Model Approaches to IT Policy Development
EDUCAUSE Pre-Conference Seminar 05A, October 19, 2004
Amy Ginther, Coordinator of Policy Development and Education, University of Maryland
Merri Beth Lavagnino, Deputy IT Policy Officer, Indiana University
Jenny Mehmedovic, Coordinator of IT Policy & Planning, University of Kansas

Seminar Overview
- Check-In and Logistics
- I. Introduction
- II. The Policy Process
- III. IT Policy Examples
- IV. Conclusion

I. Introduction

What is a Policy?
This term can be used to describe:
- The strategic direction or operating philosophy of an organization
- Legislative and regulatory developments, also known as “public policy”
- Operational statements or directions, also known as “institutional policy”

Institutional Policies
- Statements that reflect the philosophies, attitudes, or values of an organization related to a specific issue
- A concise statement of what the policy is intended to accomplish, not how to accomplish it
- A one- or two-sentence description of general organizational intent
- General enough to provide flexibility

Policy Example
Indiana University will provide access to appropriate central and campus computing resources…to all members of the University community whose work requires it.
Excerpt from “General Policies: Access” section of Computer Users’ Privileges and Responsibilities, Fall 1999

What About the “How”?
The “how” is accomplished through:
- Procedures
- Guidelines
- Checklists
- Standards
Resist the temptation to put the “how” into the policy statement!!

Procedures
- Detailed statements (often supporting a policy) describing how to accomplish a task or reach a goal
- Actions are generally mandatory
- More explanatory text included

Procedure Example
Requests for access to central campus computing and networking resources should be directed to the regional Chief Information Officer or their delegate on the campus where the required service is located.
Excerpt from “Procedure Reference” section of Policy on Eligibility to Use Indiana University Information Technology Resources, March 26, 2002

Guidelines
- Information about how to accomplish a task or reach a goal
- Provided as suggestions – not mandatory, but a good idea
- May contain an element of “best practices”: alternate actions might work, but these have been found to work the best
- More explanatory text included
Guideline Example
Authentication is the process of ensuring that the person supplying an identity is the person to whom the supplied identity has been assigned. There are industry-standard methods for authenticating the identity of users. Generally, it is accepted that the forms of authentication come in three types -- something the user knows (e.g., a password), something the user carries (e.g., an ID card), or something about the user (e.g., a fingerprint). A combination of at least two of these is necessary to adequately ensure appropriate access to the most sensitive/confidential information, while a simple password may be adequate for less sensitive (e.g., non-restricted) materials.
Six (6) standard levels of authentication for access to services are currently recognized, and selection of the appropriate method will be commensurate with the type of access and the sensitivity of the data involved. The Data Steward for the data area involved will, with input from others, make the decision about the level and type of authentication that will be deployed:
1) Network Address/Physical Location. May be used where it is only important to restrict access to data or a particular service to persons using a specific or any Indiana University networked device. "Proxy"-type services may be deployed where it is necessary to provide this access to IU users who are not physically attached to an IU network segment. However, some additional form of authentication is necessary to ensure that the person accessing this proxy mechanism is indeed a member of the IU community and as such authorized to access the network address-protected services.
Excerpt from “Appropriate Access” section of Guidelines for Handling Electronic Institutional and Personal Information, Indiana University, October 26, 2000
Checklists
- One or more statements dictating how to accomplish a task
- Considered as commands
- Apply to an immediate circumstance and are mandatory in that situation
- Simple language, no explanatory text
- Sequence is important

Checklist Example
1) Immediately inform senior administrators present in the office of any request by a law enforcement agency.
2) All efforts will be made by the staff to ensure that, to the extent possible, communications with the law enforcement officer are made in a conference room or other area removed from any students or visitors who may be present.
3) If the request of the law enforcement agency is not submitted in writing, staff should make a written record of all information requested.
4) Senior administrators will notify University Counsel ((812) or (317) on the IUPUI campus) of the law enforcement agency’s visit and request. The University Counsel will advise the administrator(s) regarding the appropriate response to the request.
Excerpt from “Protocol for Police or FBI Requests for Information,” Indiana University

Standards
- Statements dictating the state of affairs or action in a particular circumstance
- A rule established by a recognized authority, with no deviation allowed
Standards Example
A DES key consists of 64 binary digits ("0"s or "1"s) of which 56 bits are randomly generated and used directly by the algorithm. The other 8 bits, which are not used by the algorithm, may be used for error detection. The 8 error detecting bits are set to make the parity of each 8-bit byte of the key odd, i.e., there is an odd number of "1"s in each 8-bit byte. A TDEA key consists of three DES keys, which is also referred to as a key bundle.
Authorized users of encrypted computer data must have the key that was used to encipher the data in order to decrypt it. The encryption algorithms specified in this standard are commonly known among those using the standard. The cryptographic security of the data depends on the security provided for the key used to encipher and decipher the data.
Excerpt from “Explanation” section of Data Encryption Standard (DES), National Institute of Standards and Technology, 1999 October 25
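The parity rule in the excerpt above is precise enough to be checked mechanically, which is exactly what distinguishes a standard from a guideline. The following Python is an added example written for this page; it is not code from the seminar or from the NIST standard. It assumes the DES convention that the parity bit is the least significant bit of each key byte, sets that bit so every byte has an odd number of "1"s, reports which bytes of a key violate the rule, builds a three-key TDEA bundle, and counts the 56 bits per key the algorithm actually uses. The function names are my own. (DES was withdrawn as a federal standard in 2005; the parity convention is shown only because the excerpt describes it.)

```python
import os
from typing import List

# Added example, not from the slides or from FIPS 46-3. In DES the low
# (least significant) bit of each of the 8 key bytes is the parity bit and
# the standard requires every byte to contain an odd number of "1" bits.

DES_KEY_BYTES = 8
TDEA_KEY_BYTES = 3 * DES_KEY_BYTES


def set_odd_parity(key: bytes) -> bytes:
    """Return a copy of key with each byte's low bit set so the byte has odd parity.

    The 7 high (data) bits of every byte are left untouched; only the
    parity bit changes, so the 56 bits used by the algorithm are preserved.
    """
    fixed = bytearray()
    for b in key:
        ones_in_data_bits = bin(b & 0xFE).count("1")
        parity_bit = 0 if ones_in_data_bits % 2 == 1 else 1
        fixed.append((b & 0xFE) | parity_bit)
    return bytes(fixed)


def parity_errors(key: bytes) -> List[int]:
    """Indices of key bytes whose parity is even, i.e. bytes that violate the standard."""
    return [i for i, b in enumerate(key) if bin(b).count("1") % 2 == 0]


def has_odd_parity(key: bytes) -> bool:
    """True when every byte of the key (or bundle) carries odd parity."""
    return not parity_errors(key)


def generate_des_key() -> bytes:
    """Draw 64 random bits, then overwrite the 8 parity bits as the standard requires."""
    return set_odd_parity(os.urandom(DES_KEY_BYTES))


def generate_tdea_bundle() -> bytes:
    """A TDEA key bundle is three DES keys concatenated (24 bytes)."""
    return b"".join(generate_des_key() for _ in range(3))


def effective_key_bits(key: bytes) -> int:
    """Bits actually used by the algorithm: 7 of every 8 (56 per DES key, 168 per bundle)."""
    if len(key) not in (DES_KEY_BYTES, TDEA_KEY_BYTES):
        raise ValueError("expected an 8-byte DES key or a 24-byte TDEA bundle")
    return 7 * len(key)


if __name__ == "__main__":
    # Constructed sample: an all-zero key has even (zero) parity in every
    # byte, so all 8 bytes fail the check until the parity bits are set.
    bad = bytes(DES_KEY_BYTES)
    print("parity errors in all-zero key:", parity_errors(bad))
    good = set_odd_parity(bad)
    print("after fix-up:", good.hex(), "odd parity:", has_odd_parity(good))
    bundle = generate_tdea_bundle()
    print("TDEA bundle bytes:", len(bundle), "effective bits:", effective_key_bits(bundle))
```

Because the parity bit is recomputed from the other seven bits of its byte, a single flipped bit anywhere in a byte is detectable, which is the "error detection" use the excerpt mentions; two flipped bits in the same byte would cancel out, so this is an integrity hint for key handling, not a substitute for protecting the key itself.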
In Practice…
- Procedures, guidelines, checklists, and standards must all implement, reflect, and support the applicable policy or policies
- The entire set of statements is sometimes considered to be the “Policy.” They are often located together, even as sections in the same document.

Why are Policies Created?
As a result of internal influences:
- Correction of misbehavior (reactive)
- Organizational change (reactive)
- Assessment of significant liabilities or problems (proactive)
As a result of external influences:
- Legislative
- Regulatory
- Public policy

Who are Policies Created For?
We can refer to this as the “scope”:
- Institution
- Campus
- Department/School/Unit
Or… users of a service
Or… a subset of the population by status

Who Creates Policies?
- Likely differs by the scope of the policy as outlined in the previous slide
- Likely also differs by the size of the scope:
  Large scope = dedicated policy office
  Medium scope = dedicated policy person
  Small scope = committee

Organizing for the Policy Process
- Your institution may have organized it for you (generally only for institution-wide policies): look for a “Policy on Policies”
- At minimum:
  Establish authority
  Create a common and consistent format
  Set up an online home for all your policies

II. The Policy Process

Policy Development Process with Best Practices (ACUPA)

ACUPA’s Policy Stages
Pre-development:
- Identify issues
- Conduct analysis
Development:
- Draft language
- Get approvals
- Determine distribution/education
Maintenance:
- Solicit evaluation & review
- Plan measurement & compliance

Policy Life Cycle
1) Setting the stage for policy development
2) Writing the policy
3) Approving the policy
4) Distributing the policy
5) Educating the community about the policy
6) Enforcing the policy
7) Reviewing the policy at regular intervals
Traits of Sound Policy Processes (by life-cycle stage)
Setting the Stage: consistency with University values and mission; identification and involvement of stakeholders; informed participants; assess cost-benefit
Writing: preventing reinvention of the wheel; discussion and consensus building; use a common format; agree on common definitions & terms
Approving: wide review and input; allow for user feedback; approval from senior administrative levels
Distributing: accessible from one online location; allow for text and other searches; send to official distribution lists; include contacts to answer questions
Educating: new and existing users; hold a policy day; have traveling road shows; signed user agreements; require policies to be read before services are granted
Enforcing: create a policy enforcement office; assess liability/feasibility; respond to complaints
Reviewing: identify an owner for each policy; develop a plan for active maintenance; archive, date, and notify constituencies of major changes
1) Setting the Stage: Understanding the Environment
What makes IT policy development in our institutions different?

1) Setting the Stage: Higher Education Values
- The higher education environment tends to be more open than corporate or government environments
- Reality of student residential environments
- Academic values
- Policy measures must protect and not impede the expression of these values
- Balance the need for policies with important aspects of the higher education environment

1) Setting the Stage: Core Academic Values
- Community: shared decision making; outreach to connected communities (access to affiliates or other patrons)
- Autonomy: academic and intellectual freedom; distributed computing
- Privacy: “the right to open inquiry without having the subject of one’s interest examined or scrutinized by others” (American Library Association, 2002)
- Fairness: due process
From Oblinger, Computer and Network Security in Higher Education, Mark Luker and Rodney Petersen, editors.

1) Setting the Stage: Influences on IT Policy
EDUCAUSE/Internet2 six principles to guide policy development:
- Civility and Community
- Academic and Intellectual Freedom
- Privacy and Confidentiality
- Equity, Diversity and Access
- Fairness and Process
- Ethics, Integrity and Responsibility

1) Setting the Stage: Get Authorization and Support
- Are you here because you have been assigned to do IT policies by some authority?
- Or, are you still trying to figure out how to establish authority for creation and maintenance of IT policies?

1) Setting the Stage: Identify Policy Issues
- What are the IT issues affecting your organization that appear to need to be addressed through policy?
- Ensure there aren’t already policies at your institution covering these issues

1) Setting the Stage: Identify Stakeholders

1) Setting the Stage: Assemble a Team
- Usually it is a different team for each policy, because it depends on the issue being addressed in the policy
- Remember some important stakeholders may be better reviewers than writers

1) Setting the Stage: Ensure Participants are Informed
- Begin discussions with an understanding of underlying legal foundations and related policies

1) Setting the Stage: Consistency with University Values
How to achieve?
- Develop understanding of core values and mission by meeting with upper administrators
- Outline various scenarios that might arise and then discuss what values are around those scenarios

1) Setting the Stage: Assessing Cost-Benefit
- Analyze need for policy in light of benefits, costs, liabilities
- Must not cost more (in any terms) than the problem or situation addressed

1) Setting the Stage: Wait a Minute!
Is there a place for IT policies?

1) Setting the Stage: Discussion

2) Writing the Policy: Don’t Reinvent the Wheel!
- Is anyone else out there?
- Using others’ work to fit your environment
- Ask and ye shall receive! Just give credit
- Asking questions of colleagues at other institutions

2) Writing the Policy: Don’t Reinvent the Wheel!
- Are you writing a University-wide or departmental policy?
- Highlight gaps in non-IT policy language
- Insert IT needs into existing University policy
- Add a paragraph, rather than write an entirely new policy

2) Writing the Policy: Consensus Building
- Start discussions with a blank page to avoid getting caught up in semantics
- Build consensus on issues, not words
- THEN, draft policy language

2) Writing the Policy: Define Terms
- Agree on common definitions and terms related to the policy topic
- Document these for a section of the policy

2) Writing the Policy: Use a Common Format
- Check for a common format used for other policies at your institution
- Check EDUCAUSE Policy Library for samples of other formats
- Establish a format to be used for all your IT policies

2) Writing the Policy: Example: KU IT Policy Template
The University of Kansas Information Services Policy and Procedures Template
- Policy Name:
- Policy Purpose:
- Scope:
- Responsible Office:
- Approval: Provost and Executive Vice Chancellor
- Approved: date
- Effective:
- Review Cycle:
- General Policy Provisions
- Responsibilities of Information Services
- Responsibilities of University Departments
- Consequences/Sanctions

2) Writing the Policy: Example: IU IT Policy Template
- Subject
- Source (what office produced it)
- Policy Number
- Date Issued
- Rationale
- Policy
- Applicability
- Definitions
- Procedure Reference
- Responsible Organization
2) Writing the Policy: Writing Style
- Use simple, exact text
- Remember everyone needs to be able to understand what it says
- Not florid and fancy
- Does “should” mean they have to?
- If technical terms must be used, define them
- Check to see if your campus has a Style Manual

2) Writing the Policy: Discussion

3) Approving the Policy: Initial Feedback
- Solicit comment on drafts throughout the writing process from:
  the approving officers
  senior administrative levels
  the identified stakeholders
- Solicit and allow for user feedback
- Consider a “Request for Comment” period

3) Approving the Policy: Final Approval
- Secure approvals for the final version from all stakeholders and approving bodies

3) Approving the Policy: Discussion

4) Distributing the Policy: Make the Policy Available
- Create a policy website
  Ease of access
  Web-based directories
  Allow for searches
- Codify policies in an easy-to-understand format
- Ensure any central policy web site at your institution has a link to your IT policy site
- Include contact information for asking questions

4) Distributing the Policy: Plan the Publicity Strategy
- Establish a regular communication channel for announcing new and revised policies
- Distribution lists
- Institutional publications: faculty, staff, students
- IT publications, online user support documents
- Direct mailings

4) Distributing the Policy: Discussion

5) Educating the Community: New Users
- Try to get on orientation agendas for new faculty, staff, and students: speaker, handouts, video
- Signed user agreements
- Use your IT influence! “I agree” statements to click through when obtaining accounts, registering on the network, etc.
- Direct mailing

5) Educating the Community: Existing Users
- Educational postcards, posters, etc.
- Have a traveling road show! The policy person attends departmental and faculty meetings to talk about policies
- Hold policy brown bags
- Sponsor a “Policies Day”

5) Educating the Community: Discussion

6) Enforcing the Policy: Liability Issues
- Are there liability concerns in creating unenforceable policies? Standard of care/negligence
- Do you have adequate staff to support enforcement?
- Is information distributed to educate users on the consequences of non-compliance?

6) Enforcing the Policy: Be Prepared for Complaints
- The typical way to enforce is to respond to complaints
- Create a policy enforcement office, if possible, or at least identify one person who will coordinate
- Establish relationships with disciplinary authorities (Dean of Students for students; Human Resources for staff; Dean of Faculties for faculty)
- Establish relationships with Legal Counsel, auditing, University police, local prosecutors
- Publicize procedures for reporting, especially within IT support units

6) Enforcing the Policy: Responding to Complaints
- Focus on gathering evidence: if there is no evidence, there is nothing to pursue
- If technology is not the root problem, pass it off…
- Determine which types of infractions:
  can receive a warning from your office
  are sent to a disciplinary official
  require law enforcement involvement
- Ensure records are kept confidential

6) Enforcing the Policy: Discussion

7) Reviewing the Policy: Plan for Active Maintenance
- Assign an owner for each policy, or assign one person to maintain them all
- Develop a timeline for regular review
- Encourage feedback; don’t forget IT support personnel
- Archive changes, date new releases
- Measure outcomes by monitoring or testing

7) Reviewing the Policy: Discussion
III. IT Policy Examples

Policy Feud!!

Policy Library Demo
- EDUCAUSE Policy Library Demo
- University of Kansas
- University of Minnesota

Questions? (Time for a little writing?)

IV. Conclusion

(net)Working It!
- Identify your peers at other institutions
- Attend EDUCAUSE/Cornell Institute for Computer, Policy and Law
- Join ACUPA, ICPL listservs
- Ask many questions! Benefit from others’ expertise!

Presenter Contact Information
Amy Ginther: aginther at umd.edu, (301)
Merri Beth Lavagnino: mbl at iu.edu, (317)
Jenny Mehmedovic: jmehmedo at ku.edu, (785)
© Copyright 2004 Amy Ginther, Merri Beth Lavagnino, Jenny Mehmedovic. Permission to make and distribute verbatim copies is granted for non-profit, educational purposes provided this copyright and permission notice is preserved on all copies.
Policy Writing Workshop
EDUCAUSE Pre-Conference Seminar 05P, October 19, 2004
Amy Ginther, Coordinator of Policy Development and Education, University of Maryland
Merri Beth Lavagnino, Deputy IT Policy Officer, Indiana University
Jenny Mehmedovic, Coordinator of IT Policy & Planning, University of Kansas

Workshop Overview
- Check-In and Logistics
- I. Introduction
- II. Review of Sample IT Policies
- III. Review of Policy Tools
- IV. Policy Writing Exercise
- V. Conclusion

I. Introduction

Goals for Today
- Lead all through one example of planning for and drafting a policy (we’ll make up a lot of assumptions in order to do this!)
- Participants will plan for and draft at least one local policy
  You may do as many as you have time for
  You will have feedback from others on at least one of them

II. Review of Sample IT Policies

Most Common IT Policies
- Review
- Identify what issue each of us will start work on today

III. Review of Policy Tools

Tools of the Trade
- Policy Process Planning Template
- Policy Writing Template
- Your institution’s Style Guide, or your choice of commercial style guide (such as Chicago Manual of Style, APA, Strunk’s, etc.)
- Samples of the type of policy you are writing, from other institutions

Leading Questions
- Is this a University-wide or a departmental policy?
- Who needs to approve the policy?
- Who are the stakeholders?
- What are some scenarios needing a resolution that could use this policy?
- What are the values of the institution in relation to these scenarios? (institutional culture)
- What are the risks of not having a policy about this?
- Is it an IT policy or somebody else’s policy that’s just related to IT?
- Is there a difference between student, faculty, staff for this policy?

Hints
- More leading questions in your packet
- Be imaginative at this stage – you won’t know all the answers but you can make something up which can be tweaked later. The key is to START!
- Don’t get caught up on one section or issue. If you find you’ve spent more than ten minutes on something without a result, mark it for feedback and move on.

IV. Policy Writing Exercise

Policy Writing Exercise Demo

Policy Writing

Feedback Time!

V. Conclusion

Presenter Contact Information
Amy Ginther: aginther at umd.edu, (301)
Merri Beth Lavagnino: mbl at iu.edu, (317)
Jenny Mehmedovic: jmehmedo at ku.edu, (785)
© Copyright 2004 Amy Ginther, Merri Beth Lavagnino, Jenny Mehmedovic. Permission to make and distribute verbatim copies is granted for non-profit, educational purposes provided this copyright and permission notice is preserved on all copies.