UW-Madison - IT Policy Procedure

Applies to all IT Policy development, revision and retirement at UW-Madison. Applies to anyone responsible for implementing and complying with IT policies.

UW-510 IT Policy is the policy for this procedure.


Procedure Statement

The main goals of the IT Policy1 Development Procedure are to better ensure:

  • IT Policies are created in response to a need
  • IT Policies represent the values and norms of the organization.
  • The IT Policy Portfolio is manageable in terms of abstraction level, number of policies and other considerations
  • It is possible to implement and comply with IT Policies
  • Anyone can locate, interpret and determine applicability of an IT Policy

Who Is Affected by This Procedure?

Applies to all IT Policy development, revision and retirement at UW-Madison. Applies to anyone responsible for implementing and complying with IT policies.  

Procedure Detail

Stage 1: Identify Need - Stakeholders propose a policy; IT Policy Staff draft a problem statement. Stage 2: Analyze Need - Stakeholder feedback is solicited and considered; IT Policy Staff follow up with proposer; PAT confirms the need and drafts and iteratively revises a recommendation; ITC and the CIO accept the recommendation. Stage 3: Create Charter - Stakeholder feedback is solicited and considered; IT Policy Staff recruit a working group; PAT drafts a charter.  Stage 4: Draft - Stakeholder feedback is solicited and considered; the Working Group or Drafting Team drafts and iteratively revises the policy or related document. Stage 5: Review and Assess - Stakeholder feedback is solicited and considered; The PAT, Policy Library Coordinator, and ITC accept a draft. Stage 6: Approve - Stakeholder feedback is solicited and considered; the CIO approves the policy or related document; the Policy Library Coordinator publishes the policy in the UW-Madison Policy Library; Stage 7: Maintain - Stakeholder feedback is solicited and considered; the PAT reviews and recommends action on existing policy.

Figure 1: Overview of the Policy Development Process, Including Stages and Responsibilities (To view a larger version of this diagram, right-click on it and select "Open image in new tab." Then click on the newly opened tab.)

The following framework guides both the development and the modification of IT Policies and related documents, including Procedures, Standards, Implementation Plans, and Guidelines (hereafter referred to collectively as “IT Policies”).

This framework supports IT Policy goals by ensuring:

  • IT Policy has been selected as the appropriate solution based on a well understood and well defined business case that specifies needs, success criteria, scope and other elements.
  • IT Policies do not duplicate other UW-Madison or UWSA policies
  • IT Policies are not overly specific or prescriptive
  • The right IT Policy mechanism (e.g., Policy, Procedure, Standard, Guidelines) is used to address the need
  • The scope of an IT Policy – to whom, what and when it applies – is appropriate
  • IT Policies reflect an understanding of implications and impacts, including those related to implementation
  • Stakeholders have an opportunity to participate in feedback, review, consensus, and approval of IT Policies at appropriate milestones

Policy Development Stages

IT Policy will be developed using a 7-stage process, as outlined in Table 1 and Figure 2 below.

Table 1: Stages in the Policy Development Process
No. Title Description
1 Identify Need A policy is suggested to address a perceived IT need or obligation.
2 Analyze Need The need is assessed for high-level implications and impacts and an initial estimate of campus risk; approach is determined.
3 Charter Policy work goals, objectives, scope, and other elements are identified.
4 Draft Plans are created and documents are drafted.
5 Review and Assess Plans and documents are assessed for campus implications and impacts.
6 Approve Final plans and documents are reviewed and submitted for approval.
7 Maintain Policies are periodically reviewed for continued applicability and validity.

