American University of Beirut
Doc ID: AUB-IT-000001
Page 1 of 15
Title: IT Document Control Policy
Revision: 1.1
Owner: Joseph Hage
www.aub.edu.lb/it
July 2013
Contact Person
Joseph Hage
Interim, Chief IT Quality & Compliance Officer
American University of Beirut
joe.hage@aub.edu.lb | Tel: +961-1-350-000 ext. 2568 | Mobile: +961-70-266-623
Beirut
PO Box 11-0236, Riad El Solh 1107 2020, Beirut, Lebanon | Tel: 961-1-350-000 | Email: IT.compliance@aub.edu.lb
New York 3 Dag Hammarskjold Plaza, 8th Floor | New York, NY 10017–2303, USA | Tel: 1-212-583-7600 | Fax: 1-212-583-7651
Note: When this document is released, it is to be followed and adhered to, and is
subject to document AUB-IT-000001 “IT Document Control Policy”.
Copyright © 1866-2013, American University of Beirut. All Rights Reserved. This information is for internal use only, proprietary and confidential.
American University of Beirut
Doc ID: AUB-IT-000001
Page 2 of 15
Title: IT Document Control Policy
Revision: 1.1
Owner: Joseph Hage
TABLE OF CONTENTS
1.
PURPOSE
3
2.
DOCUMENTATION TYPES
3
2.1.
Policies – Why?
3
2.2.
Processes – What?
3
2.3.
Procedures – How?
3
2.4.
Templates
3
2.5.
Documentation Categories
4
3.
DEFINITIONS
4
4.
POLICY
6
4.1.
General Documentation Guidelines
6
4.2.
IT Document Control
7
4.3.
Revision Control
8
4.3.1.
Revision Number Controlled Documentation
8
4.3.2.
Date Controlled Documentation
9
4.4.
Effectivity Date
9
4.5.
Authoring History Log
10
4.6.
Pre-Submission Checklist
10
4.7.
Document Approvals
11
4.8.
Transfer Authority and Escalation
11
4.9.
Control and Approval by Document Type
12
5.
COMPLIANCE WITH THIS POLICY
13
6.
VIOLATION OF THIS POLICY
13
7.
AUTHORING HISTORY
15
Copyright © 1866-2013, American University of Beirut. All Rights Reserved. This information is for internal use only, proprietary and confidential.
American University of Beirut
Doc ID: AUB-IT-000001
Page 3 of 15
Title: IT Document Control Policy
Revision: 1.1
Owner: Joseph Hage
1. Purpose
The purpose of this document is to serve as the official information technology (IT)
document control policy within the American University of Beirut (AUB). It is to be
maintained under change control by the Office of Information Technology (OOIT).
The purpose of this policy is to:
Establish a uniform and consistent method for preparing and handling IT
documentation
Specify who controls IT documentation
Identify the location of IT documentation storage
This Document Control Policy (DCP) governs the control, distribution, and removal of
IT documentation, both hard copy and electronic. The DCP applies to all IT
documentation within the Document Management System (DMS). All staff and
faculty of AUB must adhere to the provisions set forth in this policy.
2. Documentation Types
The University shall have four major types of IT documentation including Policies,
Processes, Procedures, and Templates.
2.1. Policies – Why?
Policies are guiding principles or course of action adopted towards an
objective or objectives. Policy documents also describe why AUB is engaged
in the activity.
2.2. Processes – What?
Processes are collections of related procedures that start at a specific point
and end at another as work tasks, activities, and functions are performed.
Process documents describe what AUB does to achieve a certain result.
2.3. Procedures – How?
Procedures consist of a collection of tasks that are performed by one or more
resources. Procedure documents describe how AUB employees are expected
to perform their tasks according to a process and as dictated by one or more
policies.
2.4. Templates
Templates are used as a tool and a starting point for creating various types of
documents.
Copyright © 1866-2013, American University of Beirut. All Rights Reserved. This information is for internal use only, proprietary and confidential.
American University of Beirut
Doc ID: AUB-IT-000001
Page 4 of 15
Title: IT Document Control Policy
Revision: 1.1
Owner: Joseph Hage
2.5. Documentation Categories
Documentation is classified under the following two categories:
Internally Generated Documents are produced by AUB faculty and
staff. Examples of such documents include Specifications, Plans,
Organizational Charts, Job Definitions, and more.
Externally Generated Documents are produced by companies or
individuals other and outside of AUB. Examples of such documents
include Supplier Documents, Governmental Documents, and more.
