Related Organizational Processes

premiumlexicographerInternet και Εφαρμογές Web

8 Δεκ 2013 (πριν από 3 χρόνια και 9 μήνες)

85 εμφανίσεις

Jenny Mehmedovic



Michele Gross

Assistant to the Provost


Program Director

Provost’s Office



President’s Office

University of Kansas



University of Minnesota

IT Policy Development and
Related Organizational Processes

EDUCAUSE 2011

Today’s Policy Discussion


Organization made easy


Documentation of processes and policies


Communication and enforcement


Periodic reviews and updates



Institutional Profiles


University of Minnesota


Five campuses, incl. 1
medical center


68,000 students


19,274 employees


$823 mil. in sponsored
awards (2010)


102 governing policies


192 central
administrative policies

University of Kansas


Four campuses, incl. 1
medical center


29,000 students



9,700 employees


$225 million in sponsored
awards

(2010)


1 governing policy manual


641 central administrative
policies

Evolution of Policy Approach

2008: Launch of
KU Online Policy
Library

2011: Director of Policy
Office position
established

2010: Policy Office established

1993: U of M Online
Policy Library launched

1992: Policy Office
established

1992: Director of Policy Office
position established

Getting to Know You


Who are you? Where are you from? What is your
role?


Why did you choose
this

EDUCAUSE session?

Getting to Know You


Where does your organization fit in the IT policy
development/structure continuum?

University of Kansas


Information Technology Organization

University of Minnesota


Information Technology Organization

Connecting to IT People

University of Minnesota


IT Leadership Alliance


Academic Technology Advisory
Committee


Course Management System
Implementation Group


Privacy Committee


Senate Committee on
Information Technology


Enterprise Data Access Group


University Video Users
Community


Mass E
-
mail User Group


UMContent

Developers



University of Kansas


IT Technical Liaisons


KU Policy Office Partners


Information Management
Policy Group


Academic Computing and
Electronic Communications
Committee (Governance)


Enterprise Application
Resources Planning group


Center for Online and Distance
Education

Contrasts: Policy Offices

University of Minnesota


Director, policy librarian (80%),
and graphic designer (80%)


Use a content management
system (Oracle, was
Stellent
)


Director leads the Policy
Advisory Committee, and
staffs the Presidents Policy
Committee

University of Kansas


Director (in progress), admin
support (also policy librarian),
and time from a Web
programmer (in Provost’s
Office)


Use a document management
system (
Xythos
)


Jenny providing strategic
direction, longer term
improvement opportunities,
transitioning out

IT Policy Hot Topics


Where is your IT Policy Focus Today?


List IT issues under consideration at your institution


In small groups, share the lists

IT Policy Hot Topics

Top 5 Higher Ed Policy Issues


Federal and state regulations


IT security


Privacy


Intellectual property and copyright law


Campus IT policy issues and best practices


IT Policy Hot Topics

Where is IT Policy Focus Today?


Social media


Cloud services/guidelines


Mobile device encryption & provisioning & security


Identity management/validation


Security policy for shared services and shared cyber
infrastructure


Data classification, stewardship, and records
management


Electronic/digital signatures


Website privacy notices

IT Policy Hot Topics

Choose One


Select one of your topics on which you’d like
to work throughout our time together

IT Policy Hot Topics

Organizational Processes for Policy Development, or

How to Get “It” Done Right!

Policy Basics

Definition (from BusinessDictionary.com)

The set of basic principles and associated guidelines,
formulated and enforced by the governing body of
an organization, to
direct and limit its actions
in
pursuit of long
-
term goals.

Policy Development

Institutional Policies


Statements that reflect the philosophies, attitudes,
or values of an organization related to a specific issue


Concise statement of what the policy is intended to
accomplish, not how to accomplish it


One or two sentence description of general organization
intent


General enough to provide flexibility where flexibility is
allowable

Policy Development

Components of a Policy


Policy statement(s), including scope and
purpose


Terms, roles, contacts


Support documents


Procedures


Guidelines


Appendices


FAQ






POLICY TITLE:

Electronic Data Disposal Policy


POLICY PURPOSE:

Data confidentiality is an issue of legal and ethical
concern.

The purpose of this policy is to…


APPLIES TO:

University employees (e.g., faculty, staff, student
employees) and other covered individuals (e.g., affiliates,
vendors, independent ...



POLICY STATEMENT:

The University of Kansas requires that before any
computer system, electronic device or electronic media
is disposed, recycled or transferred…


POLICY LIBRARY

http://www.policy.ku.edu

Policy Development

University of Minnesota:

Policy on Policy


The University establishes administrative policies to
align
operations
,
set behavioral expectation
, and
communicate roles
and
responsibilities.