Stage 1: Identify Need - A policy is suggested to address a perceived IT need or obligation; inputs are IT Policy proposal, laws, regulations, standards, stakeholder views, risk assessments, other info; outputs are problem statement, IT Policy Staff recommendation. Stage 2: Analyze Need - Need is assessed to identify implications/impacts and estimate risk and approach is determined; inputs are Stage 1 inputs and outputs, stakeholder participation, and other information; outputs are written recommendation for action. Stage 3: Create Charter - Policy project goals, objectives, scope, and other elements are identified; inputs are approved recommendation from Stage 2, stakeholder feedback, constraints (e.g., time, info, expertise, decision-making); output is a written charter. Stage 4: Draft - Plans are created and documents are drafted; inputs include charter from Stage 3, laws, rules and regulations, industry standards, risk evaluation, stakeholder feedback, UW-Madison Policy Library template; output is a complete draft of a policy document. Stage 5: Review and Assess - Plans and documents are assessed for campus implications and impacts; inputs are complete draft of policy document from Stage 4, suggested edits and other feedback; outputs are IT recommendation for CIO approval and a final policy draft. Stage 6: Approve - Final plans and documents are reviewed and submitted for approval; inputs are recommendation and policy draft from Stage 5 and stakeholder views/feedback; output is a published policy. Stage 7: Maintain - Policies are periodically reviewed for continued applicability and validity; inputs are published policy and stakeholder feedback; outputs are a reviewed policy and a possible recommendation for revision or retirement.

Figure 2: Policy Development Stages, Including Inputs and Outputs (To view a larger version of this diagram, right-click on it and select "Open image in new tab." Then click on the newly opened tab.)

The policy development stages are often recursive, rather than linear. Multiple stages may be pursued in parallel. Stages that involve iteration may require a return to earlier stages in the process. Stakeholder communication, review, and feedback are encouraged and considered at each stage in the process.

Stage 1: Identify Need

IT Policy et al may be proposed by any stakeholder as a response to a perceived IT need or obligation. Needs may include:

  • Perceived gaps in existing IT Policies or related documents
  • Need to address risks
  • Changes to people, processes, budgets, technology or data
  • Mandates from UW System Administration (UWSA)2 or other higher authority

The need or obligation identified in the IT Policy proposal should be thoroughly understood, including its cause(s) and the reason(s) a solution is needed. The following questions may be helpful in developing a thorough understanding of the need or obligation:

  • What is the need or obligation to be met?
  • What is driving the need for a solution? Some possibilities to consider: regulatory or other compliance requirements, risk reduction, or increased accountability.
  • What are the risks/potential losses now and if nothing is done?  
  • What is the scope of the need or obligation? Who is affected by it and when?
  • What are the success criteria? How will we know the need or obligation has been successfully addressed?
  • What requirements or constraints must the proposed solution consider?
  • What is the appropriate IT Policy mechanism to address the need or obligation?
  • How quickly does the need or obligation need to be addressed?

Any understanding of the need or obligation should be reached in collaboration with stakeholders. Such a shared understanding helps minimize delays that result from misunderstanding. 
Stage 1 will result in a clear statement, understood by stakeholders, of the issue, need, obligation or opportunity, along with its scope, risks, and other factors. The statement should identify who decided how to respond to the request.

Stage 2: Analyze Need

Once an identified need or obligation is thoroughly understood, a determination of compelling need for IT Policy must be made. This determination should be based, in part, on whether the issue falls within the purview of “IT Policy,” as defined in the PAT Charter. When there is a compelling need for IT Policy, the approach to addressing the need must be determined.

These determinations ensure a reasoned IT Policy Portfolio consisting of policies and related documents that:

  • Respond to needs appropriately addressed by IT Governance
  • Can feasibly address the identified needs

Compelling need and approach should be determined based on inputs and outputs from Stage 1, stakeholder views/feedback and other relevant information, as shown in Figure 2 above.

Stage 2 will result in a written recommendation for a course of action in response to the original IT Policy proposal. The Policy Planning and Analysis Team (PAT) will draft an initial recommendation. PAT will then provide its recommendation to the University’s Information Technology Committee (ITC). PAT and ITC will work collaboratively and iteratively to produce a final recommendation for the VP-IT (CIO). The VP-IT (CIO) will have final authority to approve or deny the recommendation.

