EDUCAUSE Pre-Conference Seminar 05A, October 19, 2004
Amy Ginther, Coordinator of Policy Development and Education, University of Maryland
Merri Beth Lavagnino, Deputy IT Policy Officer, Indiana University
Jenny Mehmedovic, Coordinator of IT Policy & Planning, University of Kansas
Check-In and Logistics
I. Introduction
II. The Policy Process
III. IT Policy Examples
IV. Conclusion
The term “policy” can be used to describe:
The strategic direction or operating philosophy of an organization
Legislative and regulatory developments, also known as “public policy”
Operational statements or directions, also known as “institutional policy”
Statements that reflect the philosophies, attitudes, or values of an organization related to a specific issue.
Concise statement of what the policy is intended to accomplish, not how to accomplish it
One or two sentence description of general organizational intent
General enough to provide flexibility
Indiana University will provide access to appropriate central and campus computing resources…to all members of the University community whose work requires it.
Excerpt from “General Policies: Access” section of Computer Users’ Privileges and Responsibilities, Fall 1999
The “how” is accomplished through:
Procedures
Guidelines
Checklists
Standards
Resist the temptation to put the “how” into the policy statement!!
Detailed statements (often supporting a policy) describing how to accomplish a task or reach a goal
Actions are generally mandatory
More explanatory text included
Requests for access to central campus computing and networking resources should be directed to the regional Chief Information Officer or their delegate on the campus where the required service is located.
Excerpt from “Procedure Reference” section of Policy on Eligibility to Use Indiana University Information Technology Resources, March 26, 2002
Information about how to accomplish a task or reach a goal
Provided as suggestions – not mandatory, but a good idea
May contain an element of “best practices”
Alternate actions might work, but these have been found to work the best
More explanatory text included
Authentication is the process of ensuring that the person supplying an identity is the person to whom the supplied identity has been assigned.
There are industry-standard methods for authenticating the identity of users.
Generally, it is accepted that the forms of authentication come in three types: something the user knows (e.g., a password), something the user carries (e.g., an ID card), or something about the user (e.g., a fingerprint). A combination of at least two of these is necessary to adequately ensure appropriate access to the most sensitive/confidential information, while a simple password may be adequate for less sensitive (e.g., non-restricted) materials.
Six (6) standard levels of authentication for access to services are currently recognized, and selection of the appropriate method will be commensurate with the type of access and the sensitivity of the data involved. The Data Steward for the data area involved will, with input from others, make the decision about the level and type of authentication that will be deployed:
1) Network Address/Physical Location. May be used where it is only important to restrict access to data or a particular service to persons using a specific or any Indiana University networked device. "Proxy"-type services may be deployed where it is necessary to provide this access to IU users who are not physically attached to an IU network segment. However, some additional form of authentication is necessary to ensure that the person accessing this proxy mechanism is indeed a member of the IU community and as such authorized to access the network address-protected services.
Excerpt from “Appropriate Access” section of Guidelines for Handling Electronic Institutional and Personal Information, Indiana University, October 26, 2000
One or more statements dictating how to accomplish a task
Considered as commands
Apply to an immediate circumstance and mandatory in that situation
Simple language, no explanatory text
Sequence important
1) Immediately inform senior administrators present in the office of any request by a law enforcement agency.
2) All efforts will be made by the staff to ensure that, to the extent possible, communications with the law enforcement officer are made in a conference room or other area removed from any students or visitors who may be present.
3) If the request of the law enforcement agency is not submitted in writing, staff should make a written record of all information requested.
4) Senior administrators will notify University Counsel ((812) 855-9739 or (317) 274-7460 on the IUPUI campus) of the law enforcement agency’s visit and request. The University Counsel will advise the administrator(s) regarding the appropriate response to the request.
Excerpt from “Protocol for Police or FBI Requests for Information,” Indiana University
Statements dictating the state of affairs or action in a particular circumstance
A rule established by a recognized authority, with no deviation allowed
A DES key consists of 64 binary digits ("0"s or "1"s) of which 56 bits are randomly generated and used directly by the algorithm. The other 8 bits, which are not used by the algorithm, may be used for error detection. The 8 error detecting bits are set to make the parity of each 8-bit byte of the key odd, i.e., there is an odd number of "1"s in each 8-bit byte. A TDEA key consists of three DES keys, which is also referred to as a key bundle. Authorized users of encrypted computer data must have the key that was used to encipher the data in order to decrypt it. The encryption algorithms specified in this standard are commonly known among those using the standard. The cryptographic security of the data depends on the security provided for the key used to encipher and decipher the data.
Excerpt from “Explanation” section of Data Encryption Standard (DES), National Institute of Standards and Technology, 1999 October 25
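The key-structure rule quoted in the DES excerpt above, worked through in code. This is an added example, not part of the seminar material or of the NIST standard: it generates a 56-bit key with the eight odd-parity bits set, uses those bits to detect a corrupted key byte, and runs the checks a key custodian would apply to a TDEA key bundle (length, parity, and the degenerate case of three identical keys). It assumes the FIPS 46-3 convention that the parity bit is the least significant bit of each key byte.

```python
import secrets

DES_KEY_LEN = 8                     # 64 bits per DES key: 56 key bits + 8 parity bits
TDEA_BUNDLE_LEN = 3 * DES_KEY_LEN   # a key bundle is three DES keys


def with_odd_parity(byte: int) -> int:
    """Set the low-order bit of one key byte so the byte has an odd number of 1s.
    FIPS 46-3 places the parity bit in the least significant bit of each byte;
    the other seven bits are the key material the algorithm actually uses."""
    key_bits = byte & 0xFE
    ones = bin(key_bits).count("1")
    return key_bits | (0 if ones % 2 else 1)


def set_odd_parity(key: bytes) -> bytes:
    """Recompute the parity bits of a DES key (or of every key in a bundle)."""
    return bytes(with_odd_parity(b) for b in key)


def parity_errors(key: bytes) -> list[int]:
    """Indices of bytes with even parity: a stored or transmitted key was corrupted."""
    return [i for i, b in enumerate(key) if bin(b).count("1") % 2 == 0]


def generate_des_key() -> bytes:
    """56 random bits from the OS CSPRNG plus 8 parity bits set by rule."""
    return set_odd_parity(secrets.token_bytes(DES_KEY_LEN))


def generate_tdea_bundle() -> bytes:
    """Three independently generated DES keys, the standard's 'key bundle'."""
    return b"".join(generate_des_key() for _ in range(3))


def check_tdea_bundle(bundle: bytes) -> list[str]:
    """Sanity checks to run before accepting a key bundle; empty list means OK."""
    if len(bundle) != TDEA_BUNDLE_LEN:
        return [f"bundle must be {TDEA_BUNDLE_LEN} bytes, got {len(bundle)}"]
    keys = [bundle[i:i + DES_KEY_LEN] for i in range(0, TDEA_BUNDLE_LEN, DES_KEY_LEN)]
    problems = []
    for n, k in enumerate(keys, start=1):
        if parity_errors(k):
            problems.append(f"key {n}: parity error in byte(s) {parity_errors(k)}")
    if keys[0] == keys[1] == keys[2]:
        problems.append("all three keys equal: bundle degenerates to single DES")
    return problems


if __name__ == "__main__":
    # Constructed example: the classic test key 0123456789ABCDEF already has odd parity.
    sample = bytes.fromhex("0123456789abcdef")
    print(parity_errors(sample))                              # []
    corrupted = bytes([sample[0] ^ 0x80]) + sample[1:]        # flip one key bit in byte 0
    print(parity_errors(corrupted))                           # [0]
    print(check_tdea_bundle(sample * 3))                      # degenerate bundle reported
```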
Procedures, guidelines, checklists, and standards all must implement, reflect, and support the applicable policy or policies
The entire set of statements is sometimes considered to be the “Policy.” They are often located together, even as sections in the same document.
As a result of internal influences:
Correction of misbehavior (reactive)
Organizational change (reactive)
Assessment of significant liabilities or problems (proactive)
As a result of external influences:
Legislative
Regulatory
Public policy
We can refer to this as the “scope”:
Institution
Campus
Department/School/Unit
Or…
Users of a service
Or…
Subset of population by status
Likely differs by the scope of the policy as outlined in the previous slide
Likely differs also by size of the scope
Large scope = dedicated policy office
Medium scope = dedicated policy person
Small scope = committee
Institution may have organized it for you
(generally only for institution-wide policies)
Look for a “Policy on Policies”
At minimum:
Establish authority
Create a common and consistent format
Set up an online home for all your policies
Pre-development:
Identify issues
Conduct analysis
Development:
Draft language
Get approvals
Determine distribution/education
Maintenance:
Solicit evaluation & review
Plan measurement & compliance
1) Setting the stage for policy development
2) Writing the policy
3) Approving the policy
4) Distributing the policy
5) Educating the community about the policy
6) Enforcing the policy
7) Reviewing the policy at regular intervals
Setting the Stage:
Consistency with University values and mission
Identification and involvement of stakeholders
Informed participants
Assess cost/benefit
Writing:
Preventing reinvention of the wheel
Discussion and consensus building
Use a common format
Agree on common definitions & terms
Approving:
Wide review and input
Allow for user feedback
Approval from senior administrative levels
Distributing:
Accessible from one online location
Allow for text and other searches
Send email to official distribution lists
Include contacts to answer questions
Educating:
New and existing users
Hold a policy day
Have traveling road shows
Signed user agreements
Require policies to be read before services granted
Enforcing:
Create policy enforcement office
Assess liability/feasibility
Respond to complaints
Reviewing:
Identify an owner for each policy
Develop a plan for active maintenance
Archive, date, and notify constituencies of major changes
1) Setting the Stage
1) Setting the Stage
The higher education environment tends to be more open than corporate or government environments
Reality of student residential environments
Academic values
Policy measures must protect and not impede the expression of these values
Balance need for policies with important aspects of higher education environment
1) Setting the Stage
Community: shared decision making; outreach to connected communities (access to affiliates or other patrons)
Autonomy: academic and intellectual freedom; distributed computing
Privacy: “the right to open inquiry without having the subject of one’s interest examined or scrutinized by others” (American Library Association, 2002)
Fairness: due process
From Oblinger, Computer and Network Security in Higher Education, 2003. Mark Luker and Rodney Petersen, editors. http://www.educause.edu/asp/doclib/abstract.asp?ID=PUB7008
1) Setting the Stage
EDUCAUSE/Internet2 six principles to guide policy development:
Civility and Community
Academic and Intellectual Freedom
Privacy and Confidentiality
Equity, Diversity and Access
Fairness and Process
Ethics, Integrity and Responsibility
1) Setting the Stage
Are you here because you have been assigned to do IT policies by some authority?
Or, are you still trying to figure out how to establish authority for creation and maintenance of IT policies?
1) Setting the Stage
What are the IT issues affecting your organization that appear to need to be addressed through policy?
Ensure there aren’t already policies at your institution covering these issues
1) Setting the Stage
Usually it is a different team for each policy, because it depends on the issue being addressed in the policy
Remember some important stakeholders may be better reviewers than writers
1) Setting the Stage
Begin discussions with an understanding of underlying legal foundations and related policies
1) Setting the Stage
How to achieve?
Develop understanding of core values and mission by meeting with upper administrators
Outline various scenarios that might arise and then discuss what values are around those scenarios
1) Setting the Stage
Analyze need for policy in light of benefits, costs, liabilities
Must not cost more (in any terms) than the problem or situation addressed
2) Writing the Policy
Is anyone else out there?
Using others’ work to fit your environment
Ask and ye shall receive!
Just give credit
Asking questions of colleagues at other institutions
2) Writing the Policy
Are you writing a University-wide or departmental policy?
Highlight gaps in non-IT policy language
Insert IT needs into existing University policy
Add a paragraph, rather than write an entirely new policy
2) Writing the Policy
Start discussions with a blank page to avoid getting caught up in semantics
Build consensus on issues not words
THEN, draft policy language
2) Writing the Policy
Agree on common definitions and terms related to the policy topic
Document these for a section of the policy
2) Writing the Policy
Check for a common format used for other policies at your institution
Check EDUCAUSE Policy Library for samples of other formats
Establish a format to be used for all your IT policies
2) Writing the Policy
The University of Kansas
Information Services Policy and Procedures Template
Policy Name:
Policy Purpose:
Scope:
Responsible Office:
Approval: Provost and Executive Vice Chancellor
Approved: date
Effective:
Review Cycle:
General Policy Provisions
Responsibilities of Information Services
Responsibilities of University Departments
Consequences/Sanctions
2) Writing the Policy
Subject
Source (what office produced it)
Policy Number
Date Issued
Rationale
Policy
Applicability
Definitions
Procedure Reference
Responsible Organization
2) Writing the Policy
Use simple, exact text
Remember everyone needs to be able to understand what it says
Not florid and fancy
Does “should” mean they have to?
If technical terms must be used, define them
Check to see if your campus has a Style Manual
3) Approving the Policy
Solicit comment for drafts throughout the writing process from:
the approving officers
senior administrative levels
the identified stakeholders
Solicit and allow for user feedback
Consider a “Request for Comment” period
3) Approving the Policy
Secure approvals for final version from all stakeholders and approving bodies
4) Distributing the Policy
Create a policy website
Ease of access
Web-based directories
Allow for searches
Codify policies in an easy to understand format
Ensure any central policy web site at your institution has a link to your IT policy site
Include contact information for asking questions
4) Distributing the Policy
Establish a regular communication channel for announcing new and revised policies
E-mail distribution lists
Institutional publications
Faculty
Staff
Students
IT publications, online user support documents
Direct mailings
5) Educating the Community
Try to get on Orientation agendas for new faculty, staff, and students
Speaker
Handouts
Video
Signed user agreements
Use your IT influence!
“I agree” statements to click through when obtaining accounts, registering to the network, etc.
Direct mailing
5) Educating the Community
Educational postcards, posters, etc.
Have a traveling road show!
Policy person attend departmental and faculty meetings to talk about policies
Hold policy brown bags
Sponsor a “Policies Day”
6) Enforcing the Policy
Are there liability concerns in creating unenforceable policies?
Standard of care/negligence
Do you have adequate staff to support enforcement?
Is information distributed to educate users on consequences of non-compliance?
6) Enforcing the Policy
Typical way to enforce is to respond to complaints
Create a policy enforcement office, if possible, or at least identify one person who will coordinate
Establish relationships with disciplinary authorities (Dean of Students for students; Human Resources for staff; Dean of Faculties for faculty)
Establish relationships with Legal Counsel, auditing, University police, local prosecutors
Publicize procedures for reporting, especially within IT support units
6) Enforcing the Policy
Focus on gathering evidence:
If there is no evidence, there is nothing to pursue
If technology is not the root problem, pass it off…
Determine which types of infractions:
can receive a warning from your office
are sent to disciplinary official
require law enforcement involvement
Ensure records are kept confidential
7) Reviewing the Policy
Assign an owner for each policy, or assign one person to maintain them all
Develop a timeline for regular review
Encourage feedback
Don’t forget IT support personnel
Archive changes, date new releases
Measure outcomes by monitoring or testing
EDUCAUSE Policy Library Demo http://www.educause.edu/resources
University of Kansas http://www.vpinfo.ku.edu/Policy_Library/
University of Minnesota http://www.fpd.finop.umn.edu/
Identify your peers at other institutions
Attend EDUCAUSE/Cornell Institute for Computer, Policy and Law
Join ACUPA, ICPL listservs
Ask many questions!
Benefit from others’ expertise!
Amy Ginther: aginther at umd.edu, (301) 405-2619
Merri Beth Lavagnino: mbl at iu.edu, (317) 274-3739
Jenny Mehmedovic: jmehmedo at ku.edu, (785) 864-4999
© Copyright 2004 Amy Ginther, Merri Beth Lavagnino, Jenny Mehmedovic. Permission to make and distribute verbatim copies is granted for non-profit, educational purposes provided this copyright and permission notice is preserved on all copies.
EDUCAUSE Pre-Conference Seminar 05P, October 19, 2004
Amy Ginther, Coordinator of Policy Development and Education, University of Maryland
Merri Beth Lavagnino, Deputy IT Policy Officer, Indiana University
Jenny Mehmedovic, Coordinator of IT Policy & Planning, University of Kansas
Check-In and Logistics
I. Introduction
II. Review of Sample IT Policies
III. Review of Policy Tools
IV. Policy Writing Exercise
V. Conclusion
Lead all through one example of planning for and drafting a policy
We’ll make up a lot of assumptions in order to do this!
Participants will plan for and draft at least one local policy
You may do as many as you have time for
You will have feedback from others on at least one of them
Review
Identify what issue each of us will start work on today
Policy Process Planning Template
Policy Writing Template
Your institution’s Style Guide, or your choice of commercial style guide (such as Chicago Manual of Style, APA, Strunk’s, etc.)
Samples of the type of policy you are writing, from other institutions
Is this a University-wide or a departmental policy?
Who needs to approve the policy?
Who are the stakeholders?
What are some scenarios needing a resolution that could use this policy?
What are the values of the institution in relation to these scenarios? (institutional culture)
What are the risks of not having a policy about this?
Is it an IT policy or somebody else’s policy that’s just related to IT?
Is there a difference between student, faculty, staff for this policy?
More leading questions in your packet
Be imaginative at this stage – you won’t know all the answers but you can make something up which can be tweaked later. The key is to START!
Don’t get caught up on one section or issue. If you find you’ve spent more than ten minutes on something without a result, mark it for feedback and move on.