UW-Madison - IT Policy Procedure

Applies to all IT Policy development, revision and retirement at UW-Madison. Applies to anyone responsible for implementing and complying with IT policies.

UW-510 IT Policy is the policy for this procedure.

Procedure Statement

The main goals of the IT Policy¹ Development Procedure are to better ensure:

IT Policies are created in response to a need
IT Policies represent the values and norms of the organization.
The IT Policy Portfolio is manageable in terms of abstraction level, number of policies and other considerations
It is possible to implement and comply with IT Policies
Anyone can locate, interpret and determine applicability of an IT Policy

Who Is Affected by This Procedure?

Applies to all IT Policy development, revision and retirement at UW-Madison. Applies to anyone responsible for implementing and complying with IT policies.

Procedure Detail

Figure 1: Overview of the Policy Development Process, Including Stages and Responsibilities (To view a larger version of this diagram, right-click on it and select "Open image in new tab." Then click on the newly opened tab.)

The following framework guides both the development and the modification of IT Policies and related documents, including Procedures, Standards, Implementation Plans, and Guidelines (hereafter referred to collectively as “IT Policies”).

This framework supports IT Policy goals by ensuring:

IT Policy has been selected as the appropriate solution based on a well understood and well defined business case that specifies needs, success criteria, scope and other elements.
IT Policies do not duplicate other UW-Madison or UWSA policies
IT Policies are not overly specific or prescriptive
The right IT Policy mechanism (e.g., Policy, Procedure, Standard, Guidelines) is used to address the need
The scope of an IT Policy – to whom, what and when it applies – is appropriate
IT Policies reflect an understanding of implications and impacts, including those related to implementation
Stakeholders have an opportunity to participate in feedback, review, consensus, and approval of IT Policies at appropriate milestones

Policy Development Stages

IT Policy will be developed using a 7-stage process, as outlined in Table 1 and Figure 2 below.

Table 1: Stages in the Policy Development Process
No.	Title	Description
1	Identify Need	A policy is suggested to address a perceived IT need or obligation.
2	Analyze Need	The need is assessed for high-level implications and impacts and an initial estimate of campus risk; approach is determined.
3	Charter	Policy work goals, objectives, scope, and other elements are identified.
4	Draft	Plans are created and documents are drafted.
5	Review and Assess	Plans and documents are assessed for campus implications and impacts.
6	Approve	Final plans and documents are reviewed and submitted for approval.
7	Maintain	Policies are periodically reviewed for continued applicability and validity.

Figure 2: Policy Development Stages, Including Inputs and Outputs (To view a larger version of this diagram, right-click on it and select "Open image in new tab." Then click on the newly opened tab.)

The policy development stages are often recursive, rather than linear. Multiple stages may be pursued in parallel. Stages that involve iteration may require a return to earlier stages in the process. Stakeholder communication, review, and feedback are encouraged and considered at each stage in the process.

Stage 1: Identify Need

IT Policy et al may be proposed by any stakeholder as a response to a perceived IT need or obligation. Needs may include:

Perceived gaps in existing IT Policies or related documents
Need to address risks
Changes to people, processes, budgets, technology or data
Mandates from UW System Administration (UWSA)² or other higher authority

The need or obligation identified in the IT Policy proposal should be thoroughly understood, including its cause(s) and the reason(s) a solution is needed. The following questions may be helpful in developing a thorough understanding of the need or obligation:

What is the need or obligation to be met?
What is driving the need for a solution? Some possibilities to consider: regulatory or other compliance requirements, risk reduction, or increased accountability.
What are the risks/potential losses now and if nothing is done?
What is the scope of the need or obligation? Who is affected by it and when?
What are the success criteria? How will we know the need or obligation has been successfully addressed?
What requirements or constraints must the proposed solution consider?
What is the appropriate IT Policy mechanism to address the need or obligation?
How quickly does the need or obligation need to be addressed?

Any understanding of the need or obligation should be reached in collaboration with stakeholders. Such a shared understanding helps minimize delays that result from misunderstanding.
Stage 1 will result in a clear statement, understood by stakeholders, of the issue, need, obligation or opportunity, along with its scope, risks, and other factors. The statement should identify who decided how to respond to the request.

Stage 2: Analyze Need

Once an identified need or obligation is thoroughly understood, a determination of compelling need for IT Policy must be made. This determination should be based, in part, on whether the issue falls within the purview of “IT Policy,” as defined in the PAT Charter. When there is a compelling need for IT Policy, the approach to addressing the need must be determined.

These determinations ensure a reasoned IT Policy Portfolio consisting of policies and related documents that:

Respond to needs appropriately addressed by IT Governance
Can feasibly address the identified needs

Compelling need and approach should be determined based on inputs and outputs from Stage 1, stakeholder views/feedback and other relevant information, as shown in Figure 2 above.

