Enterprise IT Policy Development and Approval Process
Enterprise IT Policies are broad requirements that provide a link between the University of Iowa Manual of Operations and underlying Standards and Best Practices. Because Policies have a wide impact, their creation and modification require broad input and feedback from the OneIT community and other stakeholders, typically involving a minimum of 90 days for comment prior to adoption. Policies are created and maintained by the Information Security and Policy Office (ISPO), under the oversight of the University Chief Information Officer (CIO), and are incorporated by reference into the University of Iowa Operations Manual (Section 19.4.i). Enterprise IT policies have University-wide application and carry institutional force and effect.
Standards cover more granular and specific requirements to support policies. They may reference specific technologies, protocol versions, or other well-defined items. Both policies and standards may be used by Internal Audit and other groups to measure compliance. Because standards are often driven by forces outside our control (e.g., contract, regulation, technology lifecycles), they may have more limited feedback and review periods shorter than 90 days. However, community notification is required as these standards change.
Best Practices are a collection of effective procedures that help guide members of the University community in their use of technology. Best practices may cover emerging technologies where standards do not yet exist, or they may provide more detail for adherence to policies and standards.
Enterprise IT Policies, Standards, and Best Practices serve to ensure that the University’s obligations for compliance with laws, regulations, contracts and agreements are met, and to reduce both individual and institutional risk.
- Individual units within the University may define policies and conditions of use for IT resources under their control. These policy statements must be consistent in principle with enterprise IT policies, but they may provide additional details, guidelines or restrictions. This is not a means for creating exceptions to enterprise policies.
- New policies or changes to existing policies can come from any individual or unit in the campus IT community but must follow the process outlined below before becoming official University policy.
- Non-substantive revisions, including formatting, editorial improvements and lists of related resources, may be made at the discretion of the Information Security and Policy Office (ISPO).
- High priorities for policy development include the need to remain current with evolving legal, compliance, and regulatory requirements; to document unwritten de facto policies; and to address common concerns.
Role of the Information Security and Policy Office (ISPO)
- Oversee the policy development and approval process, including the regular, periodic review of policies and standards, as well as the creation of new policies and standards.
- Present proposed changes to the OneIT community via email and public presentation (e.g., during the monthly Security Seminar).
- Receive and distill comments from the members of the OneIT community and from other campus individuals and groups as appropriate.
- Ensure that the language is consistent with other University policies, state and federal laws and regulations, and University contracts and agreements.
- Make a final recommendation to the CIO (after a review period, including review by the Information Risk & Policy Council, IRPC) that the policy be approved or rejected.
- Publish the policy on the University IT Policy website.
Role of the Campus OneIT Community
- Inform the ISPO of the need for policy additions and changes as these needs arise.
- Inform the ISPO, CIO, and/or Information Risk & Policy Council if any advisory committees and councils (e.g., ITAC, ATAC, or STAC) should also review or make recommendations on the proposed policy.
- Distribute notice of the proposed policy as appropriate to their constituents and to other stakeholders.
- Provide a response, acknowledgement, and/or feedback to ISPO on recommended changes.
Role of the Information Risk & Policy Council
- Provide feedback to the ISPO and CIO on the policy development and approval process.
- Inform the ISPO and CIO if other stakeholders should provide feedback on proposed policy changes.
- Receive feedback from the university community.
- Perform final review of proposed changes prior to CIO approval.
Role of the Chief Information Officer (CIO)
- Make final decision regarding approval or rejection of the policy proposal, based on feedback from and in consultation with the OneIT Community, advisory groups, and others, as well as the recommendation of ISPO and IRPC.
- Share final policy with President, Provost, Vice Presidents, General Counsel, Deans, DEOs, and other groups as appropriate.
Notice and Enforcement
- Enterprise IT policies are published by ISPO at http://itsecurity.uiowa.edu/university-it-policy.
- Comments from the University community may be addressed to the CIO, ISPO, and the Information Risk & Policy Council.
- Implementation and policy compliance issues will be handled by colleges and administrative units, or through a campus-wide effort, as appropriate. Certain areas of policy compliance will be supervised by designated units (e.g., Treasury and ISPO for PCI compliance). The Office of Internal Audit may also monitor policy compliance as part of its official role.
- Concerns about policy violations will usually be addressed informally. Technical enforcement may include isolating a non-compliant device from the campus network, disabling network access for a specific user account, etc. Where sanctions are appropriate, they will be handled in accordance with the Acceptable Use Policy in the University of Iowa Manual of Operations.