
IT Procedure on Developing Policy

Version 1.0.1

Purpose

This document outlines the procedure used when developing an IT Policy.

Scope

This procedure applies to individuals looking to issue a policy that directly affects Fordham University’s protection of data and information.

Procedure Statement

Initial Policy Development

  1. A Director (or above) who wishes to develop a policy reaches out to the Director of IT Risk and Data Integrity to request the latest policy template.
  2. The requestor will define their policy draft and send it to the Director of IT Risk and Data Integrity, or will summarize what they are trying to accomplish, and the Director of IT Risk and Data Integrity will have the Policy Analyst draft a policy.
  3. The Director of IT Risk and Data Integrity sends an initial draft to the Policy Analyst for fine-tuning if someone else wrote the policy.
  4. The Director of IT Risk and Data Integrity sends the requestor a draft developed by the Policy Analyst to confirm the policy has captured the essence of what is required by the policy.
  5. The Director of IT Risk and Data Integrity, working with the requestor, will identify areas impacted by the policy within IT.
  6. The Director of IT Risk and Data Integrity will call a meeting with the Directors of the impacted areas as well as with the requestor to gather feedback on the proposed policy and incorporate changes, provided the changes do not undermine the requirements of the policy.
  7. Once all feedback is incorporated, the Director of IT Risk and Data Integrity will have the Policy Analyst issue the final draft. This final draft will include the author and review frequency.
  8. The Director of IT Risk and Data Integrity will send the draft to the AVP/CISO for approval.
  9. If the policy requires Legal Counsel approval, the Director of IT Risk and Data Integrity will send the draft to the Office of Legal Counsel for their approval.
  10. If the policy is not approved, the Director of IT Risk and Data Integrity will work with the requestor to resolve issues to gain approval.
  11. Once the policy is approved, the Director of IT Risk and Data Integrity will publish the policy to the IT Policy Library on the University’s website.

Policy Review

  1. One month before policy expiration, the Director of IT Risk and Data Integrity will send a notification via e-mail to the responsible person that the policy is to be reviewed.
  2. If the responsible person feels no changes are required, they will respond in writing that no modifications are needed. The Director of IT Risk and Data Integrity will note that, and no further action will be required.
  3. In the absence of the responsible person, the Director of IT Risk and Data Integrity will identify the appropriate person to review the policy.
  4. In the absence of the Director of IT Risk and Data Integrity, the AVP/CISO will identify the appropriate person to review the policy.
  5. If the policy requires revision, it will need to follow the steps in the Policy Revision section defined below.

Policy Revision

  1. The responsible person who wishes to modify their policy reaches out to the Director of IT Risk and Data Integrity to request the latest version of their policy.
  2. The requestor will modify their policy and send it to the Director of IT Risk and Data Integrity, or will summarize what they are trying to accomplish, and the Director of IT Risk and Data Integrity will have the Policy Analyst draft an update for review.
  3. The Director of IT Risk and Data Integrity will send the updated policy to the Policy Analyst for fine-tuning if someone else wrote the policy.
  4. The Director of IT Risk and Data Integrity will send the requestor a draft developed by the Policy Analyst to confirm the policy has captured the essence of what is being modified.
  5. The Director of IT Risk and Data Integrity, working with the requestor, will identify areas impacted by the policy within IT based upon the changes made.
  6. The Director of IT Risk and Data Integrity will call a meeting with the Directors of the impacted areas as well as with the requestor to gather feedback on the proposed policy and incorporate changes, provided the changes do not undermine the requirements of the policy.
  7. Once all feedback is incorporated, the Director of IT Risk and Data Integrity will have the Policy Analyst issue the final draft. This final draft will include the author and review frequency.
  8. The Director of IT Risk and Data Integrity will send the draft to the AVP/CISO for approval.
  9. If the policy requires Legal Counsel approval, the Director of IT Risk and Data Integrity will send the draft to the Office of Legal Counsel for their approval.
  10. If the policy is not approved, the Director of IT Risk and Data Integrity will work with the requestor to resolve issues to gain approval.
  11. Once the updated policy is approved, the Director of IT Risk and Data Integrity will publish the policy to the IT Policy Library on the University’s website.

Service Level

Because of the nature of policy development and the coordination required with impacted areas, it should be expected that Initial Policy Development and Policy Revision will take 30 business days from start to finish. Policy Review occurs one calendar month before policy expiration. If a modification to the policy is required, the Policy Revision procedure begins at the time the Director of IT Risk and Data Integrity is notified that changes are to occur, not at the time the Policy Review procedure commenced.

Related Policies and Procedures

Policy on Developing IT Policies

Implementation Information

Review Frequency: Annual
Responsible Person: Director, IT Risk and Data Integrity
Approved By: CISO (minor revision approved by Director, IT Risk and Data Integrity)
Approval Date: August 29, 2016

Revision History

Version  Date        Description
1.0      08/29/2016  Initial document
1.0.1    08/14/2019  Updated procedure statement