Policy Administration Process Summary
Summary of the Policy Process for University-Wide Information Technology Policies at Indiana University
I. Authorization and Support
In 2001, the Trustees directed the Office of the Vice President for Information Technology and CIO:
- To develop and implement policies necessary to minimize the possibility of unauthorized access to Indiana University's information technology infrastructure regardless of the Indiana University office involved; and
- To assume leadership, responsibility, and control of responses to unauthorized access to Indiana University's information technology infrastructure, unauthorized disclosure of electronic information and computer security breaches regardless of the Indiana University office involved.
Vice President McRobbie delegated responsibility for these tasks to the University Information Security and Policy Offices.
The University Information Technology Security and Policy Office is charged with:
- Information technology policy development, dissemination, and education.
- Information usage/management policy development and education (in conjunction with data management committees).
- Review and analysis of existing policies for continued applicability and effectiveness.
- Interpretation of current policy related to specific issues, situations and incidents.
- Coordinating response to incidents of abuse, misuse, or inappropriate use of Indiana University information technology resources.
- Computer accounts management (for central accounts).
- Information technology security assessment and reporting.
- Information technology security standards development, dissemination, and education.
- Providing technical security and information resources.
- Developing and administering security education and awareness programs.
- Security consulting.
II. Policy Process
Institutional policies are operational statements or directions that outline the philosophies, attitudes, and values of an organization related to a specific issue. They are concise statements of what the policy is intended to accomplish, not how to accomplish it. Policies are stated in sufficiently general terms to provide flexibility as technology changes.
Campuses, schools, colleges, departments, and other administrative units have considerable latitude in developing complementary technology use policies and procedures, as long as they are consistent with the university-wide policy and any other applicable technology use policies of the university. Such policies may be more restrictive than university policy, but must not be more permissive.
The process used at Indiana University is based on the Policy Development Process With Best Practices issued by the Association of College and University Policy Administrators. It consists of the following major steps:
1. Identification of policy needs (primarily through monitoring legislative and technology developments, institutional experience, and evaluation of policy suggestions from the university community).
2. Drafting of initial policy language.
3. Distribution to small group of stakeholders for initial review and input.
4. Editing based on input from step 3.
5. Presentation to large group of stakeholders for review and input.
6. Editing based on input from step 5.
7. Presentation to Vice President for Information Technology for approval, and as determined by the Vice President, to the President and/or Trustees.
8. Posting and announcing.
9. Educational activities.
10. Maintenance, typically involving review every three to five years.
III. Stakeholders List
The University Information Policy and Security Offices maintain a list of potential stakeholders for IT policies. This list is used for contacts in steps three and five of the Policy Process for those who are involved in direct review and input, and for communication purposes with those who do not participate in direct review and input. These roles are identified depending on the nature of the policy in process and its potential relevance to the stakeholder.
- Incident Response (within the Information Policy and Security Offices)
- UITS Senior Management
- Vice President for Information Technology & Chief Information Officer
- University Counsel
- Internal Audit
- Policy Advisory Council
- Local Support Providers (IUB and IUPUI)
- Regional CIOs
- Deans (IUB and IUPUI)
- Faculty Council Technology Committee (IUB and IUPUI)
- University Faculty Council Technology Committee
- Information Security & Privacy Risk Council
- Faculty Council (IUB and IUPUI)
- Staff Council (IUB and IUPUI)
- Committee of Data Stewards (for applicable policies)
- University Faculty Council
- IU Research & Technology Corporation
- IU Alumni Association
- IU Foundation
- Student Associations (IUB and IUPUI)
- Residential Programs and Services (IUB and IUPUI)
- Vice Chancellors for Student Affairs/Dean of Students (IUB and IUPUI)
- Vice Chancellors for Faculty Affairs/Dean of Faculties (IUB and IUPUI)
- University Human Resource Services/Employee Relations (IUB and IUPUI)
- Campus Chancellors
- Executive VP & IU Bloomington Provost
- Executive VP & IUPUI Chancellor
- Vice President for Capital Projects and Facilities
- Vice President & Chief Financial Officer
- Vice President & Director for Intercollegiate Athletics
- Vice President for Diversity, Equity, & Multicultural Affairs
- Vice President for Engagement
- Vice President & General Counsel
- Vice President for International Affairs
- Vice President for Public Affairs and Government Relations
- Vice President for Research
- Executive Vice President for University Regional Affairs, Planning, and Policy
- Office of the President
- Board of Trustees
(Note: Regional CIOs are responsible for coordination with all appropriate offices and committees for their campuses.)