The system may also include miscellaneous documents, which must be date
controlled. Examples of such documents include Templates, Frequent Dated
Reports, Individual Objectives, and more. Miscellaneous Information may be
either Internally Generated Documents or Externally Generated Documents.
3. Definitions
Term
Definition
Affected
Stakeholder(s)
Individuals within or outside the University who are affected by
the policy.
Appendices
Contain laws, regulations, and checklists that may pertain to the
document.
Approver(s)
The University stakeholder(s) who approve(s) a document.
Author(s)
The document author is either the document owner or the
person(s) designated by the document owner to write the
document. This may include a cross-functional team to develop
the document.
Contacts
Names the University office(s) that can answer specific questions
regarding the document or approve exceptions.
Definitions
Alphabetical listing of the terms used in the document, to define
unfamiliar terms that have a specialized meaning in the document.
Doc Owner
Person who “owns’ the process, procedure, policy, manual, or
form defined in the document. A document owner is the person
responsible for defining and improving the information in the
document. A document must have one and only one owner.
Forms/Instructions
Lists forms the reader must use to comply with the policy, explains
the purpose of each form, and may provide a hyperlink to the
Copyright © 1866-2013, American University of Beirut. All Rights Reserved. This information is for internal use only, proprietary and confidential.
American University of Beirut
Doc ID: AUB-IT-000001
Page 5 of 15
Title: IT Document Control Policy
Revision: 1.1
Owner: Joseph Hage
Term
Definition
applicable form(s).
Internal Process
Customer
Person who benefits from the implemented process
Internal Process
Supplier
Person who supplies goods and/or services to the implemented
process.
Policies and
Procedures Office
(PPO)
The Policies and Procedures Office (hereinafter referred to as
“PPO”) is responsible for maintaining the University’s online
policies, procedures, bylaws, and manuals, and for ensuring that
they are available to the appropriate staff. The PPO provides
assistance in the formatting and editing of faculty and/or
departmental manuals to ensure consistency of format, language,
and content. All policies shall conform to the published University
templates.
Policies and
Procedures Review
Committee (PPRC)
Standing committee of the University tasked with overseeing the
development and/or revision of all University wide policies,
bylaws, procedures, and manuals (also referred to herein as
“documents”). The PPRC is also responsible for identifying lacunae
and obsolete passages in AUB’s bylaws, policies, procedures, and
manuals, and directing the development and/or the review of the
documents identified.
Members of the PPRC are appointed by the President and are
tasked with reviewing departmental manuals whenever those
manuals include procedures that have broader application than
the department concerned.
The committee shall meet to consider agenda items that may be
submitted to it by the President, the Provost, the Policies and
Procedures Office, or any of the University’s senior management
staff.
The PPRC shall obtain legal and other advice, as it deems
necessary. It shall ensure that the documents it reviews are clear
and consistent with those already approved. It shall submit to the
President all university-wide policies, procedures, bylaws, and
manuals for his/her final approval. The PPRC reports to the
president and shall keep minutes of its meetings.
Process Owner
Person who is ultimately accountable for defining, measuring,
implementing, and continuously improving the process. The
Copyright © 1866-2013, American University of Beirut. All Rights Reserved. This information is for internal use only, proprietary and confidential.
American University of Beirut
Doc ID: AUB-IT-000001
Page 6 of 15
Title: IT Document Control Policy
Revision: 1.1
Owner: Joseph Hage
Term
Definition
process owner must be able to manage the process across
functional or organizational boundaries.
Process User
Person who uses the process. Responsibilities of process users
include understanding the process, gathering any measurement
data, recommending process corrections and improvements, and
managing process participants relationships.
Purpose of Policy
States the legitimate interests of all parties, describes the problem
or conflict the policy addresses, and cites any legal or regulatory
reasons for the policy.
Responsible Office
Under the direction of the responsible university official, the
Responsible Office shall develop and administer particular policies
and procedures and shall be accountable for the accuracy of their
subject matter, their issuance, and their timely updates.
Scope
A document must have a scope as to imply how wide it applies.
For example, a procedure might not have broad impact on the
University community as it could be limited in its scope and
application to a specific department. Those with University-wide
scope must be reviewed by the PPRC and approved by the
President.
4. Policy
4.1. General Documentation Guidelines
The following are general documentation guidelines to follow:
All internally generated documentation should be assigned document
numbers by the controlling organization.
The document number must be created without any logic to it.
The electronic copy of each document must be accessed by a file
name, which includes the document number.
Any member of staff or faculty may suggest amendments or
corrections following consultation with the Document Owner.
