Applies to all IT Policy development, revision and retirement at UW-Madison. Applies to anyone responsible for implementing and complying with IT policies.
UW-510 IT Policy is the policy for this procedure.
The main goals of the IT Policy1 Development Procedure are to better ensure:
Figure 1: Overview of the Policy Development Process, Including Stages and Responsibilities (To view a larger version of this diagram, right-click on it and select "Open image in new tab." Then click on the newly opened tab.)
The following framework guides both the development and the modification of IT Policies and related documents, including Procedures, Standards, Implementation Plans, and Guidelines (hereafter referred to collectively as “IT Policies”).
This framework supports IT Policy goals by ensuring:
IT Policy will be developed using a 7-stage process, as outlined in Table 1 and Figure 2 below.
Figure 2: Policy Development Stages, Including Inputs and Outputs (To view a larger version of this diagram, right-click on it and select "Open image in new tab." Then click on the newly opened tab.)
The policy development stages are often recursive, rather than linear. Multiple stages may be pursued in parallel. Stages that involve iteration may require a return to earlier stages in the process. Stakeholder communication, review, and feedback are encouraged and considered at each stage in the process.
IT Policy et al may be proposed by any stakeholder as a response to a perceived IT need or obligation. Needs may include:
The need or obligation identified in the IT Policy proposal should be thoroughly understood, including its cause(s) and the reason(s) a solution is needed. The following questions may be helpful in developing a thorough understanding of the need or obligation:
Any understanding of the need or obligation should be reached in collaboration with stakeholders. Such a shared understanding helps minimize delays that result from misunderstanding. Stage 1 will result in a clear statement, understood by stakeholders, of the issue, need, obligation or opportunity, along with its scope, risks, and other factors. The statement should identify who decided how to respond to the request.
Once an identified need or obligation is thoroughly understood, a determination of compelling need for IT Policy must be made. This determination should be based, in part, on whether the issue falls within the purview of “IT Policy,” as defined in the PAT Charter. When there is a compelling need for IT Policy, the approach to addressing the need must be determined.
These determinations ensure a reasoned IT Policy Portfolio consisting of policies and related documents that:
Compelling need and approach should be determined based on inputs and outputs from Stage 1, stakeholder views/feedback and other relevant information, as shown in Figure 2 above.
Stage 2 will result in a written recommendation for a course of action in response to the original IT Policy proposal. The Policy Planning and Analysis Team (PAT) will draft an initial recommendation. PAT will then provide its recommendation to the University’s Information Technology Committee (ITC). PAT and ITC will work collaboratively and iteratively to produce a final recommendation for the VP-IT (CIO). The VP-IT (CIO) will have final authority to approve or deny the recommendation.
A charter must be created for each policy action approved by the VP-IT (CIO). The purpose of the charter is to provide a shared understanding of the work to be done. This shared understanding is needed to ensure the team tasked with drafting or revising the IT policy or related document knows how to produce deliverables that meet the expectations of stakeholders and IT Governance.
The PAT may, at its discretion, escalate a draft charter to the ITC for review and comment. Such escalation is advised when there are questions or concerns about the goals and outcomes, success criteria, policy scope, or other details addressed in the draft.
The Working Group may recommend charter revisions to the PAT after this stage. The ability to request charter revisions allows Working Groups the agility to respond to circumstances and knowledge that emerge and evolve after this stage. As with drafts of the initial charter, the PAT may, at its discretion, escalate recommended charter revisions to ITC for review and comment.
Stage 3 will result in a written charter that responds to the VP-IT (CIO)-approved recommendation produced in Stage 2 (see Figure 2 above).
Guided by the IT Policy charter generated in Stage 3, a Drafting Team will develop the policy or related document. The purpose of this stage is to propose core language to be reviewed and approved by appropriate groups, including stakeholders, PAT, ITC and the VP-IT (CIO).
Stage 4 should be considered iterative. Drafting Teams are expected to appropriately seek and address feedback from stakeholders and subject matter experts (SMEs). SMEs may include campus personnel, outside consultants, industry groups, government and other authoritative bodies, and other entities. In particular, Drafting Teams are expected to seek input that helps them identify and understand the potential implications of their proposed language. This discovery may involve a risk evaluation that identifies potential threats, likelihoods and impacts.
Stage 4 will result in a complete draft of the document(s) specified in the project charter. Drafts should follow appropriate templates, where available (see Table 2 below).
All fields and sections in the appropriate document template should be completed by the Drafting Team when possible. Where no template is available, the Drafting Team should make an effort to provide all information relevant to the content of the document.
