UW-Madison - IT Policy Procedure

Applies to all IT Policy development, revision and retirement at UW-Madison. Applies to anyone responsible for implementing and complying with IT policies.

UW-510 IT Policy is the policy for this procedure.


Procedure Statement

The main goals of the IT Policy1 Development Procedure are to better ensure:

  • IT Policies are created in response to a need
  • IT Policies represent the values and norms of the organization.
  • The IT Policy Portfolio is manageable in terms of abstraction level, number of policies and other considerations
  • It is possible to implement and comply with IT Policies
  • Anyone can locate, interpret and determine applicability of an IT Policy

Who Is Affected by This Procedure?

Applies to all IT Policy development, revision and retirement at UW-Madison. Applies to anyone responsible for implementing and complying with IT policies.  

Procedure Detail

Stage 1: Identify Need - Stakeholders propose a policy; IT Policy Staff draft a problem statement. Stage 2: Analyze Need - Stakeholder feedback is solicited and considered; IT Policy Staff follow up with proposer; PAT confirms the need and drafts and iteratively revises a recommendation; ITC and the CIO accept the recommendation. Stage 3: Create Charter - Stakeholder feedback is solicited and considered; IT Policy Staff recruit a working group; PAT drafts a charter.  Stage 4: Draft - Stakeholder feedback is solicited and considered; the Working Group or Drafting Team drafts and iteratively revises the policy or related document. Stage 5: Review and Assess - Stakeholder feedback is solicited and considered; The PAT, Policy Library Coordinator, and ITC accept a draft. Stage 6: Approve - Stakeholder feedback is solicited and considered; the CIO approves the policy or related document; the Policy Library Coordinator publishes the policy in the UW-Madison Policy Library; Stage 7: Maintain - Stakeholder feedback is solicited and considered; the PAT reviews and recommends action on existing policy.

Figure 1: Overview of the Policy Development Process, Including Stages and Responsibilities (To view a larger version of this diagram, right-click on it and select "Open image in new tab." Then click on the newly opened tab.)

The following framework guides both the development and the modification of IT Policies and related documents, including Procedures, Standards, Implementation Plans, and Guidelines (hereafter referred to collectively as “IT Policies”).

This framework supports IT Policy goals by ensuring:

  • IT Policy has been selected as the appropriate solution based on a well understood and well defined business case that specifies needs, success criteria, scope and other elements.
  • IT Policies do not duplicate other UW-Madison or UWSA policies
  • IT Policies are not overly specific or prescriptive
  • The right IT Policy mechanism (e.g., Policy, Procedure, Standard, Guidelines) is used to address the need
  • The scope of an IT Policy – to whom, what and when it applies – is appropriate
  • IT Policies reflect an understanding of implications and impacts, including those related to implementation
  • Stakeholders have an opportunity to participate in feedback, review, consensus, and approval of IT Policies at appropriate milestones

Policy Development Stages

IT Policy will be developed using a 7-stage process, as outlined in Table 1 and Figure 2 below.

Table 1: Stages in the Policy Development Process
No. Title Description
1 Identify Need A policy is suggested to address a perceived IT need or obligation.
2 Analyze Need The need is assessed for high-level implications and impacts and an initial estimate of campus risk; approach is determined.
3 Charter Policy work goals, objectives, scope, and other elements are identified.
4 Draft Plans are created and documents are drafted.
5 Review and Assess Plans and documents are assessed for campus implications and impacts.
6 Approve Final plans and documents are reviewed and submitted for approval.
7 Maintain Policies are periodically reviewed for continued applicability and validity.

Stage 1: Identify Need - A policy is suggested to address a perceived IT need or obligation; inputs are IT Policy proposal, laws, regulations, standards, stakeholder views, risk assessments, other info; outputs are problem statement, IT Policy Staff recommendation. Stage 2: Analyze Need - Need is assessed to identify implications/impacts and estimate risk and approach is determined; inputs are Stage 1 inputs and outputs, stakeholder participation, and other information; outputs are written recommendation for action. Stage 3: Create Charter - Policy project goals, objectives, scope, and other elements are identified; inputs are approved recommendation from Stage 2, stakeholder feedback, constraints (e.g., time, info, expertise, decision-making); output is a written charter. Stage 4: Draft - Plans are created and documents are drafted; inputs include charter from Stage 3, laws, rules and regulations, industry standards, risk evaluation, stakeholder feedback, UW-Madison Policy Library template; output is a complete draft of a policy document. Stage 5: Review and Assess - Plans and documents are assessed for campus implications and impacts; inputs are complete draft of policy document from Stage 4, suggested edits and other feedback; outputs are IT recommendation for CIO approval and a final policy draft. Stage 6: Approve - Final plans and documents are reviewed and submitted for approval; inputs are recommendation and policy draft from Stage 5 and stakeholder views/feedback; output is a published policy. Stage 7: Maintain - Policies are periodically reviewed for continued applicability and validity; inputs are published policy and stakeholder feedback; outputs are a reviewed policy and a possible recommendation for revision or retirement.

