Framework for IT policy development and management | VPIT CIO Office (2023)

Edition: November 2011
Approved by Executive Officer: September 2011
Latest revision: February 2021


  • Authorization scope
  • Fundamental
  • Principles
  • Roles and responsibilities
  • Administration and approval of IT policies
  • Stakeholder involvement
  • IT policy structure and standards
  • Methods and publications
  • IT policy lifecycle process
  • Appendix 1: Definition of IT policy structure
  • Appendix 2: IT policy standards decision tree

Authorization scope

Responsibility for university-wide IT policy lies with Information Assurance (IA). This includes:

  • Coordinating the development, dissemination and education of IT policies and standards
  • Reviewing and analyzing existing policies for continued applicability and effectiveness
  • Interpreting current policies as they relate to specific issues, situations and events

The IT policy framework spans all campuses, including UM-Dearborn, UM-Flint, and Michigan Medicine; policies and guidelines at the departmental level are outside its scope. The framework starts from the premise that a policy, where necessary, applies to all members of the university community. University IT policy applies to all users of U-M IT resources, including students, faculty, staff, and sponsored or guest users.


Information technology policy articulates the University's vision, strategy, and principles regarding the management and use of information and IT resources, while supporting its key academic, research, and teaching missions. In addition, IT policies ensure compliance with applicable laws and regulations, improve operational efficiency, and manage institutional risk by specifying requirements and standards for the consistent management of IT resources across the university. This university-wide IT policy framework establishes:

  • Structures and standards for what is classified as an IT policy, guideline or standard
  • The process for initiating, reviewing, approving and retiring IT policies
  • Ongoing roles and responsibilities related to IT policy development and maintenance

Principles

IT policy structures and processes reflect the following principles:

  • Policy work should be initiated when new or revised policies are clearly needed. Triggers can be new technologies, new laws or regulations, or operational or compliance needs that are not well covered by existing policies or guidelines.
  • Policies and guidelines must be credible, workable, enforceable and sustainable. An impact analysis covering IT systems and end users should be part of the policy planning and evaluation process.
  • Any unit may request consideration of new IT policies or changes to existing university-wide policies; this IT policy development and governance framework outlines the process to follow for such requests.
  • IT policy development will take place through working groups convened to address specific topics. Each working group will include the appropriate subject matter experts. IA will provide a central coordination function to ensure consistency and address policy dependencies.
  • The policy development process will be transparent. Stakeholder input will be addressed and/or incorporated throughout the process. Preliminary and interim policies and guidance will be issued and distributed for feedback.
  • The policy development process will be flexible. In some cases, best practices may be published as a stopgap to provide immediate guidance while a policy is developed, reviewed and approved. In other cases, a policy may be developed first, with detailed guidelines following at a later date.
  • University-wide policy should be seen as a floor, not a ceiling. Unit-level policies, guidelines, standards, or procedures may be developed to supplement university-wide guidance. They must meet the minimum standards set out in university-wide policies and related guidelines, but they can be more stringent.

Roles and responsibilities

The roles and responsibilities defined below represent the positions or groups of employees most directly involved in the development of IT policy.

Vice President and Chief Information Officer (VP-CIO): The Vice President and Chief Information Officer has overall responsibility for IT policies and policy development at the University of Michigan and approves new and revised standards and guidelines based on the advice of the Chief Information Security Officer.

Chief Information Security Officer (CISO): The CISO works with the Deputy Director of Privacy and IT Policy to ensure that the IT policy program is aligned with the goals and priorities of the Office of the CIO and the University of Michigan. The CISO also acts as a liaison between the IA staff who manage the IT policy function and the Vice President and CIO and the IT Board.

IT Policy and Compliance Staff: The IT policy and compliance staff provide overall direction to the IT policy function, including responsibility for identifying and prioritizing policy needs, ensuring appropriate campus involvement in policy development, and conducting research and benchmarking for emerging policy development.

The Deputy Director for Privacy and IT Policy provides day-to-day support to the policy development function, sits ex officio on policy development working groups, and plans and conducts policy education and awareness efforts. In particular, this includes managing the annual review and analysis of existing policies, standards and guidelines to ensure continued applicability and effectiveness, and interpreting current policies in response to unit/department inquiries or specific events.

Administration and approval of IT policies

The IT governance structure established in 2010 sets campus-wide priorities for IT services, resources and facilities.

The IT policy function is hosted by the Office of the Vice President and Chief Information Officer, with Information Assurance responsible for policy development, coordination, training and maintenance.

