IT Policy et al may be proposed by any stakeholder as a response to a perceived IT need or obligation. Needs may include:

• Perceived gaps in existing IT Policies or related documents
• Need to address risks
• Changes to people, processes, budgets, technology or data
• Mandates from UW System Administration (UWSA)² or other higher authority

The need or obligation identified in the IT Policy proposal should be thoroughly understood, including its cause(s) and the reason(s) a solution is needed. The following questions may be helpful in developing a thorough understanding of the need or obligation:

• What is the need or obligation to be met?
• What is driving the need for a solution? Some possibilities to consider: regulatory or other compliance requirements, risk reduction, or increased accountability.
• What are the risks/potential losses now and if nothing is done?  
• What is the scope of the need or obligation? Who is affected by it and when?
• What are the success criteria? How will we know the need or obligation has been successfully addressed?
• What requirements or constraints must the proposed solution consider?
• What is the appropriate IT Policy mechanism to address the need or obligation?
• How quickly does the need or obligation need to be addressed?

Any understanding of the need or obligation should be reached in collaboration with stakeholders. Such a shared understanding helps minimize delays that result from misunderstanding. 
Stage 1 will result in a clear statement, understood by stakeholders, of the issue, need, obligation or opportunity, along with its scope, risks, and other factors. The statement should identify who decided how to respond to the request.

Once an identified need or obligation is thoroughly understood, a determination of compelling need for IT Policy must be made. This determination should be based, in part, on whether the issue falls within the purview of “IT Policy,” as defined in the PAT Charter. When there is a compelling need for IT Policy, the approach to addressing the need must be determined.

These determinations ensure a reasoned IT Policy Portfolio consisting of policies and related documents that:

• Respond to needs appropriately addressed by IT Governance
• Can feasibly address the identified needs

Compelling need and approach should be determined based on inputs and outputs from Stage 1, stakeholder views/feedback and other relevant information, as shown in Figure 2 above.

Stage 2 will result in a written recommendation for a course of action in response to the original IT Policy proposal. The Policy Planning and Analysis Team (PAT) will draft an initial recommendation. PAT will then provide its recommendation to the University’s Information Technology Committee (ITC). PAT and ITC will work collaboratively and iteratively to produce a final recommendation for the VP-IT (CIO). The VP-IT (CIO) will have final authority to approve or deny the recommendation.

A charter must be created for each policy action approved by the VP-IT (CIO). The purpose of the charter is to provide a shared understanding of the work to be done. This shared understanding is needed to ensure the team tasked with drafting or revising the IT policy or related document knows how to produce deliverables that meet the expectations of stakeholders and IT Governance.

The PAT may, at its discretion, escalate a draft charter to the ITC for review and comment. Such escalation is advised when there are questions or concerns about the goals and outcomes, success criteria, policy scope, or other details addressed in the draft.

The Working Group may recommend charter revisions to the PAT after this stage. The ability to request charter revisions allows Working Groups the agility to respond to circumstances and knowledge that emerge and evolve after this stage. As with drafts of the initial charter, the PAT may, at its discretion, escalate recommended charter revisions to ITC for review and comment.

Stage 3 will result in a written charter that responds to the VP-IT (CIO)-approved recommendation produced in Stage 2 (see Figure 2 above).

Guided by the IT Policy charter generated in Stage 3, a Drafting Team will develop the policy or related document. The purpose of this stage is to propose core language to be reviewed and approved by appropriate groups, including stakeholders, PAT, ITC and the VP-IT (CIO).

Stage 4 should be considered iterative. Drafting Teams are expected to appropriately seek and address feedback from stakeholders and subject matter experts (SMEs). SMEs may include campus personnel, outside consultants, industry groups, government and other authoritative bodies, and other entities. In particular, Drafting Teams are expected to seek input that helps them identify and understand the potential implications of their proposed language. This discovery may involve a risk evaluation that identifies potential threats, likelihoods and impacts.

Stage 4 will result in a complete draft of the document(s) specified in the project charter. Drafts should follow appropriate templates, where available (see Table 2 below).

All fields and sections in the appropriate document template should be completed by the Drafting Team when possible. Where no template is available, the Drafting Team should make an effort to provide all information relevant to the content of the document.

In Stage 5, the draft produced in Stage 4 is reviewed to assess implications and impacts of the policy or related document. This review is necessary to ensure the proposed policy is feasible and viable.

Review is completed by three entities, with stakeholder participation:

• Policy Planning and Analysis Team (PAT)
• IT Committee (ITC)
• UW-Madison Policy Library Coordinator (PLC)

The PAT (a sub-committee of ITC) and ITC are Governance bodies whose assessments focus on how a policy will affect the ability of faculty, staff and students to carry out UW-Madison’s teaching, learning and research activities. The Policy Library Coordinator assesses the presentation of the policy to ensure it meets language and formatting criteria for inclusion in the UW-Madison’s Policy Library. Only policies included in the Policy Library are considered to be official UW-Madison policies.
Review and assessment of draft policies is consecutive and iterative.

The order of review is as follows:

1. PAT
2. PLC³
3. ITC

IT Policy Staff will be responsible for facilitating transitions between steps.

Feedback generated at each level of review should be provided, as appropriate, to the entity or entities responsible for previous levels of review. 

PAT will be responsible for coordinating with the policy Drafting Team to:

• Make appropriate edits and revisions based on feedback
• Address feedback not incorporated into subsequent drafts 

Multiple rounds of review and revision may be needed to produce a draft that is acceptable to PAT, ITC and the Policy Library Coordinator³. IT Policy Staff will document acceptance of a final draft by each entity, to provide a record of compliance with this Procedure.

The process to be followed in Stage 5 is illustrated in Figure 4 below.

Figure 3: Review and Assessment Process (To view a larger version of this flowchart, right-click on it and select "Open image in new tab." Then click on the newly opened tab.)

Stage 5 will result in a formal recommendation from ITC to the VP-IT (CIO) to approve the final draft of the policy or related document.

In Stage 6, the VP-IT (CIO) approves the final draft. This approval is necessary because only the VP-IT (CIO) has the authority to establish IT Policy at UW-Madison. VP-IT (CIO) approval triggers publication of the policy or related document.

To initiate VP-IT (CIO) approval, the ITC Chair, or a designee, will use an electronic signature tool or suitable alternative to send the following to the VP-IT (CIO):

• Final document draft
• Minutes from the ITC Meeting in which the draft was approved

Upon receipt, the VP-IT (CIO) will consult with staff responsible for IT policy to validate that all previous steps of the IT Policy Procedures were successfully completed and that stakeholder input was solicited and considered. If the VP-IT (CIO) has questions about the policy, completion of steps or appropriate consideration of stakeholder input, they will work with the CISO and ITC to resolve those questions. Depending on the particulars of the resolution, the ITC Chair may need to provide the VP-IT (CIO) a revised draft.

The VP-IT (CIO) will indicate approval of a draft by signing the document package provided by the ITC Chair or designee. Upon approval, the VP-IT (CIO) will designate the date on which the document will take effect and name the party(ies) responsible for implementation.

IT Policy Staff will facilitate communication between the ITC, VP-IT (CIO), CISO, and Policy Library Coordinator as needed throughout Stage 6.

Stage 6 will result in a published IT policy or related document.