Enterprise IT Policy Development & Approval Process
IT Policy Process
Assumptions
- Enterprise information technology (IT) policies are policies created by the University IT community, under the oversight of the University Chief Information Officer (CIO), and are incorporated by reference into the University of Iowa Operations Manual (Section 19.4.i). Enterprise IT policies have University-wide application and carry institutional force and effect.
- Campus IT standards are sets of criteria (some of which may be mandatory), voluntary guidelines, and best practices. Standards may be attached to policy for clarification or to aid with implementation or enforcement, or they may serve as standalone recommendations.
- A high priority for policy development is the need to document unwritten de facto policies and to address common concerns.
- Individual units within the University may define policies/conditions of use for IT resources under their control. These policy statements must be consistent in principle with enterprise IT policies, but may provide additional detail, guidelines or restrictions.
- New policies or substantial changes to existing policies can come from any individual or unit in the campus IT community, but must follow the process outlined below before becoming official University policy.
- Non-substantive revisions affecting form, including editorial improvements, may be made at the discretion of the CIO Office.
Role of the Author
- Draft policy proposal.
- Present to Campus IT Leaders (CITL). This formal presentation should address:
  - Why is it needed? (Rationale for the new/changed policy)
  - What does it involve? (Effect, influence, or change)
  - Who is affected? (Stakeholders and how it affects them)
- Distribute and/or present the policy proposal to other groups specified by the CITL for review and feedback.
- Incorporate all (accepted) changes to the policy proposal, based on feedback, consultation, comments, suggestions, etc. forwarded from the CITL Policy Subcommittee.
Role of the Campus IT Leaders (CITL)
- Inform the author, CIO, and/or CITL Policy Subcommittee if any advisory committees and councils (e.g., ITAC, ATAC, or STAC) should also review or make recommendations on the proposed policy.
- Distribute notice of the proposed policy as appropriate to their constituents and to other stakeholders (e.g., departmental Network Security Contacts).
- Provide a response, acknowledgement, and/or feedback to the CITL Policy Subcommittee on recommended changes and next steps.
Role of the CITL Policy Subcommittee
- Receive and distill comments from the CITL and other groups as appropriate.
- Work with the author to refine the policy and ensure that the language is consistent with other University policy.
- Make a final recommendation to the CIO (within 90 days) that the policy be approved or rejected.
Role of the Chief Information Officer (CIO)
- Make final decision regarding approval or rejection of the policy proposal, based on feedback from advisory groups and the recommendation of the CITL Policy Subcommittee.
- Share with President, Provost, Vice Presidents, General Counsel, Deans, DEOs, and other groups as appropriate.
- Publish the policy for the University community.
Notice and Enforcement
- Enterprise IT policies are published by the CIO and available at http://cio.uiowa.edu/policy.
- Comments from the University community will be directed to the CIO and the CITL Policy Subcommittee.
- Implementation and policy compliance issues will be handled by colleges and administrative units, or through a campus-wide effort, as appropriate.
- Concerns about policy violations will usually be addressed informally. Where sanctions are appropriate, they may include a formal reprimand, loss of user privileges for a definite or indefinite period, termination of employment, or, in the case of a student, probation, suspension, or expulsion from the University.