Stage 2 will result in a written recommendation for a course of action in response to the original IT Policy proposal. The Policy Planning and Analysis Team (PAT) will draft an initial recommendation. PAT will then provide its recommendation to the University’s Information Technology Committee (ITC). PAT and ITC will work collaboratively and iteratively to produce a final recommendation for the VP-IT (CIO). The VP-IT (CIO) will have final authority to approve or deny the recommendation.

Stage 3: Create Charter

A charter must be created for each policy action approved by the VP-IT (CIO). The purpose of the charter is to provide a shared understanding of the work to be done. This shared understanding is needed to ensure the team tasked with drafting or revising the IT policy or related document knows how to produce deliverables that meet the expectations of stakeholders and IT Governance.

The PAT may, at its discretion, escalate a draft charter to the ITC for review and comment. Such escalation is advised when there are questions or concerns about the goals and outcomes, success criteria, policy scope, or other details addressed in the draft.

The Working Group may recommend charter revisions to the PAT after this stage. The ability to request charter revisions allows Working Groups the agility to respond to circumstances and knowledge that emerge and evolve after this stage. As with drafts of the initial charter, the PAT may, at its discretion, escalate recommended charter revisions to ITC for review and comment.

Stage 3 will result in a written charter that responds to the VP-IT (CIO)-approved recommendation produced in Stage 2 (see Figure 2 above).

Stage 4: Draft

Guided by the IT Policy charter generated in Stage 3, a Drafting Team will develop the policy or related document. The purpose of this stage is to propose core language to be reviewed and approved by appropriate groups, including stakeholders, PAT, ITC and the VP-IT (CIO).

Stage 4 should be considered iterative. Drafting Teams are expected to appropriately seek and address feedback from stakeholders and subject matter experts (SMEs). SMEs may include campus personnel, outside consultants, industry groups, government and other authoritative bodies, and other entities. In particular, Drafting Teams are expected to seek input that helps them identify and understand the potential implications of their proposed language. This discovery may involve a risk evaluation that identifies potential threats, likelihoods and impacts.

Stage 4 will result in a complete draft of the document(s) specified in the project charter. Drafts should follow appropriate templates, where available (see Table 2 below).

Table 2: Available Templates by IT Policy Document Type
Type of Policy Document	Template to Use
Policy	UW-Madison Policy Library Policy Template
Procedure	UW-Madison Policy Library Procedures Template
Standard	IT Policy Standard Template
Implementation Plan	IT Policy Implementation Plan Template
Guidelines	IT Policy Guidelines Template

All fields and sections in the appropriate document template should be completed by the Drafting Team when possible. Where no template is available, the Drafting Team should make an effort to provide all information relevant to the content of the document.

Stage 5: Review and Assess

In Stage 5, the draft produced in Stage 4 is reviewed to assess implications and impacts of the policy or related document. This review is necessary to ensure the proposed policy is feasible and viable.

Review is completed by three entities, with stakeholder participation:

Policy Planning and Analysis Team (PAT)
IT Committee (ITC)
UW-Madison Policy Library Coordinator (PLC)

The PAT (a sub-committee of ITC) and ITC are Governance bodies whose assessments focus on how a policy will affect the ability of faculty, staff and students to carry out UW-Madison’s teaching, learning and research activities. The Policy Library Coordinator assesses the presentation of the policy to ensure it meets language and formatting criteria for inclusion in the UW-Madison’s Policy Library. Only policies included in the Policy Library are considered to be official UW-Madison policies.
Review and assessment of draft policies is consecutive and iterative.

The order of review is as follows:

PAT
PLC³
ITC

IT Policy Staff will be responsible for facilitating transitions between steps.

Feedback generated at each level of review should be provided, as appropriate, to the entity or entities responsible for previous levels of review.

PAT will be responsible for coordinating with the policy Drafting Team to:

Make appropriate edits and revisions based on feedback
Address feedback not incorporated into subsequent drafts

Multiple rounds of review and revision may be needed to produce a draft that is acceptable to PAT, ITC and the Policy Library Coordinator³. IT Policy Staff will document acceptance of a final draft by each entity, to provide a record of compliance with this Procedure.

The process to be followed in Stage 5 is illustrated in Figure 4 below.

Figure 3: Review and Assessment Process (To view a larger version of this flowchart, right-click on it and select "Open image in new tab." Then click on the newly opened tab.)

Stage 5 will result in a formal recommendation from ITC to the VP-IT (CIO) to approve the final draft of the policy or related document.

Stage 6: Approve

In Stage 6, the VP-IT (CIO) approves the final draft. This approval is necessary because only the VP-IT (CIO) has the authority to establish IT Policy at UW-Madison. VP-IT (CIO) approval triggers publication of the policy or related document.