Administrative policies will either
require or prohibit specific actions
of faculty, staff, or students as well as external individuals who use
University resources or services, as appropriate.


Administrative policies must:


Be warranted in order to implement Board of Regents policy; achieve
compliance with laws, rules, or regulations; or address a risk to the
institution that cannot be adequately addressed elsewhere;


Address a significant risk after factoring in the number of people affected,
type of risk and impact; and


Promote operational efficiency and effectiveness.

Policy Development

Identify
Issues

Solicit
Evaluate &
Review

Draft
Language

Get
Approvals

Distribute
/
E
ducate

Conduct
Analysis

Measurement
& Compliance

Policy owner creates a draft,
with standard templates.
Engages key users in
drafting stage.

Presents all policy documents to Policy Advisory
Committee. Captures comments and revises
as needed.


Final product to President’s Policy Committee for
review and approval.

Policy draft is announced
University
-
wide,
posted for open 30
-
day comment period.

Gathers data. Determines a new
or revised policy is needed.
Prepares a
policy plan
for
Policy Advisory Committee.

Policy owner watches for
changes in law, changes
to Board Policies,
operational needs, etc.

Do we
have a
policy?

Revise as needed at end of
30
-
days. Publish policy.
Respond to questions
captured through
comment box at end of
each policy. Tweak as
needed (informal) or
modify (formal).

Policy owners
monitors. Results
should drive any
needed
enhancements or
training or
communications.

Is policy
approved?


Process for Developing a University Policy

U of M Model: Critical Success Factors


Stakeholder consultation


The “right” review/approval groups


Transparency and accountability


System of organization


Templates


Strong policy website


If you build it, they will come.


If you build it WELL, they will come back.

Policy Development

University of Kansas Policy on Policy


Historically institution has been policy
-
averse


Thus, we are working to define the KU Policy
Process rather than a policy

Policy Development

Identify Issues

Periodic

Review

Draft Initial

Language

Review & Revise

Final Review &

Approval

Implement

Identification

Development

Maintenance

1.
Raise
awareness
of the issue

2.
Inform
Policy Office
that a policy
has been
identified
for revision


4.
Ensure
accuracy and
consistency with
existing policies by
working with
the Policy
Office and other
relevant offices

5. Review by Office of
the Provost with input
sought from General
Counsel

6. 21
-
day* university
comment
period

7. Respond to
comments; may
involve revision of
policy, minor or major

8. Signature
approval
by Provost,
Chancellor, or
appropriate Vice
Provost or Vice
Chancellor

9.
Post policy to KU
Policy Library

10.
Announce policy

11.
Educate community

12.
Encourage feedback

13.
Grant exceptions,
as
necessary

14.
Update periodically
to ensure accuracy

Process for Developing
a University Policy

March 30, 2011

3.
Coordinate
within
administrative
office
sponsoring the
policy

This roadmap is intended to assist units who generate policy applicable to faculty, staff, and students in understanding the
process and responsibility for policy
-
making at KU. Specific policies may require adjustment of this process to ensure
adequate review by stakeholders.

* In rare circumstances, the comment period may be
reduced in order to comply with federal or state mandate.


U of Kansas: Critical Success Factors


Know who the primary policy
-
making partners are


Cultivate partnerships and generate input


Provide tools to make life easier for partners


Be positive about smallest incremental changes


we
have far to go, but we have come a long way in a few
years.

Policy Development

Your Current Policy Structure


Share what you are doing well and where you have
the greatest room for improvement


Do you have a University
-
wide policy library?


Are your IT policies contained within it or separate?


Do you have a University
-
wide tool for
developing/maintaining policies?


Do you have a policy on policy?


Do you have standard templates for your policy work?


Policy Development

Predevelopment: Identify Issues


Recognize a trigger for creating or revising an IT
policy


Change in law, rule or regulation


Legislative, regulatory, or public policy


Weakness in current structure


Correct misbehavior (reactive); organizational change (reactive)


New technical opportunity


That reduces risk, streamlines operations, etc. (proactive)




Policy Development

Predevelopment: Define Your Audience


Understand who will be impacted by a policy or
policy change


Who is the owner


Whose actions are you directing (primary)


Who are the other stakeholders


How can you capture their input during the development
and review phases




Technical Staff?


All end users?


Subset of end users?



Policy Development

Predevelopment: Conduct Analysis


Determine the approach to develop the policy


Research the subject


Laws


EDUCAUSE


Peer institutions (e.g., through ACUPA)


Know how decisions will be made when there are
management choices


Identify required deadlines (is an interim policy needed?)


Confirm scope of the policy


Policy Development

Predevelopment
: Conduct Analysis


Understand the scope and impact of the gap


What are the risks?


Who is impacted?


How widespread is the problem or need?


What are the options for solving it?


