Updating IT policies – A pain point?
By Rebecca Gould, Kansas State University
About a year ago, the Division of Information Technology at K-State embarked on a comprehensive review of IT policies. In conjunction with the Office of General Counsel, and collaborating with leaders from across campus, the Division updated the policy review process that had been implemented in the late 1990s. In this synopsis of the review process, examples of policies and updates are shared along with lessons learned.
A comprehensive IT policy review
Some form of the policy framework illustrated in Figure 1 is ubiquitous in the literature. The policy is the mainstay, while the standards (NIST, ISO, etc.) are more dynamic. The procedures allow for operationalizing the policy.
Figure 1. Working to Operationalize Policy
Policy review is an iterative process requiring mountains of input and thoughtful dialogue to arrive at the most comprehensive, succinct, yet translatable policy. The process outlined in Figure 2 begins with researching policies from peer institutions and discussions with subject matter experts (SMEs) to determine similarities and differences among policies. Subject matter experts might also propose new policies for consideration. At every step, the following questions are asked:
- Do we need a policy for that?
- Do we have a policy for that?
- Why does this policy exist?
An IT Policy Review Team, composed of three noncentral IT members, then reviews the policy, the research, and the questions posed by SMEs, suggests edits, and lists the consultant groups that need to weigh in. While consultation solicits input, it does not solicit approval. Every policy has a different set of consultant groups who review it, and some policies will require more consultation than others. Typically, a R.A.C.I. chart (responsible, accountable, consulted, informed) is developed to ensure all consultant groups have been approached.
A good example is the proposed revision of the institutional data and security policy: Institutional Research provides input on access to data, the Registrar's office ensures that FERPA guidelines and other standards are followed, IT Security is concerned with protecting and classifying data, and so on.
Edits are again made, questions are posed, and the IT Policy Review Team reviews again. The policy is then reviewed by university counsel. From there the policy goes back to the IT Policy Review Team, who propose the policy for final approval. Once approved, the CIO shares the revised version with campus and announces in the university newsletter any changes that go beyond administrative ones (grammar, spelling, verifying URLs, etc.).
Figure 2. IT Policy Review Process
Using the process described above, the electronic mail policy has been under review for more than a year. When we compared the policy with those of other universities, we found that the last revision of ours occurred in 2010, while the age of the same policy at peer institutions ranged from 1998 to 2010. A lot has changed in the email landscape in 11 years; thus, the email policy was due for an overhaul. Consultant groups included the Faculty Senate Committee on Technology, the Vice Provost for Student Success, the Vice President of Enrollment Management, the Registrar, University Records Management, and IT Security. The IT email team was consulted to ensure that the proposed revisions could be operationalized.
What changed in the Policy?
Prior to the review, there were two policies on email: one dealt with email as an official communication channel, and the other with the logistics associated with email. These are now combined into one policy. Additional proposed changes were to:
- Add a statement regarding FERPA, Gramm-Leach-Bliley, and the Digital Millennium Copyright Act
- Include a statement about acceptable practices for email signatures
- Discontinue allowing employees, including student employees, to forward email
- Move procedures to knowledge base articles, and
- Propose guidelines for removing access based on roles at K-State (e.g., a student will have access to email for three semesters after they are no longer enrolled).
The next step is to write the communications and talking points for the release of the policy update and then to make the policy public.
One year later in our policy journey, of the 21 existing policies, we will have retired seven, updated three, and have five under review by various consultant groups. When we asked why policies such as the video conference or technology classroom policies existed, we found there was no longer a need for them. Other retired policies were procedural, and all that was needed was to update a website or create a knowledge base article.
Lessons learned articulated by the IT Policy Review Team include providing a brief summary along with proposed changes to the consultant groups prior to convening a meeting of the group. Additional suggestions were to:
- Less is more. Move procedures out of policy. The length of many policies can be reduced substantially by moving procedures to a knowledge base. It is simpler to update a procedure than to update a policy.
- Seek input, yet limit the time for receiving feedback. Conversations and edits will go on forever if limits are not implemented.
- Be proactive and give the consultant groups time to read the policies and changes, but be prepared to spoon-feed.
- Understand that no matter how carefully you try to include all the proper groups for input, some groups or someone will be missed. The process gets better with each review.
- For some of the more extensive policies, a review by an outside consultant group might be warranted.
- Policy review is a heavy lift but worth it. Keep perspective on why you are going through this process and how many members of your institution will be positively impacted by these efforts.
The review process, once completed, should be repeated regularly, which will reduce the time and effort required. Policy review should not be a pain point or a thankless job. Everyone is supportive of the process and reaps the benefits of well-conceived policies.
A presentation to Kansas IT professionals
The author co-presented on this topic with Dr. Betsy Draper at CHECK 2021.
About the Author
Rebecca A. Gould was a Director in Information Technology and faculty member in Hospitality Management at Kansas State University. She retired from K-State in early July 2021.
Dr. Gould can be reached at ragou@ksu.edu.