Stage 3: Create Charter

A charter must be created for each policy action approved by the VP-IT (CIO). The purpose of the charter is to provide a shared understanding of the work to be done. This shared understanding is needed to ensure the team tasked with drafting or revising the IT policy or related document knows how to produce deliverables that meet the expectations of stakeholders and IT Governance.

The PAT may, at its discretion, escalate a draft charter to the ITC for review and comment. Such escalation is advised when there are questions or concerns about the goals and outcomes, success criteria, policy scope, or other details addressed in the draft.

The Working Group may recommend charter revisions to the PAT after this stage. The ability to request charter revisions allows Working Groups the agility to respond to circumstances and knowledge that emerge and evolve after this stage. As with drafts of the initial charter, the PAT may, at its discretion, escalate recommended charter revisions to ITC for review and comment.

Stage 3 will result in a written charter that responds to the VP-IT (CIO)-approved recommendation produced in Stage 2 (see Figure 2 above).

Stage 4: Draft

Guided by the IT Policy charter generated in Stage 3, a Drafting Team will develop the policy or related document. The purpose of this stage is to propose core language to be reviewed and approved by appropriate groups, including stakeholders, PAT, ITC and the VP-IT (CIO).

Stage 4 should be considered iterative. Drafting Teams are expected to appropriately seek and address feedback from stakeholders and subject matter experts (SMEs). SMEs may include campus personnel, outside consultants, industry groups, government and other authoritative bodies, and other entities. In particular, Drafting Teams are expected to seek input that helps them identify and understand the potential implications of their proposed language. This discovery may involve a risk evaluation that identifies potential threats, likelihoods and impacts.

Stage 4 will result in a complete draft of the document(s) specified in the project charter. Drafts should follow appropriate templates, where available (see Table 2 below).

Table 2: Available Templates by IT Policy Document Type
Type of Policy Document Template to Use
Policy UW-Madison Policy Library Policy Template
Procedure UW-Madison Policy Library Procedures Template
Standard IT Policy Standard Template
Implementation Plan IT Policy Implementation Plan Template
Guidelines IT Policy Guidelines Template

All fields and sections in the appropriate document template should be completed by the Drafting Team when possible. Where no template is available, the Drafting Team should make an effort to provide all information relevant to the content of the document.

Stage 5: Review and Assess

In Stage 5, the draft produced in Stage 4 is reviewed to assess implications and impacts of the policy or related document. This review is necessary to ensure the proposed policy is feasible and viable.

Review is completed by three entities, with stakeholder participation:

  • Policy Planning and Analysis Team (PAT)
  • IT Committee (ITC)
  • UW-Madison Policy Library Coordinator (PLC)

The PAT (a sub-committee of ITC) and ITC are Governance bodies whose assessments focus on how a policy will affect the ability of faculty, staff and students to carry out UW-Madison’s teaching, learning and research activities. The Policy Library Coordinator assesses the presentation of the policy to ensure it meets language and formatting criteria for inclusion in the UW-Madison’s Policy Library. Only policies included in the Policy Library are considered to be official UW-Madison policies.
Review and assessment of draft policies is consecutive and iterative.

The order of review is as follows:

  1. PAT
  2. PLC3
  3. ITC

IT Policy Staff will be responsible for facilitating transitions between steps.

Feedback generated at each level of review should be provided, as appropriate, to the entity or entities responsible for previous levels of review. 

PAT will be responsible for coordinating with the policy Drafting Team to:

  • Make appropriate edits and revisions based on feedback
  • Address feedback not incorporated into subsequent drafts 

Multiple rounds of review and revision may be needed to produce a draft that is acceptable to PAT, ITC and the Policy Library Coordinator3. IT Policy Staff will document acceptance of a final draft by each entity, to provide a record of compliance with this Procedure.

