The Development of an Institutional IT Policy Process March 18th, 2008

Judith Borreson Caruso,Director, Policy and Planning

Gary De Clute,IT Policy Consultant

Copyright (C) 2008 University of Wisconsin Board of Regents

Permission is granted for this material to be shared for non-commercial, educational purposes.

2

"For a policy to be effective in guiding community behaviors, it must reflect the full range of the community's values, must be understood and embraced by community members, and must reinforce the most important values and the mission of the institution as a whole...”

3

“... An effective policy requires campus-wide discussion and the involvement of each of the major constituencies of the community.“

Virginia E. Rezmierski & Aline Soules,EDUCAUSE Review (March/April 2000)

4

Agenda

I. Why do IT policy?II. What is IT policy?III. Creating an IT policy development processIV. Involving the campus communityV. Developing specific policiesVI. Next stepsVII. Lessons learnedVIII. Questions to considerAppendix: Description of the UW-Madison

IT-related Policy Development Process

5

I. Why do IT policy?

• Compliance with outside mandates

• Compelling internal business needs

6

II. What is IT policy?

• Policy with a significant IT component

• Only a few IT policies are purely IT

IT-related Policy Areas at UW-Madison

8

Informal definitions atUW-MadisonPolicy states what people must or must not do.

Are mandatory. Change slowly. Short. Simple. Exceptions are few.

Guidelines are recommendations.

Are optional. More changeable. More complex. Exceptions are many. Can supplement policy.

Procedures document“how to.”

Are implementation details of policy or guidelines. Changeable.

Standards offer criteria for consistency.

Are measurable, have checkpoints. Are validated through a review process.

9

III. Creating an IT policy development process

Five years of exploring strange new worlds

• No campus policy office

• Commitment to inclusive governance

• Commitment to iterative improvement

• Documenting what we’ve learned

10

Why have a process?

• Consistency and predictability –mitigates the fear factor

• Engages the community

• Needs and concerns are addressed

• “What’s the next step?”

11

UW-Madison culture

• Highly decentralized

• Values inclusion of many constituencies

• Minimalist policy tradition

• Skepticism of “central IT”(2/3 of IT staff are not in central IT)

• Governance challenges

12

Initial focus on Authentication and Authorization (AuthN/Z)

• Many policy issues• Already had inclusive campus team to

coordinate project activity• CIO asked team to coordinate AuthN/Z

policy

13

How we created the IT policy development process

• Addressed one cluster of related policy issues at a time, examples:– Campus NetID for student applicants– Appropriate use of campus NetID– Governance of role-based AuthN\Z

• Usually created a sub-team with additional campus representatives

14

Result: Draft IT policy development process

Demonstrated to work, but:

• Unknown to the larger community

• Unrepeatable in practice

• Not comprehensive across policy areas

15

IV. Involving the Campus Community

• Started quarterly IT Policy forums

• Chartered an IT Policy Planning team– Volunteers from campus!

16

IT Policy Forums

Purpose:

1. converse with faculty and staff

2. ensure widespread engagement on specific policies

17

Forum Design• Emphasis: get information

• Short presentations: by campus community

• Small group discussions

• Started with 1 hour, participantswanted 1 ½ hours!

18

IT Policy Planning Team

Goal - Draft a “Plan for IT Policy”:

• short- and long-term strategies

• process and policy priorities

• roles and responsibilities

• institutional governance

Volunteers!Volunteers!

21

IT Policy Process Recommendations

• Long-term / Strategic

• Definitions

• Roles

• Recommendations

• Key Success Factors

• Process description

22

IT Policy Development Plan

• One year / Detailed

• List of “compelling needs”

• Current IT policy initiatives

• Possible new initiatives, prioritized by community

23

Discussion

How is policy developed on your campus?

Who is involved?

24

V. Developing specificIT policies

Key Success Factors:• Compelling need• Strategic alignment• Appropriate sponsorship• Campus buy-in• Appropriate review• Practical implementation

25

A. Compelling Need

• Never policy for policy’s sake• ‘Softer’ solutions are preferable:

education, principles, procedures, guidelines, voluntary compliance

26

Keeping “policy” in perspective

27

“Factors of compelling need”

• Outside mandates?

• Internal business needs?

• Who is affected?

• What are the risks?

• Act now or later?

• Cost effectiveness?