Is a policy needed to address the issue?


Who owns the issue/policy? Is it an IT policy or a
component of a broader business policy?


What are the onetime and recurring costs associated with
solutions?


Policy Development

Pen to Paper (or Fingers to Keyboard)


Draft the policy language


Generally NOT a group activity


Align with required format (template)


Identify definitions needed


Ensure title is appropriate for content, and content aligns
with scope


Use style specified by institution


Review with stakeholder representatives, and revise
if needed


Obtain required approvals


Policy Development

Policy Approval Comparison


Process/policy owner
obtains internal
management approval


Presents to a policy
advisory committee


Presents final draft to
President’s Policy
Committee for approval





Policy owner ensures
consensus around issue
with primary stakeholders


Share draft with Counsel


21 day campus comment
period


Submit to Provost for
approval





Policy Development

Documentation of Policies and Procedures

Oh Give Me a Home…


A University
-
wide administrative policy library or
policies held on local (HR, IT, etc.) sites


Best practice: single site for all policies


One
-
stop shop for end users


Many of the policies are related so this facilitates
movement between policies


More consistency possible

Documentation

Documenting Policies and Procedures


Maintain historical and current policy version(s)


Assists with legal queries


Supports standing practices (e.g., students are permitted
to go by policies that were in effect when they
matriculated)


Provides the historical view


Highlights key changes


History “snapshot” available in the policy itself

Documentation

Operational Choices


Should you make historical versions readily available,
vs. available upon request?


Do you save any of the draft versions of the policies?


How long should you retain policy versions?


Who will keep the “working” documents?


Do you need physical or electronic approval prior to
posting a policy or policy revision? Is documentation
of this retained anywhere?



Only show current version. Historical
version(s) available upon request. Print as of
date displayed on copy.

Documentation

Practices and Pain


How does your institute handle policy and
procedure documentation?


Where is the “pain” in your process? (What
could be working better)

Documentation

Communication and Enforcement

Communicating Policies


Audience


Messenger


Clarity of message


Frequency


Right communication vehicle(s)


The view long
-
term


“Put your ear to the ground”


Communication and Enforcement

Audience

When making an IT change, not all audiences are “equal”.



Consider whether or not the message directly impacts the
average user of technical services, or geared towards
technical support staff


Typical audiences


Faculty


Staff


Students




Incoming or current


Technical staff


Guests/visitors


Determine whether or not the change will be visible to the
average user or primarily a “behind
-
the
-
scenes” enhancement

Communication and Enforcement

Clarity of the Message


Be direct


Specify the change date


Develop targeted communications appropriate for
the different audiences


Contrast the changes (old, new)


Highlight the need or rationale for the change


Extend the offer of help (if staffed for it)

Communication and Enforcement



Limit sentences laden with technical phrases, if other
more common phrases will adequately convey the
message


Ensure that you have a complete definitions section


Provide examples where useful (e.g., electronic devices
include cellular phones, personal digital assistants,
electronic storage mechanisms, removal media)


Test the communication out on representatives from
your target audiences, and
fix
, if there are challenges

Communication and Enforcement

Getting the Word Out


Orientation agendas


Speakers, handouts, videos


Direct emails, mailings


Educational postcards,
posters, etc.


Desk side coaching


“I agree” statements to click
through when obtaining
accounts, registering to the
network, etc.



Partner with tech staff in
units


Key policy lists for new
employees


Signed user agreements, if
appropriate…


Have a traveling road show!


Anyone who shows an
interest!!!!


Hold policy brown bags


Sponsor a “Policies Day”


Communication and Enforcement

The “Cost” of Unenforced Policies


Legal


Reputational


Financial


Managerial

Communication and Enforcement

The Cost to Enforce Policies


People (resources)


Marketing/communication expenses


Competition with other priorities


Internal politics (big brother)


Management support

Communication and Enforcement

Monitoring and Enforcement


Do you, as policy owners, have an institutional
requirement to know how compliant your audience is with
your IT policies?


Is there an expected frequency for monitoring?


Do different policies have different requirements?


Is there management support for addressing non
-
compliance?


What are your enforcement options?


Do you have staff to adequately monitor and enforce your
IT policies?

Communication and Enforcement

Enforcing IT Policies


The groundwork includes:


Understanding your culture


Identifying partners


Clearly defining roles


Establishing procedures


And educating the community about all four!

Communication and Enforcement

Responding to Complaints


Focus on gathering evidence


Determine the root problem. If not technology, get it to
the right hands


If technology is the root problem, gather evidence. If there
is no evidence, there is nothing to pursue.