In Stage 5, the draft produced in Stage 4 is reviewed to assess implications and impacts of the policy or related document. This review is necessary to ensure the proposed policy is feasible and viable.
Review is completed by three entities, with stakeholder participation:
The PAT (a sub-committee of ITC) and ITC are Governance bodies whose assessments focus on how a policy will affect the ability of faculty, staff and students to carry out UW-Madison’s teaching, learning and research activities. The Policy Library Coordinator assesses the presentation of the policy to ensure it meets language and formatting criteria for inclusion in the UW-Madison’s Policy Library. Only policies included in the Policy Library are considered to be official UW-Madison policies.Review and assessment of draft policies is consecutive and iterative.
The order of review is as follows:
IT Policy Staff will be responsible for facilitating transitions between steps.
Feedback generated at each level of review should be provided, as appropriate, to the entity or entities responsible for previous levels of review.
PAT will be responsible for coordinating with the policy Drafting Team to:
Multiple rounds of review and revision may be needed to produce a draft that is acceptable to PAT, ITC and the Policy Library Coordinator3. IT Policy Staff will document acceptance of a final draft by each entity, to provide a record of compliance with this Procedure.
The process to be followed in Stage 5 is illustrated in Figure 4 below.
Figure 3: Review and Assessment Process (To view a larger version of this flowchart, right-click on it and select "Open image in new tab." Then click on the newly opened tab.)
Stage 5 will result in a formal recommendation from ITC to the VP-IT (CIO) to approve the final draft of the policy or related document.
In Stage 6, the VP-IT (CIO) approves the final draft. This approval is necessary because only the VP-IT (CIO) has the authority to establish IT Policy at UW-Madison. VP-IT (CIO) approval triggers publication of the policy or related document.
To initiate VP-IT (CIO) approval, the ITC Chair, or a designee, will use an electronic signature tool or suitable alternative to send the following to the VP-IT (CIO):
Upon receipt, the VP-IT (CIO) will consult with staff responsible for IT policy to validate that all previous steps of the IT Policy Procedures were successfully completed and that stakeholder input was solicited and considered. If the VP-IT (CIO) has questions about the policy, completion of steps or appropriate consideration of stakeholder input, they will work with the CISO and ITC to resolve those questions. Depending on the particulars of the resolution, the ITC Chair may need to provide the VP-IT (CIO) a revised draft.
The VP-IT (CIO) will indicate approval of a draft by signing the document package provided by the ITC Chair or designee. Upon approval, the VP-IT (CIO) will designate the date on which the document will take effect and name the party(ies) responsible for implementation.
IT Policy Staff will facilitate communication between the ITC, VP-IT (CIO), CISO, and Policy Library Coordinator as needed throughout Stage 6.
Stage 6 will result in a published IT policy or related document.
In Stage 7, policies et al are reviewed. Review is necessary to ensure the documents in the IT Policy Portfolio are applicable and valid.
The approval authority or their designee is responsible for conducting review of the policy or related document. This review should include participation and input from stakeholders.
Policies et al will be reviewed every 2-3 years unless:
The following shall be considered as part of the review:
The reviewer will recommend one of the following maintenance actions:
For policies, the type of maintenance action taken determines the stage of the policy development process to which the policy will return. All other types of documents will return to Stage 5, unless PAT or ITC requests return to an earlier stage. See Figure 5 below.
Figure 4: Maintenance Action Options and Corresponding Policy Development Stages (To view a larger version of this image, right-click on it and select "Open image in new tab." Then click on the newly opened tab.)
Stage 7 will result in:
The VP-IT (CIO) facilitates the university’s mission by ensuring effective use of information resources and information technology. This position is the approval authority for all IT policies.
1The terms “IT Policy” and “Policy” refer collectively to policies, procedures, standards and guidelines.
2A UWSA mandate will be considered a proposal for IT Policy.
3PLC review is needed only for policies. Standards, procedures, guidelines and other policy-related documents are not published in the UW–Madison Policy Library.
For definitions please see the IT Policy Glossary.
Please address questions or comments to itpolicy@cio.wisc.edu.
Guidelines for Policy Development at UW-Madison (Policy Library)
IT Policy Glossary
PAT Charter
UW-510 IT Policy Development & Management
UW-Madison Policy Library
UW-Madison Policy Library Guidelines
UW-Madison Policy Library Policy Template
UW-Madison Policy Library Procedures Template
IT Policy Standard Template
IT Policy Implementation Plan Template
IT Policy Guidelines Template
UW-Madison Policy Retirement Request Form