The following identifies the different levels of governance control, approval and review for policies, standards and guidelines (originally established by the IT Policy Development Working Group):

  1. Chief Information Security Officer: Initial review of policies, guidelines and standards.
  2. Vice President and Chief Information Officer: First-level administrative review of IT policies; final approval of guidelines and standards prior to adoption and distribution to campus. The VP-CIO is the Sponsoring Executive responsible for submitting proposed and revised SPGs to the IT Executive Committee for final approval.
  3. Committee on Information Technology: Secondary governance review of IT policies; new or substantially revised policies require the concurrence of the Committee on Information Technology.
  4. Information Technology Executive Committee: Final-level governance review of IT policies; policies recommended for adoption as new or revised Standard Practice Guides require the approval of the IT Executive Committee.

Stakeholder involvement

Campus stakeholders will be involved in the IT policy development process, both individually and collectively, to ensure that all appropriate perspectives are considered and, to the extent possible, incorporated into the final versions of new or revised policies, standards and guidelines. IA maintains a list of potential stakeholders to be involved in the different phases of the IT policy lifecycle process.

During the planning and initiation phase of a particular policy, standard or guideline, specific individuals and groups are identified. Membership of the policy development working group will vary depending on the main content of the policy being developed. The Head of IT Policy and Compliance will serve ex officio and provide staff support to all working groups. In general, any faculty member may submit comments on draft and interim policies, standards, and guidelines on the IT Policy website. Specific stakeholders may be identified and solicited for comment and review of draft documents, while other stakeholders may only need to be notified by category.

Students, student groups, and student governments will have the opportunity to provide comments and feedback on draft policies, standards, and guidelines that relate to changes to the Student Code of Conduct or that may affect student availability or access to IT resources.

IT policy structure and standards

Categories of university-wide guidance (see Appendix 1 for more information about these categories):

  • University IT Policies formulate the university's values, principles, strategies and positions on a wide variety of IT topics. They are intended to guide the behavior and decision-making of organizations and individuals. They are concise, high-level and technology-independent. University IT policy is mandatory. All new or substantially revised policies, once approved by the IT Executive Committee, will be submitted to University Audits for inclusion in the online Standard Practice Guide.
    Example: Information Security Policy (SPG 601.27)
  • University IT Standards specify requirements for complying with university IT policy, other university policies, and applicable laws and regulations. Standards can contain technical specifications. Standards are mandatory.
    Example: Third-Party Vendor Security and Compliance (DS-20)
  • University IT Guidelines provide guidance and best practices related to specific IT topics. They may guide, explain or interpret IT policies, other university policies or applicable laws and regulations. University IT guidelines are not mandatory.
    Example: Electronic Discovery at University of Michigan (DM-08)
  • University IT Procedures document the "how" of performing a specific IT task or using an IT service. These procedures may be localized to reflect specific unit practices or requirements.

Methods and publications

The IT policy framework will create processes and structures that are consistent with the University's Standard Practice Guide (SPG), in particular the University policy development procedures published on the SPG website, as they apply to information and information technology policies. The SPG website maintains a section within its policy categories that contains all current information technology policies. All anticipated new IT policies, as well as existing IT policies under formal review, will be posted in the Policies Under Review section. Policies, standards and guidelines under review, and those finally adopted, will be widely disseminated using a variety of communication methods and tools.

While there is a need for a flexible policy/guidance structure to keep pace with technological innovation, the simplification of the process will be balanced against concerns about legal risk and assurance of collaboration with stakeholders. Ultimately, the policy framework will result in a process that ensures proper scoping, joint development and structured review and approval.


IT policy lifecycle process

The IT policy lifecycle process is based on policy development processes published by various universities and on guidelines published by the Association of College and University Policy Administrators (ACUPA). It applies to university-level guidance, including policies, standards, and guidelines. Standards and guidelines require fewer approvals than policies, which are submitted for approval to be added to the SPG.

  1. Identify, plan and initiate
    1. Identify the need for new or updated policies/guidance. Drivers can be new legal requirements, technological developments, operational needs and identification of current problems or gaps. Requests can come from any unit, central office or IA.
    2. Determine whether the need should be met through a policy, guideline, or standard (see Appendix 2: IT policy standards decision tree).
    3. Identify sponsors, stakeholders, workgroup members and their associated roles.
    4. Develop a high-level implementation impact analysis.
    5. Obtain approval to develop a draft policy (or guideline, standard).
    6. Prioritize the policy work.
  2. Development, review and approval
    1. Prepare a preliminary draft of the policy (guideline, standard).
    2. Distribute to a small group of stakeholders for initial review and input.
    3. Incorporate initial feedback.
    4. Distribute to other stakeholders for review and input.
    5. Publish the final draft on the IT policy website for general feedback.
    6. Review and incorporate feedback as appropriate.
    7. Submit for approval to the appropriate governing body.
    8. Approved.
  3. Roll out
    1. Publish and announce the guidance (policy, standard, guideline).
    2. Conduct educational activities.
    3. Initiate implementation activities (some new policies may require efforts to develop/update standards and guidelines).
    4. Identify ongoing assessment cycles.
  4. Compliance, assessment and maintenance
    1. Monitor compliance with, and effectiveness of, the implemented guidance.
    2. Review and implement revisions every review cycle (the last revision and review date must be listed on each policy). IA, as the policy owner, will usually be responsible for the bulk of the policy review.
  5. Retire policy
    1. Policies, standards and/or guidelines may be identified as obsolete or no longer required as part of the maintenance and review process. They are retired through the same process that approved them.