The Document Owner will be responsible for making the amendments
or corrections to the document, which must be performed as soon as
Copyright © 1866-2013, American University of Beirut. All Rights Reserved. This information is for internal use only, proprietary and confidential.
American University of Beirut
Doc ID: AUB-IT-000001
Page 7 of 15
Title: IT Document Control Policy
Revision: 1.1
Owner: Joseph Hage
possible. The Document Owner may delegate such responsibility to
one or more Document Author(s).
In case the documents had been printed, all copies in circulation must
then be reprinted and inserted in place of the outdated and obsolete
documents. The obsolete documents must be destroyed by shredding
immediately.
The Revisions and/or Authoring History page in the document must
be completed to summarize what work has been done by the
document editor. Revisions to any document must be approved by its
owner whose name appears on the cover page as well as at least one
other person.
IT Documents affecting people outside of the IT organization must
also be approved by the Policies and Procedures Review Committee
(PPRC) and the President.
Sole self-approval of documents is not accepted.
4.2. IT Document Control
The following are IT document control guidelines to follow:
All documentation is stored online in a Document Management
System (DMS).
Documents are assigned a Document ID formatted as AUB-NNMMMMMM, whereby NN represents the controlling organization
and MMMMMM represents a serial number for the document.
Documentation is controlled by the DMS Administrator and a DMS
Document Control Manager.
No hyperlinks to documents outside DMS are permitted, except to
those within the AUB and AUBMC websites.
References may be made to any documents outside DMS as long as
the references are clear as to how the documents can be located.
Upon the last approval, the documentation status becomes
“Approved” in the DMS.
Document control includes those documents required under the
University’s adopted processes, procedures, policies, plans that direct
or affect the course or content of the University’s activities and
programs.
Major changes must result in the immediate review and reissue of the
procedure with a new Revision Number. A major change is defined as
one that materially changes the operation of the procedure. Such
Copyright © 1866-2013, American University of Beirut. All Rights Reserved. This information is for internal use only, proprietary and confidential.
American University of Beirut
Doc ID: AUB-IT-000001
Page 8 of 15
Title: IT Document Control Policy
Revision: 1.1
Owner: Joseph Hage
reviews and approvals occur via a document change in the DMS.
Document amendment does not replace the document review
process.
The official controlled electronic version of all documents is the
electronic file accessible in the DMS. Any document printed from the
DMS is considered an uncontrolled document. Any person or
organization, using uncontrolled documents, is responsible for
ensuring that documentation used is current and that obsolete
documentation is removed, deleted, shredded or otherwise assured
against unintended use.
All authoring and published documentations are located in the DMS
system. Obsolete documents that are retained in the DMS shall be
ignored as of the obsolescence date of the old document revision,
which usually coincides with the effectivity date of the new revision.
Published documents are accessible for all University staff and are
subject to internal and external audits.
4.3. Revision Control
All documents must be revision controlled either by a revision number or a
date.
4.3.1. Revision Number Controlled Documentation
When a document is distributed for review, it is considered as
Drafted.
It is necessary to log the date in the document’s Authoring History
log each time changes are incorporated and the document is
subsequently reviewed.
Once the document is approved and considered final, its Revision
number is incremented.
Document Revisions must be in N.M format where N is a positive
integer greater than 0 and M is a positive integer greater or equal
to 0 (e.g., 2.5). The first revision of a new document must be 1.0.
N must be incremented each time a significant modification is
made to the document. A significant modification is defined to be
a change where the overall document statement has been altered,
either through modification, removal, or enhancement. M must
be incremented each time any change is made to the document. If
N is incremented, M must be reset to 0.
Copyright © 1866-2013, American University of Beirut. All Rights Reserved. This information is for internal use only, proprietary and confidential.
American University of Beirut
Doc ID: AUB-IT-000001
Page 9 of 15
Title: IT Document Control Policy
Revision: 1.1
Owner: Joseph Hage
Document revisions shall be tracked in Microsoft Word (if Word is
being used as the authoring tool) using Word’s Track Changes
capability using the following process:
Open the document to be modified
Accept all changes from the previous revision by:
o Select “Review | Track Changes | Accept or Reject
Changes”
o Select “Accept All” and answer “Yes” to accept all
changes, assuming of course that you agree with
the changes
Make sure changes to the current revision are tracked by:
o Select “Review I Track Changes I Highlight
Changes”
o Check “Track Changes While Editing”
Make changes to the document as appropriate.
To highlight areas where there are questions or comments
intended for the audience, use the highlighting tool. This is
available via the Highlight button.
