Procedure for Developing IT Security Policies

Version 1.3

For Students, Faculty, Staff, Guests, Alumni

Purpose

This document is the procedure used when developing an IT Security Policy at Fordham University.

Scope

This IT Security document and all policies referenced herein shall apply to all members of the University community, including faculty, students, administrators, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.

Procedure Statement

Initial Policy Development

A director (or higher) who wishes to develop a policy contacts the Senior Director of IT Security and Assurance (herein Director) to request a policy.
The requestor may create a policy draft and send it to the Director or summarize what they are trying to accomplish.
The Director has an analyst draft a policy for review.
The Director shares an initial draft if provided, with the analyst for edits.
The Director sends the requestor a draft developed by the analyst to confirm the drafted policy captures the essence of what is required by the policy.
The Director, working with the requestor, identifies areas impacted by the policy within IT.
The Director coordinates with the directors of the impacted areas and with the requestor to gather feedback on the proposed policy and incorporate changes, provided the changes do not undermine the requirements of the policy.
Once all feedback (e.g., requestor, business partners, departments) is incorporated, the Director has the analyst issue the final draft. This final draft includes the author and review frequency.
The analyst sends the draft to the AVP/CISO for review.
The AVP/CISO shares the draft with the CIO for review prior to sharing with the S-Team for feedback. If there are edits, the analyst incorporates them and sends them back for review.
If the policy requires Legal Counsel approval, the Director sends the draft to the Office of Legal Counsel for their approval. If there are edits, the analyst incorporates them and sends them back for review.
Once the updated policy is approved, the analyst publishes the latest version of the policy to the IT Security Policy Library on the University's website.

Policy Review

One month before policy expiration, the analyst sends a notification via email informing the responsible parties that the policy needs to be reviewed.
If the responsible parties deem no changes are required, they will respond in writing that no changes are necessary, and the Director or analyst will note that no further action is required.
The analyst notes the policy was reviewed in the revision history section.
In the absence of a responsible party, the Director identifies the appropriate person to review the policy.
In the absence of the Director, the AVP/CISO identifies the appropriate person to review the policy.
If the policy requires revision, it must follow the Policy Revision section's steps below.

Policy Revision

The responsible parties who wish to modify their policy contacts the Director to request the latest version of their policy.
The requestor may modify their policy and send it to the Director or summarize what they are trying to accomplish and have the analyst draft an update for review.
The Director shares an updated draft with the analyst for edits if provided.
The Director sends the requestor updates to confirm the policy has captured the essence of what is being modified.
The Director, working with the requestor, identifies areas impacted by the policy within IT based on the changes made.
The analyst calls a meeting with the directors of the impacted areas and with the requestor to gather feedback on the proposed policy and incorporate changes, provided the changes do not undermine the requirements of the policy.
Once all feedback is incorporated, the Director has the analyst issue the final draft.
Depending on the significance of changes made to the policy, the draft is sent to the AVP/CISO for review or approval.
If the revision to the policy is not approved, the Director works with the requestor to resolve issues and gain approval.
The AVP/CISO may share the draft with the CIO for review prior to sharing with the S-Team for feedback. If there are edits, the analyst incorporates them and sends them back for review.
If the policy requires Legal Counsel approval, the analyst sends the draft to the Office of Legal Counsel for their approval.
Once the updated policy is approved, the analyst publishes the latest version of the policy to the IT Security Policy Library on the University's website.

Service Level

Because of the nature of the development of policies and the coordination of impacted areas, it should be expected that initial policy development and policy revisions may take 30 business days from start to finish. The policy review occurs one calendar month before policy expiration. If a modification to a policy is required, the policy revision begins at the time the Director is notified of the fact that changes are to be made, not at the time the policy review commenced.

Definitions

IT Resources include computing, networking, communications, application, telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and any related materials and services.

Related Policies and Procedures

Implementation Information

Review Frequency:	Triennial
Responsible Person:	Senior Director of IT Security and Assurance
Approved By:	CISO
Approval Date:	August 29, 2016

Revision History

Version	Date	Description
1.0	08/29/2016	Initial document
1.0.1	08/14/2019	Updated procedure statement
1.2	03/05/2021	Update purpose, scope, definitions, and procedure statement
1.3	03/20/2024	Updated procedure statement