To initiate VP-IT (CIO) approval, the ITC Chair, or a designee, will use an electronic signature tool or suitable alternative to send the following to the VP-IT (CIO):

Final document draft
Minutes from the ITC Meeting in which the draft was approved

Upon receipt, the VP-IT (CIO) will consult with staff responsible for IT policy to validate that all previous steps of the IT Policy Procedures were successfully completed and that stakeholder input was solicited and considered. If the VP-IT (CIO) has questions about the policy, completion of steps or appropriate consideration of stakeholder input, they will work with the CISO and ITC to resolve those questions. Depending on the particulars of the resolution, the ITC Chair may need to provide the VP-IT (CIO) a revised draft.

The VP-IT (CIO) will indicate approval of a draft by signing the document package provided by the ITC Chair or designee. Upon approval, the VP-IT (CIO) will designate the date on which the document will take effect and name the party(ies) responsible for implementation.

IT Policy Staff will facilitate communication between the ITC, VP-IT (CIO), CISO, and Policy Library Coordinator as needed throughout Stage 6.

Stage 6 will result in a published IT policy or related document.

Stage 7: Maintain

In Stage 7, policies et al are reviewed. Review is necessary to ensure the documents in the IT Policy Portfolio are applicable and valid.

The approval authority or their designee is responsible for conducting review of the policy or related document. This review should include participation and input from stakeholders.

Policies et al will be reviewed every 2-3 years unless:

The Drafting Team designates an alternative review period as part of the drafting process or
The approval authority or a designee determines a different cadence is appropriate.

The following shall be considered as part of the review:

What the policy or standard requires (or what other types of documents recommend)
The impact(s) of the policy or related document (e.g., risk, cost)
Presentation and language

The reviewer will recommend one of the following maintenance actions:

Retire the document and replace it with a new document
Make major modifications to the document
Make minor revisions to the document
Retire the document without replacing it
Leave the current document in place with no changes

For policies, the type of maintenance action taken determines the stage of the policy development process to which the policy will return. All other types of documents will return to Stage 5, unless PAT or ITC requests return to an earlier stage. See Figure 5 below.

Figure 4: Maintenance Action Options and Corresponding Policy Development Stages (To view a larger version of this image, right-click on it and select "Open image in new tab." Then click on the newly opened tab.)

Stage 7 will result in:

Execution of a specific maintenance action and
Updates to the document history to indicate the date of review and maintenance action taken.

Roles and Responsibilities

Table 3: IT Policy Procedure Roles and Responsibilities
Position Title	Role	Responsibilities
IT Policy Staff	IT Policy Staff are responsible for supporting IT policy development. IT Policy Staff sit on the PAT and may serve as facilitative consultants on Working Groups and Drafting Teams.	Field IT policy requests Facilitate overall IT policy development process Liaise between other roles and facilitate the transfer of documents and feedback Document completion of IT Policy Procedures steps Maintain an archive of IT policy documents, both in-process and approved
Policy Planning & Analysis Team (PAT)	The PAT is a subcommittee. Membership is determined according to the PAT Charter	Advise ITC on IT policy Review policy proposals to assess implications and impact Provide feedback on policy proposals Draft policy recommendations Draft charters Review and respond to drafts Advise Working Groups and Drafting Teams in responding to feedback provided by ITC
Working Group	Working Groups are ad hoc committees appointed by PAT to carry out the work of developing or revising policy. Members are subject matter experts (SMEs) and other stakeholders.	Liaise with other stakeholders and SMEs May draft and revise documents Interpret and respond appropriately to feedback from PAT, ITC, PLC, and VP-IT (CIO)
Drafting Team	Drafting Teams are ad hoc committees appointed by Working Groups to draft policy language. Members may be a subset of the corresponding Working Group or they may be other subject matter experts (SMEs) or stakeholders.	Draft and revise documents Interpret and respond appropriately to feedback from Working Groups, PAT, ITC, PLC, and VP-IT (CIO)
Policy Library Coordinator (PLC)	The PLC is a member of the Office of Strategic Consulting who maintains the UW-Madison Policy Library. The PLC helps ensure consistency among policies in the Policy Library.	Review and provide feedback on drafts provided by PAT Publish approved policies to Policy Library
Information Technology Committee (ITC)	ITC is the faculty shared governance body for policy and planning for information technology throughout the university. It is composed of faculty, academic staff and students.	Advise VP-IT (CIO) on IT policy Review policy proposals to assess implications and impact Provide feedback on policy proposals Review and provide feedback on drafts provided by PAT
Vice President of Information Technology and Chief Information Officer (CIO)	The VP-IT (CIO) facilitates the university’s mission by ensuring effective use of information resources and information technology. This position is the approval authority for all IT policies.	Review policy proposals to assess implications and impact Provide feedback on policy proposals Review and provide feedback on drafts provided by ITC Approve policies et al

¹The terms “IT Policy” and “Policy” refer collectively to policies, procedures, standards and guidelines.

²A UWSA mandate will be considered a proposal for IT Policy.

³PLC review is needed only for policies. Standards, procedures, guidelines and other policy-related documents are not published in the UW–Madison Policy Library.