28

B. Strategic Alignment

• Consistent with long-term goals– Proactive whenever possible– Reactive only when necessary

29

C. Appropriate Sponsorship

• High-level support from the beginning– Reinforce/enable staff support– Identify and allocate resources– Encourage compliance

30

D. Campus buy-in

• Inclusive and transparent process– Stakeholder involvement– Both technical and functional staff

• Good communications– Forums– Wiki

31

E. Appropriate review

• Broad and thorough initial review– Review by advisory groups– Endorsement by campus governance

• On-going review and revision– Feedback from the community

32

F. Practical Implementation

• Goal: Ease compliance

• Consider from the start:– Understandable– Enforceable– Available resources– Reduce barriers

33

CIO Involvement is critical

• CIO can help assure:– compelling need– strategic alignment– appropriate sponsorship– campus buy-in– appropriate review– practical implementation

34

• What is “good enough”?– Impact on the institution– Urgency of need– Degree of pre-existing consensus

• Adjust complexity and scope at each step

CIO Involvement

35

Discussion

Policy development at your institution:

1. Examples that went well? Why?

2. Not well? Why?

36

7 steps of development for IT policies at UW-Madison

1. Initiation

2. Elaboration

3. Drafting

4. Endorsement

5. Implementation

6. Compliance

7. Revision

Adapted from IBM’s “Rational Unified Process”

37

Planning a policy initiative

• Retain all 7 steps

• Adjust each according to:– impact on the institution– urgency of need– pre-existing consensus

38

Exploring the issues

1. Initiation – by the CIO after consulting with advisors and governance.

2. Elaboration – by stakeholders who forward desired outcomes and implementation considerations to the CIO.

39

Negotiating policy language

3. Drafting - in consultation with the stakeholders, the CIO, the community, advisors and governance.

4. Endorsement - by governance for issuance by the appropriate executive.

40

Achieving compliance

5. Implementation –both central and distributed departments, guided by CIO

6. Compliance – a departmental responsibility, encouraged by CIO.

7. Revision – feedback from central and distributed departments

41

VII. Lessons Learned

• Learn by doing• Include the community• Focus on one active area• Iterative improvement• Document what works• Patience

42

Importance of Roles

• CIO is central to IT policy

• Stakeholders at all levels:– University governance– Executive leadership and advisors– Operational-level management– Technologists, support staff and users

43

Make it official

• Formalize– Involve the community – Forums, planning team

• Adopt– Position CIO in the coordinating role

44

Specific policy initiatives

• Initiation is most critical step

• Key success factors:– Compelling Need– Strategic Alignment– Appropriate Sponsorship

45

Enable compliance

• Unsupported or impractical policies:– compliance problems– discredit other policy efforts

• Key success factors:– Campus buy-in– Appropriate review– Practical Implementation

46

VI. Next steps atUW-Madison

• Several initiatives in progress

• For new initiatives:– high-level advisory groups– operational management groups

• IT Policy Forums– get input for specific initiatives

• Iterative improvement

47

VIII. Questions to Consider

• What is the policy culture at your institution?

• To what extent do you have:– IT governance in place?– support from executives?

• Who is responsible for:– sponsorship/issuing authority?– monitoring?– compliance?

Thank you!

Judy Caruso, Director of Policy and Planningjudy.caruso@cio.wisc.eduGary De Clute, IT Policy Consultantgdeclute@cio.wisc.edu

https://wiki.doit.wisc.edu/ look for:UW-Madison IT Policy (POLICY)

49

Appendix

Description of the UW-MadisonIT-related Policy Development Process

1. Initiation

2. Elaboration

3. Drafting

4. Endorsement

5. Implementation

6. Compliance

7. Revision

51

All seven steps are necessary

• Each step builds on previous steps

• Skipping or skimping generally requires going back and getting it right

• Adjust scope and complexity of each step by considering:

– impact on the institution– urgency of need– pre-existing consensus

52

Step 1. Initiation

• Identify and involve stakeholders

• Create/identify a “Stakeholders Team”(pre-existing teams are more

efficient)

• Careful framing of issues to explore

• Careful definition of deliverables -“desired outcomes and implementation considerations” (not policy language)

53

Step 2. Elaboration

• Explore the issues

• Avoid drafting policy language at this point– wordsmithing consumes a lot of time– language almost always gets changed later

• Optional “Policy Issues Team” to expand representation and bring in

specialized expertise

55

Step 3. Drafting

• Use a good template– Separate policy language (changes slowly)

from implementation (changes quickly)

• Get review and input by stakeholders, CIO, and high-level advisors

• Optional broader vetting– must be genuinely open to input (if not, may

create resistance rather than support)

57

Step 4. Endorsement

• Consult with high-level advisory groups• Formally submit to shared governance

– Usually endorsed by a committee– Sometimes referred to an “executive

committee”– Occasionally referred to the faculty senate

• Keep advisory groups and governance committee informed throughout

59

Step 5. Implementation

• Need to consider from the start:– Practical, makes it easy to comply– Doable with available resources

• Consistent, matches the policy

• Good communications/education

60

6. Compliance

• Need to consider from the start: – Who issues?– Who monitors?– Who enforces?

• Follow up with monitoring

• Continued communications/education

• Enforcement if necessary

62

7. Revision

• Feedback during communications, education, monitoring and enforcement

• Minor revisions are easy: drafting, consultation and endorsement are sufficient

• Major revisions are new policy: use all seven steps, but may be able to make some steps simple and quick