy committee. 

Role of the Campus OneIT Leaders  

  1. Inform the author, CIO, and/or Information Security Risk & Policy Committee if any advisory committees and councils (e.g., ITAC, ATAC, or STAC) should also review or make recommendations on the proposed policy.
  2. Distribute notice of the proposed policy as appropriate to their constituents and to other stakeholders (e.g., departmental Network Security Contacts).
  3. Provide a response, acknowledgement, and/or feedback to the Information Security Risk & Policy Committee on recommended changes and next steps. 

Role of the Information Security Risk & Policy Committee  

  1. Receive and distill comments from the OneIT Leaders, IT staffs, and other campus individuals and groups as appropriate.
  2. Work with the author to refine the policy and ensure that the language is consistent with other University policy.
  3. Make a final recommendation to the CIO (after the 90 days review period) that the policy be approved or rejected. 

Role of the Chief Information Officer (CIO) 

  1. Make final decision regarding approval or rejection of the policy proposal, based on feedback from IT, advisory groups and others, as well as the recommendation of the Information Security Risk & Policy Committee.
  2. Share final policy with President, Provost, Vice Presidents, General Counsel, Deans, DEO’s, and other groups as appropriate.
  3. Publish the policy for the University community. 

Notice and Enforcement 

  1. Enterprise IT policies are published by the CIO and available at
  2. Comments from the University community will be directed to the CIO and the Information Security Risk & Policy Committee.
  3. Implementation and policy compliance issues will be performed by colleges and administrative units, or through a campus-wide effort, as appropriate.
  4. Concerns of policy violations will usually be addressed informally. Where sanctions are appropriate, they may include a formal reprimand, loss of user privileges for a definite or indefinite period, termination of employment, or, in the case of a student, probation, suspension, or expulsion from the University.