Figure 2: Policy Development Stages, Including Inputs and Outputs (To view a larger version of this diagram, right-click on it and select "Open image in new tab." Then click on the newly opened tab.)

The policy development stages are often recursive, rather than linear. Multiple stages may be pursued in parallel. Stages that involve iteration may require a return to earlier stages in the process. Stakeholder communication, review, and feedback are encouraged and considered at each stage in the process.

 Roles and Responsibilities

Table 3: IT Policy Procedure Roles and Responsibilities
Position Title Role Responsibilities
IT Policy Staff IT Policy Staff are responsible for supporting IT policy development. IT Policy Staff sit on the PAT and may serve as facilitative consultants on Working Groups and Drafting Teams.
  • Field IT policy requests
  • Facilitate overall IT policy development process
  • Liaise between other roles and facilitate the transfer of documents and feedback
  • Document completion of IT Policy Procedures steps
  • Maintain an archive of IT policy documents, both in-process and approved
Policy Planning & Analysis Team (PAT) The PAT is a subcommittee. Membership is determined according to the PAT Charter
  • Advise ITC on IT policy
  • Review policy proposals to assess implications and impact
  • Provide feedback on policy proposals
  • Draft policy recommendations
  • Draft charters
  • Review and respond to drafts
  • Advise Working Groups and Drafting Teams in responding to feedback provided by ITC
Working Group Working Groups are ad hoc committees appointed by PAT to carry out the work of developing or revising policy. Members are subject matter experts (SMEs) and other stakeholders.
  • Liaise with other stakeholders and SMEs
  • May draft and revise documents
  • Interpret and respond appropriately to feedback from PAT, ITC, PLC, and VP-IT (CIO)
Drafting Team Drafting Teams are ad hoc committees appointed by Working Groups to draft policy language. Members may be a subset of the corresponding Working Group or they may be other subject matter experts (SMEs) or stakeholders.
  • Draft and revise documents
  • Interpret and respond appropriately to feedback from Working Groups, PAT, ITC, PLC, and VP-IT (CIO)
Policy Library Coordinator (PLC) The PLC is a member of the Office of Strategic Consulting who maintains the UW-Madison Policy Library. The PLC helps ensure consistency among policies in the Policy Library.
  • Review and provide feedback on drafts provided by PAT
  • Publish approved policies to Policy Library
Information Technology Committee (ITC) ITC is the faculty shared governance body for policy and planning for information technology throughout the university. It is composed of faculty, academic staff and students.
  • Advise VP-IT (CIO) on IT policy
  • Review policy proposals to assess implications and impact
  • Provide feedback on policy proposals
  • Review and provide feedback on drafts provided by PAT
Vice President of Information Technology and Chief Information Officer (CIO)

The VP-IT (CIO) facilitates the university’s mission by ensuring effective use of information resources and information technology. This position is the approval authority for all IT policies.

  • Review policy proposals to assess implications and impact
  • Provide feedback on policy proposals
  • Review and provide feedback on drafts provided by ITC
  • Approve policies et al

1The terms “IT Policy” and “Policy” refer collectively to policies, procedures, standards and guidelines.

2A UWSA mandate will be considered a proposal for IT Policy.

3PLC review is needed only for policies. Standards, procedures, guidelines and other policy-related documents are not published in the UW–Madison Policy Library.

Definitions

For definitions please see the IT Policy Glossary.

Contact

Please address questions or comments to itpolicy@cio.wisc.edu.




Keywords:
policy procedure pat development management stakeholder pat itc governance drafting
Doc ID:
137988
Owned by:
Heather J. in IT Policy
Created:
2024-06-19
Updated:
2024-12-05
Sites:
IT Policy