
University and IT Policies: Match or Mis-match?

Marilu Goodyear, Vice Provost for Information Services and CIO
Jenny Mehmedovic, Coordinator of IT Policy & Planning

University of Kansas

Educause Southwest February 2005

Copyright Marilu Goodyear, Jenny Mehmedovic [2005]. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Why are policies created?

To reflect the philosophies, attitudes, or values of an organization related to a specific issue/problem

Elements of Policy-making in a Higher Ed Environment

Problem to be addressed:
- Misbehavior - reactive
- Organizational change - reactive
- Significant liability assessed - proactive

Institutional influences on policy development:
- Values related to that problem held by the institution/university
- Stakeholders (all those in some way responsible for or affected by the policy)

External influences:
- Legislative
- Regulatory
- Public policy

Institutional Influences: Core Academic Values

- Community: shared decision making; outreach to connected communities (access to affiliates or other patrons)
- Autonomy: academic and intellectual freedom; distributed computing
- Privacy: “the right to open inquiry without having the subject of one’s interest examined or scrutinized by others” (American Library Association, 2002)
- Fairness: due process

From Oblinger, Computer and Network Security in Higher Education, 2003. Mark Luker and Rodney Petersen, editors. http://www.educause.edu/asp/doclib/abstract.asp?ID=PUB7008

Influences: EDUCAUSE/Internet2 Principles

- Civility and Community
- Academic and Intellectual Freedom
- Privacy and Confidentiality
- Equity, Diversity and Access
- Fairness and Process
- Ethics, Integrity and Responsibility

EDUCAUSE and Internet2 Computer and Network Security Task Force, “Principles to Guide Efforts to Improve Computer and Network Security for Higher Education,” August 2002; available at http://www.educause.edu/ir/library/pdf/sec0310.pdf

Policy Life Cycle

1. Setting the stage for policy development
2. Writing the policy
3. Approving the policy
4. Distributing the policy
5. Educating the community about the policy
6. Enforcing the policy
7. Reviewing the policy at regular intervals

Policy Development Process with Best Practices (ACUPA)

University Policy or IT Policy?

How do you know?

Who is audience (“scope”)?
- Institution?
- Campus?
- Department/school/unit?
- Users of a service?
- Subset of a population by status?

Who writes it?

Who approves it?

Power Relationships: Who has control of the policy process on your campus?

Understand who makes decisions
- Probably somehow related to faculty
- Probably somehow related to the Chief Financial Officer

Determine “orientation” of the power players; particularly academic discipline

Determine who influences the power players

Identifying Stakeholders

Determine who is interested

Determine who is already working in the area

Determine who has to “sign on” to get the policy approved

Form a stakeholders group to work on the concepts (not the writing)

Identified Stakeholders

Ensure Stakeholders are Informed

Begin discussions by:
- Identifying why the policy is needed, what problem it is solving, what value it is expressing
- Understanding underlying legal foundations and related policies
- Providing examples of circumstances that require the policy

Case Study: Setting the Stage for a Privacy Policy

Stakeholder discussions
- Provide research on the concern of electronic users with privacy; Gallup Poll
- Ask participants to share their own experiences
  - Gain understanding
  - Learn existing campus issues
- Give some examples from other environments

Case Study: Privacy Policy
Focus on issues, not semantics

Have scenario-based discussions
- Staff member goes on vacation and there is a change in a conference speaker; supervisor needs access to her computer
- FBI arrives with court order asking for an engineering faculty member’s email for the last year and his library use records
- Human Resources calls and wants the IT staff to review a PC of a staff member suspected of using porn during work time

Case Study: Privacy Policy
“What” is policy. “How” is not.

- Policy: concise statement of what is general organizational intent re: issue
- Procedures: detailed statement describing how to accomplish policy; generally mandatory
- Guidelines: information about how to accomplish a task or goal; not mandatory, but a good idea
- Checklists: one or more statements, in sequence, dictating how to accomplish a task
- Standards: established by a recognized authority

Case Study: Privacy Policy
The Policy Statement

Policy: concise statement of what is general organizational intent re: issue

The general right to privacy is granted to the extent possible within the electronic environment. Contents should be examined or disclosed only when authorized by the owner, approved by an appropriate University official, or required by law.

Case Study: Privacy Policy
Procedures that Support the Policy

Procedures: detailed statement describing how to accomplish policy; generally mandatory

Example: If you are approached by law enforcement in person or by phone with a general request for information, confirm with the investigative agent that release of non-directory information may only occur upon service of a subpoena, search warrant or other court order.

Case Study: Privacy Policy
Checklists

Checklists: one or more statements, in sequence, dictating how to accomplish a task

Example: If you are asked by your supervisor to access another staff member’s files, be sure to:
- Ask the staff member for permission, if possible
- Ensure the supervisor has obtained approval from the appropriate Vice Provost or Dean for his/her reporting line
- Maintain documentation of original request and your responses

Resources

EDUCAUSE/Cornell Institute for Computer, Policy and Law – July 2005
http://www.educause.edu/icpl/
- Be sure to visit the resource library including links to hundreds of online policies from colleges and universities around the country.
- Join the listserv!

Association of College and University Policy Administrators – regular conference calls
http://process.umn.edu/ACUPA/about/
- Join the listserv!

Annual EDUCAUSE conference - October 2005
- Preconference offered on Model Approaches to Policy Development, with a Writing Workshop

Questions?

Marilu Goodyear - goodyear at ku.edu

Jenny Mehmedovic – jmehmedo at ku.edu