The process to be followed in Stage 5 is illustrated in Figure 4 below.A flowchart shows that once the process starts, a Working Group preps a draft policy. The PAT then reviews and assesses the draft. If the PAT accepts the draft as final, the draft is sent for Policy Library Coordinator Review. If the PAT does not accept the draft as final, they provide feedback and return the draft to the Working Group for further preparation and drafting, following the initial process. When the Policy Library Coordinator receives a draft, they review it. If they accept the draft as final, it is sent to the ITC for review and assessment. If the Policy Library Coordinator does not accept the draft as final, it is returned to the PAT for further review and assessment, per the process previously described. When the ITC has reviewed and assessed a policy, if they accept it as the final draft, they recommend for approval by the CIO. If they do not accept the draft as final, they provide feedback and return the draft to the PAT for further review and assessment per the process already described. Note that all transitions between steps will be facilitated by IT Policy Staff. In particular, the Policy Library Coordinator will not directly provide an accepted draft to the ITC for review. Also note, that Policy Library Coordinator review is a sub-process that may be skipped after an initial round of review.

Figure 3: Review and Assessment Process (To view a larger version of this flowchart, right-click on it and select "Open image in new tab." Then click on the newly opened tab.)

Stage 5 will result in a formal recommendation from ITC to the VP-IT (CIO) to approve the final draft of the policy or related document.

Stage 6: Approve

In Stage 6, the VP-IT (CIO) approves the final draft. This approval is necessary because only the VP-IT (CIO) has the authority to establish IT Policy at UW-Madison. VP-IT (CIO) approval triggers publication of the policy or related document.

To initiate VP-IT (CIO) approval, the ITC Chair, or a designee, will use an electronic signature tool or suitable alternative to send the following to the VP-IT (CIO):

  • Final document draft
  • Minutes from the ITC Meeting in which the draft was approved

Upon receipt, the VP-IT (CIO) will consult with staff responsible for IT policy to validate that all previous steps of the IT Policy Procedures were successfully completed and that stakeholder input was solicited and considered. If the VP-IT (CIO) has questions about the policy, completion of steps or appropriate consideration of stakeholder input, they will work with the CISO and ITC to resolve those questions. Depending on the particulars of the resolution, the ITC Chair may need to provide the VP-IT (CIO) a revised draft.

The VP-IT (CIO) will indicate approval of a draft by signing the document package provided by the ITC Chair or designee. Upon approval, the VP-IT (CIO) will designate the date on which the document will take effect and name the party(ies) responsible for implementation.

IT Policy Staff will facilitate communication between the ITC, VP-IT (CIO), CISO, and Policy Library Coordinator as needed throughout Stage 6.

Stage 6 will result in a published IT policy or related document.

Stage 7: Maintain

In Stage 7, policies et al are reviewed. Review is necessary to ensure the documents in the IT Policy Portfolio are applicable and valid.

The approval authority or their designee is responsible for conducting review of the policy or related document. This review should include participation and input from stakeholders.

Policies et al will be reviewed every 2-3 years unless:

  • The Drafting Team designates an alternative review period as part of the drafting process or
  • The approval authority or a designee determines a different cadence is appropriate.

The following shall be considered as part of the review:

  • What the policy or standard requires (or what other types of documents recommend)
  • The impact(s) of the policy or related document (e.g., risk, cost)
  • Presentation and language

The reviewer will recommend one of the following maintenance actions:

  • Retire the document and replace it with a new document
  • Make major modifications to the document
  • Make minor revisions to the document
  • Retire the document without replacing it
  • Leave the current document in place with no changes

For policies, the type of maintenance action taken determines the stage of the policy development process to which the policy will return. All other types of documents will return to Stage 5, unless PAT or ITC requests return to an earlier stage. See Figure 5 below.