4.3.2. Date Controlled Documentation
Template files and external documentation shall be controlled and
released based on a date. The date format shall be YYYYMMDD
(e.g., 20130802 for August 2nd 2013 or 20140630 for June 30th
2014).
The date of publication should be clearly indicated on the
documentation.
Most externally generated and miscellaneous documents should
use this method of revision control.
4.4. Effectivity Date
The following are effectivity date guidelines to follow:
Date on which a particular revision of a document goes into effect.
Effectivity date must occur after a document is released and after
allowing enough time for training or re-training to take place for the
users affected by the changes in the new revision.
The last approver of the change order must ensure that the affected
document has the appropriate effectivity date.
Copyright © 1866-2013, American University of Beirut. All Rights Reserved. This information is for internal use only, proprietary and confidential.
American University of Beirut
Doc ID: AUB-IT-000001
Page 10 of 15
Title: IT Document Control Policy
Revision: 1.1
Owner: Joseph Hage
4.5. Authoring History Log
The following are authoring history log guidelines to follow:
A table included on the Revision page of each document containing a
description of modifications to approved documents.
The description will provide a detailed description of substantive
changes. Grammatical changes need only be noted but not detailed.
A document can be reissued and checked in under the same revision
level if the changes are administrative in nature and do not involve
process form, fit, or function changes.
Ten or fewer minor amendments may be made before the procedure
is revised. A minor amendment is defined as one that does not
materially affect the operation of the procedure (e.g., a typographical
error). These changes are checked into the attachments tab as
versions of the specific file.
If multiple authors are working on the same revision of the document,
then they should not be repeating the same revision number on
multiple rows. Instead, they should type their name, date and
comments by pressing SHIFT-ENTER to keep all entries related to the
same revision in the same cell of the Authoring History table.
The guidelines set forth in the Revision Control section must be
followed.
4.6. Pre-Submission Checklist
The following is a pre-submission checklist to follow:
Identify referenced documents such as procedures, policies,
templates, or other reference documentation.
Do not refer to other documents by revision number unless the use of
a specific revision of that document is specifically required. The
default is to refer the reader to the latest released revision. If the
reader finds that there is a pending revision against the document,
then the user is responsible to verify with the Document Owner about
when the next revision will be available and put into effect.
Identify those forms, reports, and other records that are the result of
key steps in the document.
Prepare and include a flowchart of all processes or procedures
including inputs and outputs, if desired.
Have the employees who perform any part of the document or who
are affected by it review it.
Copyright © 1866-2013, American University of Beirut. All Rights Reserved. This information is for internal use only, proprietary and confidential.
American University of Beirut
Doc ID: AUB-IT-000001
Page 11 of 15
Title: IT Document Control Policy
Revision: 1.1
Owner: Joseph Hage
Publish the document and set its Status to Published.
Notify appropriate personnel of the approval and publication of
documents.
Search the DMS documents list and compare the document against
existing documents. If there are similar documents, a determination
must be made concerning whether both documents should be
combined. This will streamline the DMS and reduce work.
Review to ensure that the document meets the intent of the
guidelines as specified in this document.
Avoid the use of ambiguous or unclear terminology such as “if
appropriate”, “significant”, or “minor” in describing activity or
decision steps in the procedure. If such terms are used, they should
be defined.
Update the Authoring History log for revisions of approved
documents.
Update the Revision number in the page header, if applicable.
Ensure that the documents referenced and used or created as part of
this document are approved, controlled, and secured against
unauthorized entry or destruction.
4.7. Document Approvals
The following are document approvals guidelines to follow:
Electronic signatures indicate review, understanding, and approval of
a document.
No e-mail approvals outside of DMS are acceptable as only electronic
approvals through the DMS are. Except, if the e-mail message is
saved from Outlook as an MSG file and then attached to the DMS
document as an attachment.
Paper-based signatures are accepted on a temporary basis after which
the signature document shall be scanned and attached to an
electronic approval in the DMS.
The owner of document shall not be sole approver of its revision.
4.8. Transfer Authority and Escalation
When a member of the team is out of the office and unable to check the DMS
regularly, that person is required to transfer his or her authority to another
user. The employee’s manager shall determine to whom the authority is
transferred.
Copyright © 1866-2013, American University of Beirut. All Rights Reserved. This information is for internal use only, proprietary and confidential.
American University of Beirut
Doc ID: AUB-IT-000001
Page 12 of 15
Title: IT Document Control Policy
Revision: 1.1
Owner: Joseph Hage
The DMS also implements the escalation feature that escalates inaction to
another DMS user, typically the Manager of the person.
