The Development of an Institutional IT Policy Process March 18th, 2008
Judith Borreson Caruso, Director, Policy and Planning
Gary De Clute, IT Policy Consultant
Copyright (C) 2008 University of Wisconsin Board of Regents
Permission is granted for this material to be shared for non-commercial, educational purposes.
“For a policy to be effective in guiding community behaviors, it must reflect the full range of the community's values, must be understood and embraced by community members, and must reinforce the most important values and the mission of the institution as a whole...”
“... An effective policy requires campus-wide discussion and the involvement of each of the major constituencies of the community.”
Virginia E. Rezmierski & Aline Soules, EDUCAUSE Review (March/April 2000)
Agenda
I. Why do IT policy?
II. What is IT policy?
III. Creating an IT policy development process
IV. Involving the campus community
V. Developing specific policies
VI. Next steps
VII. Lessons learned
VIII. Questions to consider
Appendix: Description of the UW-Madison IT-related Policy Development Process
I. Why do IT policy?
• Compliance with outside mandates
• Compelling internal business needs
II. What is IT policy?
• Policy with a significant IT component
• Only a few IT policies are purely IT
IT-related Policy Areas at UW-Madison
Informal definitions at UW-Madison
Policy states what people must or must not do.
Are mandatory. Change slowly. Short. Simple. Exceptions are few.
Guidelines are recommendations.
Are optional. More changeable. More complex. Exceptions are many. Can supplement policy.
Procedures document “how to.”
Are implementation details of policy or guidelines. Changeable.
Standards offer criteria for consistency.
Are measurable, have checkpoints. Are validated through a review process.
III. Creating an IT policy development process
Five years of exploring strange new worlds
• No campus policy office
• Commitment to inclusive governance
• Commitment to iterative improvement
• Documenting what we’ve learned
Why have a process?
• Consistency and predictability – mitigates the fear factor
• Engages the community
• Needs and concerns are addressed
• “What’s the next step?”
UW-Madison culture
• Highly decentralized
• Values inclusion of many constituencies
• Minimalist policy tradition
• Skepticism of “central IT” (2/3 of IT staff are not in central IT)
• Governance challenges
Initial focus on Authentication and Authorization (AuthN/Z)
• Many policy issues
• Already had inclusive campus team to coordinate project activity
• CIO asked team to coordinate AuthN/Z policy
How we created the IT policy development process
• Addressed one cluster of related policy issues at a time, examples:
– Campus NetID for student applicants
– Appropriate use of campus NetID
– Governance of role-based AuthN/Z
• Usually created a sub-team with additional campus representatives
Result: Draft IT policy development process
Demonstrated to work, but:
• Unknown to the larger community
• Unrepeatable in practice
• Not comprehensive across policy areas
IV. Involving the Campus Community
• Started quarterly IT Policy forums
• Chartered an IT Policy Planning team
– Volunteers from campus!
IT Policy Forums
Purpose:
1. converse with faculty and staff
2. ensure widespread engagement on specific policies
Forum Design
• Emphasis: get information
• Short presentations: by campus community
• Small group discussions
• Started with 1 hour, participants wanted 1 ½ hours!
IT Policy Planning Team
Goal - Draft a “Plan for IT Policy”:
• short- and long-term strategies
• process and policy priorities
• roles and responsibilities
• institutional governance
Volunteers!
IT Policy Process Recommendations
• Long-term / Strategic
• Definitions
• Roles
• Recommendations
• Key Success Factors
• Process description
IT Policy Development Plan
• One year / Detailed
• List of “compelling needs”
• Current IT policy initiatives
• Possible new initiatives, prioritized by community
Discussion
How is policy developed on your campus?
Who is involved?
V. Developing specific IT policies
Key Success Factors:
• Compelling need
• Strategic alignment
• Appropriate sponsorship
• Campus buy-in
• Appropriate review
• Practical implementation
A. Compelling Need
• Never policy for policy’s sake
• ‘Softer’ solutions are preferable: education, principles, procedures, guidelines, voluntary compliance
Keeping “policy” in perspective
“Factors of compelling need”
• Outside mandates?
• Internal business needs?
• Who is affected?
• What are the risks?
• Act now or later?
• Cost effectiveness?
B. Strategic Alignment
• Consistent with long-term goals
– Proactive whenever possible
– Reactive only when necessary
C. Appropriate Sponsorship
• High-level support from the beginning
– Reinforce/enable staff support
– Identify and allocate resources
– Encourage compliance
D. Campus buy-in
• Inclusive and transparent process
– Stakeholder involvement
– Both technical and functional staff
• Good communications
– Forums
– Wiki
E. Appropriate review
• Broad and thorough initial review
– Review by advisory groups
– Endorsement by campus governance
• On-going review and revision
– Feedback from the community
F. Practical Implementation
• Goal: Ease compliance
• Consider from the start:
– Understandable
– Enforceable
– Available resources
– Reduce barriers
CIO Involvement is critical
• CIO can help assure:
– compelling need
– strategic alignment
– appropriate sponsorship
– campus buy-in
– appropriate review
– practical implementation
CIO Involvement
• What is “good enough”?