Diagram shows the 7 stages of the policy development process. For policies, recommendations for retirement and replacement or major modification return the policy to Stage 1 of the process, Identify Need. For policies, recommendations for minor revisions or retirement without replacement return the policy to Stage 5 in the process, Review and Assess. For policies, a recommendation for no change leaves the policy at Stage 7 in the process, Maintain. For other, non-policy document types, a recommendation for any change returns the document to Stage 5, Review and Assess. For other, non-policy documents, a recommendation of no change leaves the document at Stage 7 in the process, Maintain.

Figure 4: Maintenance Action Options and Corresponding Policy Development Stages (To view a larger version of this image, right-click on it and select "Open image in new tab." Then click on the newly opened tab.)

Stage 7 will result in:

  1. Execution of a specific maintenance action and
  2. Updates to the document history to indicate the date of review and maintenance action taken.

 Roles and Responsibilities

Table 3: IT Policy Procedure Roles and Responsibilities
Position Title Role Responsibilities
IT Policy Staff IT Policy Staff are responsible for supporting IT policy development. IT Policy Staff sit on the PAT and may serve as facilitative consultants on Working Groups and Drafting Teams.
  • Field IT policy requests
  • Facilitate overall IT policy development process
  • Liaise between other roles and facilitate the transfer of documents and feedback
  • Document completion of IT Policy Procedures steps
  • Maintain an archive of IT policy documents, both in-process and approved
Policy Planning & Analysis Team (PAT) The PAT is a subcommittee. Membership is determined according to the PAT Charter
  • Advise ITC on IT policy
  • Review policy proposals to assess implications and impact
  • Provide feedback on policy proposals
  • Draft policy recommendations
  • Draft charters
  • Review and respond to drafts
  • Advise Working Groups and Drafting Teams in responding to feedback provided by ITC
Working Group Working Groups are ad hoc committees appointed by PAT to carry out the work of developing or revising policy. Members are subject matter experts (SMEs) and other stakeholders.
  • Liaise with other stakeholders and SMEs
  • May draft and revise documents
  • Interpret and respond appropriately to feedback from PAT, ITC, PLC, and VP-IT (CIO)
Drafting Team Drafting Teams are ad hoc committees appointed by Working Groups to draft policy language. Members may be a subset of the corresponding Working Group or they may be other subject matter experts (SMEs) or stakeholders.
  • Draft and revise documents
  • Interpret and respond appropriately to feedback from Working Groups, PAT, ITC, PLC, and VP-IT (CIO)
Policy Library Coordinator (PLC) The PLC is a member of the Office of Strategic Consulting who maintains the UW-Madison Policy Library. The PLC helps ensure consistency among policies in the Policy Library.
  • Review and provide feedback on drafts provided by PAT
  • Publish approved policies to Policy Library
Information Technology Committee (ITC) ITC is the faculty shared governance body for policy and planning for information technology throughout the university. It is composed of faculty, academic staff and students.
  • Advise VP-IT (CIO) on IT policy
  • Review policy proposals to assess implications and impact
  • Provide feedback on policy proposals
  • Review and provide feedback on drafts provided by PAT
Vice President of Information Technology and Chief Information Officer (CIO)

The VP-IT (CIO) facilitates the university’s mission by ensuring effective use of information resources and information technology. This position is the approval authority for all IT policies.

  • Review policy proposals to assess implications and impact
  • Provide feedback on policy proposals
  • Review and provide feedback on drafts provided by ITC
  • Approve policies et al

1The terms “IT Policy” and “Policy” refer collectively to policies, procedures, standards and guidelines.

2A UWSA mandate will be considered a proposal for IT Policy.

3PLC review is needed only for policies. Standards, procedures, guidelines and other policy-related documents are not published in the UW–Madison Policy Library.

Definitions

For definitions please see the IT Policy Glossary.

Contact

Please address questions or comments to itpolicy@cio.wisc.edu.




Keywords:
policy procedure pat development management stakeholder pat itc governance drafting 
Doc ID:
137988
Owned by:
Heather J. in IT Policy
Created:
2024-06-19
Updated:
2024-10-08
Sites:
IT Policy