4.9. Control and Approval by Document Type
There are several types of documents in the DMS listed in the Doc Type drop
down. They are:
Form: Document that has blank spaces for the insertion of specified
information. A form shall be approved by the manager of the person
who developed the form.
Job Definition: Document containing job descriptions and definitions
for a particular department. A job definition document must be
approved by the Manager in charge of that department. Initial Job
Definitions must be assigned the HR Workflow and shall be forwarded
at the end to the HR department.
Manual: Reference or instruction document. A guide or manual shall
be approved by the manager of the person who developed the
guide/manual.
Organization Chart: Document outlining the organizational structure
of a particular department or organization. An organization chart
must be approved by the Department Manager and a member of the
executive staff.
Plan: Outline of actions to be taken over a period of time to execute
on a mission. A plan must be approved by the Manager of the person
who created it.
Policy: Guiding principle
accomplishment.
Procedure: Established way of performing an activity. A procedure
document shall be approved by the manager of the people who
perform the procedure.
Process: Set of interrelated work activities that are characterized by a
set of specific inputs and value-added tasks that produce a set of
specific outputs. A process can be contained within a functional
organization, or it can span several functional organizations. A process
is repeatable and measurable; corrective action is used to correct
process problems and improve process performance. A process
document shall be approved by the Manager of persons who are
Process Users or Internal Process Suppliers.
or plan for an
activity and its
Copyright © 1866-2013, American University of Beirut. All Rights Reserved. This information is for internal use only, proprietary and confidential.
American University of Beirut
Doc ID: AUB-IT-000001
Page 13 of 15
Title: IT Document Control Policy
Revision: 1.1
Owner: Joseph Hage
Project: Set of work breakdown structure items and the resources
assigned to execute them. A project shall be approved by all managers
who have resources assigned to the project as well as the Program
Manager managing the project. Project documents should refer
exclusively to the project’s Code Name.
Report: Document presenting a data set to the reader. A report shall
be approved by the person who prepared it.
Specification:
specifications.
Service Level Agreement (SLA): Document outlining an agreement
about services to be provided to end users.
Statement Of Work (SOW): Document outlining scope and
deliverables to be provided to end users.
Template: Document to be used as a framework for the creation of
other documents. Templates shall be approved by a DMS
Administrator.
Document
featuring
technical
or
business
5. Compliance with this Policy
The Chief IT Quality and Compliance Officer is responsible for ensuring
compliance with and enforcing this policy.
All IT staff must adhere to this policy when authoring information
technology documents.
6. Violation of this Policy
All users are advised that, in addition to being a violation of University rules, certain
computer misconduct is prohibited under Lebanese laws and is therefore, subject to
criminal penalties. Such misconduct includes gaining unauthorized access to
controlled documents by breaking through a security measure, falsely obtaining
electronic services or data, destroying of electronically processed, stored, or intransit data, and using the Internet or an information technology device to threaten
or blackmail another to act or not.
Any violation of this policy or applicable Lebanese laws will be subject to
investigation and/or disciplinary action, up to and including termination of
employment, termination of enrollment, and referral to the appropriate law
enforcement authorities in the appropriate cases. Questions concerning any aspect
of this policy should be directed to the Chief IT Quality and Compliance Officer at the
Office of Information Technology. The Office of Information Technology reserves the
right to take appropriate action at any time to maintain and protect the
confidentiality and integrity of the University’s documents.
Copyright © 1866-2013, American University of Beirut. All Rights Reserved. This information is for internal use only, proprietary and confidential.
American University of Beirut
Doc ID: AUB-IT-000001
Page 14 of 15
Title: IT Document Control Policy
Revision: 1.1
Owner: Joseph Hage
Copyright © 1866-2013, American University of Beirut. All Rights Reserved. This information is for internal use only, proprietary and confidential.
American University of Beirut
Doc ID: AUB-IT-000001
Page 15 of 15
Title: IT Document Control Policy
Revision: 1.1
Owner: Joseph Hage
7. Authoring History
Revision
1.0
1.1
Date
(DD-MM-YYYY)
07-06-2012
20-10-2012
Author
Joe Hage
Joe Hage
10-12-2012
07-03-2013
Joe Hage
Joe Hage
Reason for Changes
Initial version
Edits based on clarifications requested by Andre Nahas,
PPRC Chairperson
Final changes based on requests for change from PPRC
Implemented new template with minor edits
Copyright © 1866-2013, American University of Beirut. All Rights Reserved. This information is for internal use only, proprietary and confidential.
