University and IT Policies: Match or Mis-match?
Marilu Goodyear, Vice Provost for Information Services and CIO
Jenny Mehmedovic, Coordinator of IT Policy & Planning
University of Kansas
Educause Southwest February 2005
Copyright Marilu Goodyear, Jenny Mehmedovic [2005]. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Why are policies created?
To reflect the philosophies, attitudes, or values of an organization related to a specific issue/problem
Elements of Policy-making in a Higher Ed Environment
Problem to be addressed:
  Misbehavior - reactive
  Organizational change - reactive
  Significant liability assessed - proactive
Institutional influences on policy development:
  Values related to that problem held by the institution/university
  Stakeholders (all those in some way responsible for or affected by the policy)
External influences:
  Legislative
  Regulatory
  Public policy
Institutional Influences: Core Academic Values
Community: shared decision making; outreach to connected communities (access to affiliates or other patrons)
Autonomy: academic and intellectual freedom; distributed computing
Privacy: “the right to open inquiry without having the subject of one’s interest examined or scrutinized by others” (American Library Association, 2002)
Fairness: due process
From Oblinger, Computer and Network Security in Higher Education, 2003. Mark Luker and Rodney Petersen, editors. http://www.educause.edu/asp/doclib/abstract.asp?ID=PUB7008
Influences: EDUCAUSE/Internet2 Principles
Civility and Community
Academic and Intellectual Freedom
Privacy and Confidentiality
Equity, Diversity and Access
Fairness and Process
Ethics, Integrity and Responsibility
EDUCAUSE and Internet2 Computer and Network Security Task Force, “Principles to Guide Efforts to Improve Computer and Network Security for Higher Education,” August 2002; available at http://www.educause.edu/ir/library/pdf/sec0310.pdf
Policy Life Cycle
1. Setting the stage for policy development
2. Writing the policy
3. Approving the policy
4. Distributing the policy
5. Educating the community about the policy
6. Enforcing the policy
7. Reviewing the policy at regular intervals
Policy Development Process with Best Practices (ACUPA)
University Policy or IT Policy?
How do you know?
Who is audience (“scope”)?
  Institution?
  Campus?
  Department/school/unit?
  Users of a service?
  Subset of a population by status?
Who writes it?
Who approves it?
Power Relationships: Who has control of the policy process on your campus?
Understand who makes decisions
  Probably somehow related to faculty
  Probably somehow related to the Chief Financial Officer
Determine “orientation” of the power players; particularly academic discipline
Determine who influences the power players
Identifying Stakeholders
Determine who is interested
Determine who is already working in the area
Determine who has to “sign on” to get the policy approved
Form a stakeholders group to work on the concepts (not the writing)
Identified Stakeholders
Ensure Stakeholders are Informed
Begin discussions by:
  Identifying why the policy is needed, what problem it is solving, what value it is expressing
  Understanding underlying legal foundations and related policies
  Providing examples of circumstances that require the policy
Case Study: Setting the Stage for a Privacy Policy
Stakeholder discussions
  Provide research on the concern of electronic users with privacy; Gallup Poll
  Ask participants to share their own experiences
Gain understanding
  Learn existing campus issues
  Give some examples from other environments
Case Study: Privacy Policy
Focus on issues, not semantics
Have scenario-based discussions
  Staff member goes on vacation and there is a change in a conference speaker; supervisor needs access to her computer
  FBI arrives with court order asking for an engineering faculty member’s email for the last year and his library use records
  Human Resources calls and wants the IT staff to review a PC of a staff member suspected of using porn during work time
Case Study: Privacy Policy
“What” is policy. “How” is not.
Policy: concise statement of what is general organizational intent re: issue
Procedures: detailed statement describing how to accomplish policy; generally mandatory
Guidelines: information about how to accomplish a task or goal; not mandatory, but a good idea
Checklists: one or more statements, in sequence, dictating how to accomplish a task
Standards: established by a recognized authority
Case Study: Privacy Policy
The Policy Statement
Policy: concise statement of what is general organizational intent re: issue
The general right to privacy is granted to the extent possible within the electronic environment. Contents should be examined or disclosed only when authorized by the owner, approved by an appropriate University official, or required by law.
Case Study: Privacy Policy
Procedures that Support the Policy
Procedures: detailed statement describing how to accomplish policy; generally mandatory
Example: If you are approached by law enforcement in person or by phone with a general request for information, confirm with the investigative agent that release of non-directory information may only occur upon service of a subpoena, search warrant or other court order.
Case Study: Privacy Policy
Checklists
Checklists: one or more statements, in sequence, dictating how to accomplish a task
Example: If you are asked by your supervisor to access another staff member’s files, be sure to:
  Ask the staff member for permission, if possible
  Ensure the supervisor has obtained approval from the appropriate Vice Provost or Dean for his/her reporting line
  Maintain documentation of original request and your responses
Resources
EDUCAUSE/Cornell Institute for Computer, Policy and Law – July 2005
http://www.educause.edu/icpl/
  Be sure to visit the resource library including links to hundreds of online policies from colleges and universities around the country.
  Join the listserv!
Association of College and University Policy Administrators – regular conference calls
http://process.umn.edu/ACUPA/about/
  Join the listserv!
Annual EDUCAUSE conference - October 2005
  Preconference offered on Model Approaches to Policy Development, with a Writing Workshop
Questions?
Marilu Goodyear - goodyear at ku.edu
Jenny Mehmedovic – jmehmedo at ku.edu