Skip to main content

IT Procedure on Developing Procedures

Version 1.2


This document is the procedure used when developing an IT Procedure that compliments related policies at Fordham University.


This IT document, and all policies referenced herein, shall apply to all members of the University community, including faculty, students, administrative officials, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.

Procedure Statement

Initial Procedure Development 

  1. A director (or above) who wishes to develop a procedure reaches out to the Director of IT Risk and Data Integrity (herein Director) to request a procedure. 
  2. The requestor may create a procedure draft and send it to the Director or summarize what they are trying to accomplish.  
  3. The Director has the Policy Analyst draft a procedure for review. 
  4. The Director shares an initial draft, if provided, with Policy Analyst for edits. 
  5. The Director sends the requestor a draft developed by the Policy Analyst to confirm the drafted procedure captures the essence of what is required by the procedure. 
  6. The Director, working with the requestor, identifies areas impacted by the procedure within IT. 
  7. The Director coordinates with the directors of the impacted areas and with the requestor to gather feedback on the proposed procedure and incorporate changes, provided the changes do not undermine the requirements of the procedure. 
  8. Once all feedback (e.g., requestor, business partners, departments) is incorporated, the Director has the Policy Analyst issue the final draft. This final draft includes the author and review frequency. 
  9. The Policy Analyst sends the draft to the AVP/CISO for approval. 
  10. If the procedure is not approved, the Director works with the requestor to resolve issues to gain approval. 
  11. When the procedure is approved, the Policy Analyst publishes the procedure to the IT Policy Library on the University’s website. 

Procedure Review 

  1. One month before procedure expiration, the Policy Analyst sends a notification via email to the responsible person that the procedure needs to be reviewed. 
  2. If the responsible person feels no changes are required, they will respond in writing that no changes are necessary, and Director will note that no further action is required. 
  3. The Policy Analyst notes the procedure was reviewed in the revision history section.  
  4. In the absence of a responsible person, the Director identifies the appropriate person to review the procedure. 
  5. In the Director's absence, the AVP/CISO identifies the appropriate person to review the procedure. 
  6. If the procedure requires revision, it will need to follow the Procedure Revision section's steps below. 

Procedure Revision 

  1. The responsible person who wishes to modify their procedure reaches out to the Director to request the latest version of their procedure. 
  2. The requestor may modify their procedure and send it to the Director or summarize what they are trying to accomplish and have the Policy Analyst draft an update for review. 
  3. The Director shares an updated draft, if provided, with Policy Analyst for edits. 
  4. The Director sends the requestor draft of the Policy Analyst's updates to confirm the procedure has captured the essence of what is being modified. 
  5. The Director, working with the requestor, identifies areas impacted by the procedure within IT based upon the changes made. 
  6. The Director calls a meeting with the directors of the impacted areas and with the requestor to gather feedback on the proposed procedure and incorporate changes, provided the changes do not undermine the requirements of the procedure. 
  7. Once all feedback is incorporated, the Director has the Policy Analyst issue the final draft.  
  8. The Director sends the draft to the AVP/CISO for approval. 
  9. If the procedure is not approved, the Director works with the requestor to resolve issues to gain approval. 
  10. Once the updated procedure is approved, the Policy Analyst publishes the latest version of the procedure to the IT Policy Library on the University’s website. 

Service Level

Because of the nature of the development of policies and the coordination of impacted areas, it should be expected that initial procedure development and procedure revisions may take 30 business days from start to finish. The procedure review occurs one calendar month before procedure expiration. If a modification to a procedure is required, the start of the procedure revision begins at the time the Director is notified of the fact that changes are to be made, not at the time the procedure review commenced.


IT Resources include computing, networking, communications, application, telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and any related materials and services.

Related Policies and Procedures

Implementation Information

Review Frequency: Triennial
Responsible Person: Director, IT Risk and Data Integrity
Approved By: CISO (minor revision approved by Director, IT Risk, and Data Integrity)
Approval Date: August 29, 2016

Revision History

Version: Date: Description:
1.0 08/29/2016 Initial document
1.1 08/30/2017 Updated procedure statement
1.0.2 05/23/2019 Updated scope
1.2 03/05/2021 Updated purpose and statement