Appendix 1: Definition of IT policy structure

Each category is described by its goal, applicability, approval authority, communication method, frequency of review, and additional features and considerations.

University IT Policy
  Goal:
  • Wide application across the university
  • Formulate the university's values, principles, strategies and positions
  • Guide institutional decision-making and individual behavior
  • Support and strengthen the university's mission
  • Clarify requirements and exceptions
  • Explain and help comply with laws and regulations
  • Assist in managing institutional risk
  • Help improve operational efficiency
  Applicability:
  • University-wide, all campuses
  • Generally applicable to all users of university resources (students may have separate policies/codes of conduct)
  Approval authority: One or more university executives (Provost, Executive Vice President/CFO, EVPMA, Vice President and Chief Information Officer)
  Communication method:
  • Officially released as SPG
  • Web version posted on the IT Policy website
  Frequency of review: Revision every 5 years
  Additional features and considerations:
  • Mandatory
  • Independent of specific technology
  • Short, concise, clear
  • Must be credible, implementable and enforceable
  • Consequences for non-compliance are usually given
  • Responsibilities need to be clarified
  • Include definitions of terms (consistent across policies)
  • Template (link pending)

University IT Standards
  Goal:
  • Can guide, explain or specify requirements for implementing IT policies or other policies
  • For compliance or risk mitigation
  • Can interpret laws and regulations (for example, acceptable encryption methods can be specified for HIPAA compliance)
  • Can specify rules for using specific IT services
  Applicability: University-wide, all campuses (for a specific subject)
  Approval authority: IT process owner for a specific subject, or IT service provider
  Communication method: Web version posted on the IT Policy website
  Frequency of review: Revision every 2 years
  Additional features and considerations:
  • Mandatory
  • May depend on specific technology
  • Clear and concrete

University IT Guidelines
  Goal:
  • Provide guidance and best practices related to specific IT topics
  • Can guide, explain or interpret IT policies or other policies
  Applicability: University-wide, all campuses
  Approval authority: IT process owner for a specific topic
  Communication method: Web version posted on the IT Policy website
  Frequency of review: Annual review
  Additional features and considerations:
  • Optional alternatives can be offered
  • May depend on specific technology
  • Usually refer to the parent policy
  • Template (link pending)

University IT Procedures
  Goal:
  • Detailed step-by-step instructions
  • Implement policies or guidelines
  Applicability: As indicated
  Approval authority: Applicable IT service providers
  Communication method: Posted on the appropriate site
  Frequency of review: Revision every 2 years
  Additional features and considerations: Must comply with IT policies and applicable standards

Campus IT policies, standards or guidelines
  Goal: When there are unique campus-level requirements, as described above. For example, UMHS has a detailed set of campus-level policies to meet HIPAA requirements.
  Applicability: Campus-wide (Health System, Flint, Dearborn)
  Approval authority: Applicable campus authority
  Communication method: Posted on the appropriate site
  Additional features and considerations:
  • Outside the scope of the IT policy project
  • Only necessary if exceptional circumstances at the campus level require special treatment
  • In accordance with university policy, but may be stricter

Unit-level IT policies, standards or guidelines
  Goal: As above, when there are unique unit-level requirements
  Applicability: Entire unit
  Approval authority: Applicable campus authority
  Communication method: Posted on the appropriate site
  Frequency of review: Revision every 2 years
  Additional features and considerations:
  • Outside the scope of the IT policy project
  • Must comply with IT policies and applicable standards, but may be more stringent
  • Required only if unique unit-level circumstances require special conditions

Appendix 2: IT policy standards decision tree

The IT Policy Decision Matrix and Decision Tree Flowchart serve as a planning guide and process reminder for policy development workgroups. Both are based on the flow described below.

