IT Procedure on Developing Policy

Version 1.2

Purpose

This document is the procedure used when developing an IT Policy at Fordham University.  

Scope

This IT document, and all policies referenced herein, shall apply to all members of the University community, including faculty, students, administrative officials, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked. 

Procedure Statement

Initial Policy Development 

  1. A director (or above) who wishes to develop a policy reaches out to the Director of IT Risk and Data Integrity (herein Director) to request a policy. 
  2. The requestor may create a policy draft and send it to the Director or summarize what they are trying to accomplish.  
  3. The Director has the Policy Analyst draft a policy for review. 
  4. The Director shares an initial draft, if provided, with the Policy Analyst for edits. 
  5. The Director sends the requestor a draft developed by the Policy Analyst to confirm the drafted policy captures the essence of what is required by the policy. 
  6. The Director, working with the requestor, identifies areas impacted by the policy within IT. 
  7. The Director coordinates with the directors of the impacted areas and with the requestor to gather feedback on the proposed policy and incorporate changes, provided the changes do not undermine the requirements of the policy. 
  8. Once all feedback (e.g., requestor, business partners, departments) is incorporated, the Director has the Policy Analyst issue the final draft. This final draft includes the author and review frequency. 
  9. The Policy Analyst sends the draft to the AVP/CISO for approval. 
  10. If the policy requires Legal Counsel approval, the Director sends the draft to the Office of Legal Counsel for their approval. 
  11. If the policy is not approved, the Director works with the requestor to resolve issues to gain approval. 
  12. When the policy is approved, the Policy Analyst publishes the policy to the IT Policy Library on the University’s website. 

Policy Review 

  1. One month before policy expiration, the Policy Analyst sends a notification via email to the responsible person that the policy needs to be reviewed. 
  2. If the responsible person feels no changes are required, they will respond in writing that no changes are necessary, and the Director will note that no further action is required. 
  3. The Policy Analyst notes the policy was reviewed in the revision history section.  
  4. In the absence of a responsible person, the Director identifies the appropriate person to review the policy. 
  5. In the absence of the Director, the AVP/CISO identifies the appropriate person to review the policy. 
  6. If the policy requires revision, it must follow the steps in the Policy Revision section below. 

Policy Revision 

  1. The responsible person who wishes to modify their policy reaches out to the Director to request the latest version of their policy. 
  2. The requestor may modify their policy and send it to the Director or summarize what they are trying to accomplish and have the Policy Analyst draft an update for review. 
  3. The Director shares an updated draft, if provided, with the Policy Analyst for edits. 
  4. The Director sends the requestor a draft of the Policy Analyst's updates to confirm the policy has captured the essence of what is being modified. 
  5. The Director, working with the requestor, identifies areas impacted by the policy within IT based upon the changes made. 
  6. The Director calls a meeting with the directors of the impacted areas and with the requestor to gather feedback on the proposed policy and incorporate changes, provided the changes do not undermine the requirements of the policy. 
  7. Once all feedback is incorporated, the Director has the Policy Analyst issue the final draft.
  8. The Director sends the draft to the AVP/CISO for approval. 
  9. If the policy requires Legal Counsel approval, the Director sends the draft to the Office of Legal Counsel for their approval. 
  10. If the policy is not approved, the Director works with the requestor to resolve issues to gain approval. 
  11. Once the updated policy is approved, the Policy Analyst publishes the latest version of the policy to the IT Policy Library on the University’s website. 

Service Level

Because of the nature of the development of policies and the coordination of impacted areas, it should be expected that initial policy development and policy revisions may take 30 business days from start to finish. The policy review occurs one calendar month before policy expiration. If a modification to a policy is required, the policy revision begins when the Director is notified that changes are to be made, not when the policy review commenced. 

Definitions

IT Resources include computing, networking, communications, application, telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and any related materials and services. 

Related Policies and Procedures

Implementation Information

Review Frequency: Triennial
Responsible Person: Director, IT Risk and Data Integrity
Approved By: CISO (minor revision approved by Director, IT Risk and Data Integrity)
Approval Date: August 29, 2016

Revision History

Version   Date         Description
1.0       08/29/2016   Initial document
1.0.1     08/14/2019   Updated procedure statement
1.2       03/05/2021   Update purpose, scope, definitions, and procedure statement