– Impact on the institution
– Urgency of need
– Degree of pre-existing consensus
• Adjust complexity and scope at each step
Discussion
Policy development at your institution:
1. Examples that went well? Why?
2. Not well? Why?
7 steps of development for IT policies at UW-Madison
1. Initiation
2. Elaboration
3. Drafting
4. Endorsement
5. Implementation
6. Compliance
7. Revision
Adapted from IBM’s “Rational Unified Process”
Planning a policy initiative
• Retain all 7 steps
• Adjust each according to:
– impact on the institution
– urgency of need
– pre-existing consensus
Exploring the issues
1. Initiation – by the CIO after consulting with advisors and governance.
2. Elaboration – by stakeholders who forward desired outcomes and implementation considerations to the CIO.
Negotiating policy language
3. Drafting - in consultation with the stakeholders, the CIO, the community, advisors and governance.
4. Endorsement - by governance for issuance by the appropriate executive.
Achieving compliance
5. Implementation – both central and distributed departments, guided by CIO
6. Compliance – a departmental responsibility, encouraged by CIO.
7. Revision – feedback from central and distributed departments
VII. Lessons Learned
• Learn by doing
• Include the community
• Focus on one active area
• Iterative improvement
• Document what works
• Patience
Importance of Roles
• CIO is central to IT policy
• Stakeholders at all levels:
– University governance
– Executive leadership and advisors
– Operational-level management
– Technologists, support staff and users
Make it official
• Formalize
– Involve the community – Forums, planning team
• Adopt
– Position CIO in the coordinating role
Specific policy initiatives
• Initiation is most critical step
• Key success factors:
– Compelling Need
– Strategic Alignment
– Appropriate Sponsorship
Enable compliance
• Unsupported or impractical policies:
– compliance problems
– discredit other policy efforts
• Key success factors:
– Campus buy-in
– Appropriate review
– Practical Implementation
VI. Next steps at UW-Madison
• Several initiatives in progress
• For new initiatives:
– high-level advisory groups
– operational management groups
• IT Policy Forums
– get input for specific initiatives
• Iterative improvement
VIII. Questions to Consider
• What is the policy culture at your institution?
• To what extent do you have:
– IT governance in place?
– support from executives?
• Who is responsible for:
– sponsorship/issuing authority?
– monitoring?
– compliance?
Thank you!
Judy Caruso, Director of Policy and Planning
Gary De Clute, IT Policy Consultant
https://wiki.doit.wisc.edu/ look for: UW-Madison IT Policy (POLICY)
Appendix
Description of the UW-Madison IT-related Policy Development Process
1. Initiation
2. Elaboration
3. Drafting
4. Endorsement
5. Implementation
6. Compliance
7. Revision
All seven steps are necessary
• Each step builds on previous steps
• Skipping or skimping generally requires going back and getting it right
• Adjust scope and complexity of each step by considering:
– impact on the institution
– urgency of need
– pre-existing consensus
Step 1. Initiation
• Identify and involve stakeholders
• Create/identify a “Stakeholders Team” (pre-existing teams are more efficient)
• Careful framing of issues to explore
• Careful definition of deliverables - “desired outcomes and implementation considerations” (not policy language)
Step 2. Elaboration
• Explore the issues
• Avoid drafting policy language at this point
– wordsmithing consumes a lot of time
– language almost always gets changed later
• Optional “Policy Issues Team” to expand representation and bring in specialized expertise
Step 3. Drafting
• Use a good template
– Separate policy language (changes slowly) from implementation (changes quickly)
• Get review and input by stakeholders, CIO, and high-level advisors
• Optional broader vetting
– must be genuinely open to input (if not, may create resistance rather than support)
Step 4. Endorsement
• Consult with high-level advisory groups
• Formally submit to shared governance
– Usually endorsed by a committee
– Sometimes referred to an “executive committee”
– Occasionally referred to the faculty senate
• Keep advisory groups and governance committee informed throughout
Step 5. Implementation
• Need to consider from the start:
– Practical, makes it easy to comply
– Doable with available resources
• Consistent, matches the policy
• Good communications/education
Step 6. Compliance
• Need to consider from the start:
– Who issues?
– Who monitors?
– Who enforces?
• Follow up with monitoring
• Continued communications/education
• Enforcement if necessary
Step 7. Revision
• Feedback during communications, education, monitoring and enforcement
• Minor revisions are easy: drafting, consultation and endorsement are sufficient
• Major revisions are new policy: use all seven steps, but may be able to make some steps simple and quick