IT Policy Principles and Procedures FY 2013-2014
Information technology policy will be developed, implemented, monitored, endorsed and enforced using the following principles and procedures at the UW-Madison.1
It is necessary to implement IT policy to comply with federal and state laws, and to meet internal institutional needs. IT policy provides guidance, and establishes expectations for IT consumers and producers in the UW-Madison community.
The IT Policy Principles and Procedures outline the process for creating IT policy at UW-Madison. The policy development process is aligned with the Strategic Plan for Information Technology.2 Policy development procedures encourage collaboration and communication throughout the campus community, and provide a basis for sound planning practices that support strong decision-making. The roles and responsibilities for those involved in the policymaking process, including the role of campus governance groups, are also identified. The principles and procedures detail a policy development process that:
- is transparent,
- aligns IT policies with institutional and local goals and needs,
- ensures only needed policies are developed,
- ensures policies are consistent,
- ensures policies are appropriately reviewed, and
- includes mechanisms for policy implementation and revision.
The IT Policy Principles and Procedures guide IT policy development at UW-Madison. The principles and procedures apply to all components of UW-Madison. The glossary is an extension of these principles and procedures.3
III. Roles and Responsibilities
The following are stakeholders in the IT policy development process.4
- Chief Information Officer and Vice Provost for Information Technology
The Chief Information Officer and Vice Provost for Information Technology is responsible for of IT policy development at UW-Madison.
Role: The CIO, along with advisors and assistants, leads IT policy in order to assure that:
- Policies address compelling needs, are consistent with campus culture and strategies, and there is appropriate sponsorship when planning an IT policy initiative.
- There is campus buy-in, appropriate review and revision, and practical implementation of IT policy.
- Shared Governance
UW-Madison has a strong commitment to shared governance and distributed management. The governance and process for IT policy must incorporate stakeholders from throughout the institution.
Shared governance for IT policies is already in place. The Information Technology Committee^5^ (ITC) is the primary shared governance committee for IT policy. The involvement of shared governance helps assure alignment with institutional culture and the goals and needs of broad campus constituencies.
Role: The ITC and the CIO engage in an ongoing dialogue regarding the specifics of how shared governance should be involved in the policy development process.
- Deans, Directors and other Campus Executives
Executives can provide high-level coordination of IT policy with other areas of institutional policy. Executives help assure alignment with the goals and needs of schools, colleges and divisions, and they encourage the development of the institutional and local infrastructure and procedures needed to support compliance.
Role: One or more representative groups provide a high level coordination and sponsorship.
- Operational--level management
Operational-level leaders assure alignment with the operational goals and needs of their units, integration of institutional policy with local policy and processes, and the development of local infrastructure and procedures to support compliance.
Role: One or more representative teams of operational level leaders and managers analyze the issues and make recommendations related to IT policy proposals. These teams could be chartered by an executive level group of Deans and Directors.
- Technologists, Support Staff and Users
The involvement of technologists, support staff and user communities such as faculty, staff and students helps assure that a proposed policy is desirable and feasible from a technical perspective, and that compliance is practical for those creating, maintaining and using the related technical infrastructure or services.
Role: The operational level team(s) identified above charter policy issues teams to perform specific detailed research, provide specialized expertise, expand involvement by a broad spectrum of those affected (for example: faculty, staff and students) and provide other support to the operational level management team(s).
IV. Principles of the Policy Development Process
The policy development process is used to create new IT policies, and supporting guidelines and standards for policy implementation. Policy development can originate anywhere on campus, but development should follow this process, and these principles.
Principle 1: To ensure campus-wide input and collaboration, planning for new policy initiatives will incorporate needs from many venues and campus groups, including, but not limited to, the UW-Madison Strategic Plan for IT Policy, IT Policy Forums, and the Policy Planning Team.
Principle 2: When planning policy development it is necessary to assure there is:
- compelling need,
- strategic alignment,
- appropriate policy scope, and
- adequate executive sponsorship.