Determine which types of infractions


Warning, suspension, termination


Elevate to upper management


Require law enforcement involvement


Ensure records are kept confidential

Communication and Enforcement

Consequences of Enforcement


Intentional vs. unintentional


Punishment as an example may have an unintended
consequence for the broader organization (no one
will speak up)

Communication and Enforcement

Periodic Reviews and Updates

Core Questions


Who is responsible for maintaining IT policies in your
organization?


Do you have an established schedule for routine and
comprehensive reviews?


What triggers the frequency of reviews (e.g.,
importance, most frequently used, volatility of the
technical world)?


Is there a formal process to follow?


How do you capture your audience feedback on the
policies?

Periodic Reviews

and Updates

Maintenance Comparison


Policy owner updates when
needed (contacts, etc.)


Annual reminder to review
policy for accuracy


Comprehensive review
every 3 years


Requires completion of a
form


Flows through established
committee structure


Policy owner updates when
needed (contacts, etc.)


Comprehensive review
every year or as needed


Working on
routinizing

a
review schedule and
triggers that can be
followed


Periodic Reviews

and Updates

Periodic Reviews

Review targets


Alignment of policy specifics
to practice


Alignment of procedures to
actual


Required vs. best practice


Accuracy of the
supplemental information
(contacts, links to related
information, forms, etc.)

A deeper dive


Is the requirement too
restrictive for the risk
managed? (cost/benefit)


Are the requirements
associated to an individual
or unit (departments vs.
employees?)


Is the language broad
enough to stand over time?


Periodic Reviews

and Updates

Planning and Conducting the Reviews


Identify the responsible individual(s) for completing
the review


Identify key contacts to contribute to the particular
policy


Gather comments/feedbacks/open issues


Identify issues


Solicit input from peer institutions

Periodic Reviews

and Updates

Revising an Existing Policy


Is it still needed?


For example, do you have technical controls in place that
prevents the activity that used to be controlled by policy.


Are the thresholds, approval levels, requirements
appropriate for the risk managed? What would
be the impact of changing these?


What have been the weak points in the policy?


What is the level of compliance?

Periodic Reviews

and Updates

It’s a Wrap

Adding to Your Toolbox


What were the most helpful aspects of this
session?


What new or different things will you do when
back at your institution?


How will you expand your base of support?

It’s a Wrap

Your Go
-
To Resources



EDUCAUSE Policy Digest newsletter

http://www.educause.edu/PolicyDigest


Subscription
-
based (free), semimonthly e
-
newsletter that summarizes, analyzes, and provides
recommendations on public and campus policy issues affecting higher education. From the
EDUCAUSE Policy Analysis and Advocacy program.


EDUCAUSE Policy Discussion Group

POLICY
-
DISCUSSION@listserv.educause.edu

A place for fruitful, engaging discussion on campus policy issues, for sharing about current
practices, and learning from each other about emerging areas of concern to the campus IT
policy community.


Information Security Guide

www.educause.edu/security/guide

A compendium of information providing guidance on effective approaches to the application of
information security at institutions of higher education. From the
Higher Education
Information Security Council
. Its content is actively maintained by a large group of volunteers
who are information security practitioners at a variety of colleges and universities.

It’s a Wrap

Your Go
-
To Resources



Institute for Computer Policy and Law (ICPL)

http://ICPL.cornell.edu


The Institute for Computer Policy and Law at Cornell University is an intensive
annual four
-
day seminar examining the impact that widespread use of the
Internet has on college and university policies, procedures, and judicial
systems.



Association of College and University Policy
Administrators (ACUPA)

www.acupa.org

An informal association of professionals who formed a network to discuss college
and university policy issues.

It’s a Wrap

Your Go
-
To Resources



Here at EDUCAUSE 2011


Meet the EDUCAUSE Policy Analysis and Advocacy Staff

Thursday, October 20
th
, 10:00
-
10:30 a.m. at EDUCAUSE
Central

http://www.educause.edu/E2011/Program/BRK41


EDUCAUSE Policy Team Community Update

Thursday, October 20
th
, 4:00
-
4:50 p.m. at Meeting Room
103B

http://www.educause.edu/E2011/Program/UPD14


Campus IT Policy Discussion Session

Thursday, October 20
th
, 5:00
-
5:50 p.m. at Meeting Room
103B

http://www.educause.edu/E2011/Program/DISC88


It’s a Wrap

Your Go
-
To Resources



NACUA Workshop, in cooperation with
EDUCAUSE, on “College and University
Compliance Programs:


Organization and Key
Compliance Obligations”

November 9
-
11 in Washington, D.C.

http://www.nacua.org/meetings/november2011/ho
me.html


It’s a Wrap

Our Thanks to You!

Jenny
Mehmedovic



Michele Gross

University of Kansas


University of Minnesota

jmehmedo@ku.edu


m
-
gros@umn.edu






www.policy.ku.edu



www.policy.umn.edu