University and IT Policies: Match or Mis-match? Marilu Goodyear, Vice Provost for Information...

University and IT Policies: Match or Mis-match?

Marilu Goodyear, Vice Provost for Information Services and CIOJenny Mehmedovic, Coordinator of IT Policy & Planning

University of Kansas

Educause Southwest February 2005

2

Copyright Marilu Goodyear, Jenny Mehmedovic [2005]. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Educause Southwest February 2005

3

Why are policies created?

To reflect the philosophies, attitudes, or values of an organization related to a specific issue/problem

Educause Southwest February 2005

4

Elements of Policy-making in a Higher Ed Environment

Problem to be addressed: Misbehavior - reactive Organizational change - reactive Significant liability assessed- proactive

Institutional influences on policy development: Values related to that problem held by the institution/university Stakeholders (all those in some way responsible for or affected by

the policy)

External influences: Legislative Regulatory Public policy

5

Institutional Influences:Core Academic Values

Community: shared decision making; outreach to connected communities (access to affiliates or other patrons)Autonomy: academic and intellectual freedom; distributed computingPrivacy: “the right to open inquiry without having the subject of one’s interest examined or scrutinized by others” (American Library Association, 2002)Fairness: due process

From Oblinger, Computer and Network Security in Higher Education, 2003. Mark Luker and Rodney Petersen, editors. http://www.educause.edu/asp/doclib/abstract.asp?ID=PUB7008

Educause Southwest February 2005

6

Influences:EDUCAUSE/Internet2 Principles

Civility and Community Academic and Intellectual Freedom Privacy and Confidentiality Equity, Diversity and Access Fairness and Process Ethics, Integrity and Responsibility

EDUCAUSE and Internet2 Computer and Network Security Task Force, “Principles to Guide Efforts to Improve Computer and Network Security for Higher Education,” August 2002; available at http://www.educause.edu/ir/library/pdf/sec0310.pdf

Educause Southwest February 2005

7

Policy Life Cycle

1. Setting the stage for policy development2. Writing the policy3. Approving the policy4. Distributing the policy5. Educating the community about the

policy6. Enforcing the policy7. Reviewing the policy at regular intervals

Educause Southwest February 2005

8

Policy Development Processwith Best Practices (ACUPA)

Educause Southwest February 2005

9

University Policy or IT Policy?

How do you know? Who is audience (“scope”)?

Institution? Campus? Department/school/unit? Users of a service? Subset of a population by status?

Who writes it? Who approves it?

Educause Southwest February 2005

10

Power Relationships: Who has control of the policy process on your campus?

Understand who makes decisions Probably somehow related to faculty Probably somehow related to the Chief

Financial Officer

Determine “orientation” of the power players; particularly academic discipline

Determine who influences the power players

Educause Southwest February 2005

11

Identifying Stakeholders

Determine who is interested

Determine who is already working in the area

Determine who has to “sign on” to get the policy approved

Form a stakeholders group to work on the concepts (not the writing)

12

Identified Stakeholders

Educause Southwest February 2005

13

Ensure Stakeholders are Informed

Begin discussions by: Identifying why the policy is needed, what

problem it is solving, what value it is expressing

Understanding underlying legal foundations and related policies

Providing examples of circumstances that require the policy

Educause Southwest February 2005

14

Case Study: Setting the Stage for a Privacy Policy

Stakeholder discussions Provide research on the concern of electronic

users with privacy; Gallup Poll Ask participants to share their own experiences

Gain understanding Learn existing campus issues

Give some examples from other environments

Educause Southwest February 2005

15

Case Study: Privacy Policy Focus on issues, not semantics

Have scenario-based discussions Staff member goes on vacation and there is a change in

a conference speaker; supervisor needs access to her computer

FBI arrives with court order asking for a engineering faculty members email for the last year and his library use records

Human Resources calls and wants the IT staff to review a PC of a staff member suspected of using porn during work time

Educause Southwest February 2005

16

Case Study: Privacy Policy“What” is policy. “How” is not.

Policy: concise statement of what is general organizational intent re: issueProcedures: detailed statement describing how to accomplish policy; generally mandatoryGuidelines: information about how to accomplish a task or goal; not mandatory, but a good ideaChecklists: one or more statements, in sequence, dictating how to accomplish a taskStandards: established by a recognized authority

Educause Southwest February 2005

17

Case Study: Privacy PolicyThe Policy Statement

Policy: concise statement of what is general organizational intent re: issue

The general right to privacy is granted to the extent possible within the electronic environment. Contents should be examined or disclosed only when authorized by the owner, approved by an appropriate University official, or required by law.

Educause Southwest February 2005

18

Case Study: Privacy PolicyProcedures that Support the Policy

Procedures: detailed statement describing how to accomplish policy; generally mandatory

Example: If you are approached by law enforcement in person or by phone with a general request for information, confirm with the investigative agent that release of non-directory information may only occur upon service of a subpoena, search warrant or other court order.

Educause Southwest February 2005

19

Case Study: Privacy PolicyChecklists

Checklists: one or more statements, in sequence, dictating how to accomplish a task

Example: If you are asked by your supervisor to access another staff member’s files, be sure to: Ask the staff member for permission, if possible Ensure the supervisor has obtained approval from the

appropriate Vice Provost or Dean for his/her reporting line

Maintain documentation of original request and your responses

Educause Southwest February 2005

20

Resources

EDUCAUSE/Cornell Institute for Computer, Policy and Law – July 2005http://www.educause.edu/icpl/ Be sure to visit the resource library including links to hundreds of

online policies from colleges and universities around the country. Join the listserv!

Association of College and University Policy Administrators – regular conference calls http://process.umn.edu/ACUPA/about/ Join the listserv!

Annual EDUCAUSE conference - October 2005 Preconference offered on Model Approaches to Policy

Development, with a Writing Workshop

Educause Southwest February 2005

21

Questions?

Marilu Goodyear - goodyear at ku.edu

Jenny Mehmedovic – jmehmedo at ku.edu