
Procedure on Developing IT Procedures

Version 1.0.2

Purpose

This document outlines the procedure used when developing an IT Procedure.

Scope

This IT document, and all policies referenced herein, shall apply to all members of the University community including faculty, students, administrative officials, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.

Procedure Statement

 Initial Procedure Development

  1. A Director (or above) who wishes to develop a procedure reaches out to the Director of IT Risk and Data Integrity to request the latest procedure template.
  2. The requestor will define their procedure draft and send it to the Director of IT Risk and Data Integrity. The requestor will summarize what they are trying to accomplish, and the Director of IT Risk and Data Integrity will have the Policy Analyst draft a procedure for review.
  3. The Director of IT Risk and Data Integrity would send an initial draft to the Policy Analyst for fine-tuning if someone else wrote the procedure.
  4. The Director of IT Risk and Data Integrity will send the requestor a draft developed by the Policy Analyst.
  5. The requestor should confirm if the draft captured the essence of what is required by the procedure and the referencing policy.
  6. The Director of IT Risk and Data Integrity, working with the requestor, will identify areas impacted by the procedure within IT.
  7. The Director of IT Risk and Data Integrity will call a meeting with the Directors of the impacted areas and the requestor to gather feedback on the proposed procedure and incorporate changes (provided the changes do not undermine the requirements of the procedure and the referencing policy).
  8. Once all feedback is incorporated, the Director of IT Risk and Data Integrity will have the Policy Analyst issue the final draft. This final draft will include the author and review frequency.
  9. The Director of IT Risk and Data Integrity will send the draft to the AVP/CISO for approval.
  10. If the procedure requires Legal Counsel approval, the Director of IT Risk and Data Integrity will send the draft to the Office of Legal Counsel for their approval.
  11. If the procedure is not approved, the Director of IT Risk and Data Integrity will work with the requestor to resolve issues to gain approval.
  12. Once the procedure is approved, the Director of IT Risk and Data Integrity will publish the procedure to the IT Policy Library on the University’s website.

Procedure Review

  1. One month before the referring policy’s expiration, the Director of IT Risk and Data Integrity will send a notification via e-mail to the responsible person that the policy and supporting procedures are to be reviewed.
  2. If the responsible person feels no changes are required, they will respond in writing that no modifications are necessary, the Director of IT Risk and Data Integrity will note that, and no further action is required.
  3. In the absence of the responsible person, the Director of IT Risk and Data Integrity will identify the appropriate person to review the procedure.
  4. In the absence of the Director of IT Risk and Data Integrity, the AVP/CISO will identify the appropriate person to review the procedure.
  5. If the procedure requires revision, it will need to follow the steps in the Procedure Revision section defined below.

Procedure Revision

  1. The responsible person who wishes to modify their procedure reaches out to the Director of IT Risk and Data Integrity to request the latest version of their procedure.
  2. The requestor will modify their procedure and send it to the Director of IT Risk and Data Integrity, or will summarize what they are trying to accomplish, and the Director of IT Risk and Data Integrity will have the Policy Analyst draft an update for review.
  3. The Director of IT Risk and Data Integrity would send the updated procedure to the Policy Analyst for fine-tuning if someone else wrote the procedure.
  4. The Director of IT Risk and Data Integrity will send the requestor a draft developed by the Policy Analyst so that the requestor can confirm the procedure has captured the essence of what is required by the procedure and the referencing policy.
  5. The Director of IT Risk and Data Integrity, working with the requestor, will identify areas impacted by the procedure within IT based upon the changes made.
  6. The Director of IT Risk and Data Integrity will call a meeting with the Directors of the impacted areas as well as with the requestor to gather feedback on the proposed procedure and incorporate changes, provided the changes do not undermine the requirements of the procedure and the referencing policy.
  7. Once all feedback is incorporated, the Director of IT Risk and Data Integrity will have the Policy Analyst issue the final draft. This final draft will include the author and review frequency.
  8. If the Director of IT Risk and Data Integrity determines that the changes to the procedure are minor and do not impact the referring policy, the Director of IT Risk and Data Integrity will approve the changes, and no further approvals will be necessary.
  9. If the changes to the procedure are significant, impact the supporting policy, or the responsible person for the procedure is the Director of IT Risk and Data Integrity, the Director of IT Risk and Data Integrity will send the draft to the AVP/CISO for approval.
  10. If the procedure requires Legal Counsel approval, the Director of IT Risk and Data Integrity will send the draft to the Office of Legal Counsel for their approval.
  11. If the procedure is not approved, the Director of IT Risk and Data Integrity will work with the requestor to resolve issues to gain approval.
  12. Once the updated policy is approved, the Director of IT Risk and Data Integrity will update the procedure on the IT Policy Library on the University’s website.

Service Level

Given the nature of the development of procedures and the coordination of impacted areas, it should be expected that Initial Procedure Development and Procedure Revision will take 30 business days from start to finish. Procedure Review occurs one calendar month before procedure expiration. If a modification to a procedure is required, the Procedure Revision procedure begins at the time the Director of IT Risk and Data Integrity is notified that changes are to occur, not at the time the Procedure Review procedure commenced. Initial Procedure Development or Procedure Revision may run in conjunction with the corresponding policy modifications.

Definitions

IT Resources include computing, networking, communications, application, and telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and any related materials and services.

Related Policies and Procedures

IT Policy on Policies

Implementation Information

Review Frequency: Annual
Responsible Person: Director, IT Risk and Data Integrity
Approved By: CISO (minor revision approved by Director, IT Risk and Data Integrity)
Approval Date: August 29, 2016

Revision History

Version   Date         Description
1.0       08/29/2016   Initial document
1.1       08/30/2017   Updated policy statement
1.0.2     05/23/2019   Updated scope

Policy Disclaimer Statement

Deviations from policies, procedures, or guidelines published and approved by the University Information Security Office (UISO) may only be done cooperatively between the UISO and the requesting entity with sufficient time to allow for appropriate risk analysis, documentation, and possible presentation to authorized University representatives. Willful failure to adhere to UISO written policies may be met with University sanctions.