Principle 3: Throughout the policy development process it is necessary to ensure there is:
- transparent process,
- inclusive representation,
- appropriate review and revision, and
- practical implementation.
Principle 4: Policy development follows a designated process with specific sequential phases that must be followed under the direction of the CIO.
General Process for IT Policy Development6
With community input, community leaders and the CIOs office plan initiatives.
The CIOs office begins an initiative by identifying sponsors, stakeholders and issues.
The stakeholders consider the issues and present recommendations to the sponsors.
Documents are drafted in consultation with the sponsors, stakeholders, and the community.
Documents are reviewed and endorsed for issuance by the appropriate executive.
Departments and offices collaborate to deploy a practical implementation.
Community leaders and the CIOs office encourage widespread implementation.
The community provides feedback to the CIOs office to guide periodic review.
*NOTE: In March of 2011 re-numbered the steps of the IT Policy Process. Planning is now step 1, Initiation step 2, etc.
Principle 5: The resources required to complete each phase of the policy development process will vary depending on:
- pre-existing consensus,
- impact on the institution,
- urgency of need, and
- relative priorities.
Principle 6: The roles and responsibilities described in Section III should be followed throughout the policy development process.
V. Policy Development Practices
The following practices are used when conducting the policy development process.
- Communication. Communication of IT policy development will occur at multiple stages during the development process. Policy forums will be conducted by the CIO's IT policy office to discuss policy development with the campus community. To promote transparency and obtain campus input, individual policy teams will present the status of IT policy initiatives at regular intervals during policy development. IT policy initiatives in development phases will be available on the wiki maintained by the IT Policy and Planning Department.7 Official IT policies will published on the CIO's website.8
- Participation. The CIO's IT policy office encourages active participation from the campus community during the development stages. Individuals are encouraged to participate on policy development teams.
- Vetting. The CIO's IT policy office engages stakeholders during the policy development process.
- Campus Coordination of Development. IT policy development that originates outside the CIO's policy office should coordinate with the CIO and follow the policy development process listed above.
- Awareness and Training. IT policies will be published with appropriate guidelines for IT user and producer implementation.
VI. Policy Mandates
Policies may be initiated, preempted or set by Federal, State, Regents, UW-System or Campus Executive mandates, and policy or guidelines issued to carry out the mandate.
Due to urgent situations, the CIO may create executive mandates that are effective immediately, and have the authority of policy. They will be reviewed using the General Process for IT Policy Development listed above and an official policy will be developed.
 This document is available at https://wiki.doit.wisc.edu/confluence/display/POLICY/PPT
 Further detail on the UW-Madison Strategic Plan for Information Technology can be found at http://www.cio.wisc.edu/plan/
 The complete glossary is located at https://wiki.doit.wisc.edu/confluence/display/POLICY/Glossary
 Appendix C includes a more detailed list of stakeholders
 The ITC is described at http://www.secfac.wisc.edu/governance/FPP/Chapter_6.htm#642
 Further detail on the IT Policy Development Process can be found at https://wiki.doit.wisc.edu/confluence/display/POLICY/IT+Policy+Process
 The wiki maintained by the IT Policy and Planning Department is available at https://wiki.doit.wisc.edu/confluence/display/POLICY/
 IT Policies are published at <http://www.cio.wisc.edu/policies/
Stakeholders in the IT Policy Process
This list is not comprehensive, but provides examples of individuals and groups who have a role in policy development.
- Information Technology consumers and producers
- University Leadership
- Faculty Senate
- WisconsinState Legislature
- Information Technology Council (ITC)
- CIO's IT policy office
- Administrative Legal Services
- Internal Audit
- Data Stewards
- IT Policy Planning Team
- Authentication/Authorization Coordinating Team (ACT)
- Network Advisory Group (NAG)
- Identification Authentication Authorization Group (IAA)
- Madison Technology Advisory Group (MTAG)
- Identity Management Leadership Group (IMLG)
- Campus Records Review Group (CRRG)
IT Policy and Planning Department
Published IT Policies
Policy Department Wiki