IT Policy Decision Matrix (Appendix 3)
IT Policy Decision Flowchart (Appendix 4)

During the planning and initiation step of the IT policy lifecycle process, the need for new or updated guidance can be triggered by several issues, such as:

  • Laws, regulations or best practices that require new or updated guidance
  • Implement IT services or new technologies that require new or updated policies
  • Risk assessments, audits and/or reviews of existing policies/guidelines that reveal inconsistencies or gaps
  • Operational issues that require clarification of the university's position

The planning process consists of going through a series of questions to determine whether guidance is urgently needed and, if so, what type of guidance (policy, standard, guidance) should be created. The questions and recommendations on the relevant decisions are as follows.

  1. What are the consequences/risks of not having written guidance on the subject? If you answered yes to any of the following questions, written guidance may be required.
    1. Is there a legal obligation to provide written guidance?
    2. Are there operational issues that require clear direction?
    3. Are there new technologies, such as cloud computing, that require campus-wide education?
    4. Will documenting (and implementing) this guidance reduce risk?
  2. What are the consequences/risks of having documented guidance on the subject? If guidance is needed but cannot be implemented university-wide within a reasonable period of time, it is best to start with a guideline (rather than a policy). If conflicts or inconsistencies exist between the proposed guidance and existing policies or legislation, further analysis is required, with appropriate stakeholder involvement, to determine how to address them. Existing policies may be outdated or obsolete; it may therefore be necessary to update or retire existing policies.
    1. Is the guidance enforceable?
    2. Does the guidance represent the direction we want units to plan for, even though they may not be able to implement it at the moment?
    3. Is there an existing policy (SPG) addressing this topic?
    4. Does the proposed guidance (expressly or implicitly) contradict current university policies, statutes, or other laws/regulations?
  3. Should the guidance be mandatory? Does it depend on technology? If guidance is mandatory, enforceable, applicable university-wide, and technology-agnostic, it should be issued as a policy. If it is mandatory, enforceable, and university-wide, but specific to a particular technology, it should be issued as a standard. Another option is a combination of brief, high-level policy statements and detailed technology-related standards.
    1. Is there a federal or state law that requires the university to comply?
    2. Does the university have a contractual obligation to comply with this provision?
    3. Are there other reasons why this should be mandatory?
    4. Will the guidance change as new technologies are implemented? Which part of the guidance is technology-based and which part can be stated as general policy?
  4. Can you summarize the essence of this guidance in one page?
    Short, high-level policy statements are usually documented as policies. More detailed documentation can be provided as a standard, guideline or procedure. If guidance cannot be summarized succinctly and no overarching policy exists, it may need to be expressed as a combination of policy and guidelines or standards.
  5. How often are policies and related guidance reviewed to keep them current and applicable?
    Review periods for policies and related guidance vary by type. University policies (SPGs) should be reviewed at least every five years to ensure that they meet legal and regulatory obligations and best practices, and keep pace with technological change.
  6. Are policy exceptions or waivers allowed?
    Waivers of policies and related guidance are generally not allowed. If an exemption is required, the requesting party must follow the policy exemption process. This process is maintained and coordinated by the IA IT Policy Leader.
  7. What determines whether a policy is university-wide or unit-level? These questions do not determine the category (policy, guideline, standard), but the scope.
    1. Should the guidance apply university-wide to all users of university information resources?
    2. Should the guidance apply to all IT providers across the entire campus?
  8. Is the guidance specific to information technology? What other campus areas are involved, and who should be involved in policy making and decision making?
    Sometimes the implementation of IT services leads to a need for policies that span multiple areas (HR, students, others), with or without IT decisions. It is important to review the situation with the appropriate stakeholders and determine who should be the primary owner of the policy. For example, in some cases, human resources or communications policies must be implemented and supported by IT standards or guidelines (such as preferred name policies, web privacy policies, or web accessibility policies).



This flowchart outlines the decision points for determining whether a policy, standard or guideline is required.

  • If you answer YES to any of the questions below, continue with the numbered questions to determine what kind of written guidance you need.
  • Is there a legal obligation to provide written guidance?
  • Are there operational matters that require clear direction or policy?
  • Are there new technologies, such as cloud computing, that require campus-wide education?
  • Will documenting (and implementing) this guidance reduce risk?

For each numbered question, the next step depends on the answer:

  1. Can it be implemented university-wide? If yes: continue to #2. If no: create a guideline.
  2. Does it comply with current policy or law? If yes: continue to #3. If no: conduct further analysis with appropriate stakeholder involvement to determine how to proceed.
  3. Does it apply to the entire university? If yes: continue to #4. If no: go to #9.
  4. Can it stand for more than 1 year without review? If yes: continue to #5. If no: go to #9.
  5. Are there only a few exceptions? If yes: continue to #6. If no: go to #9.
  6. Is it independent of a specific technology? If yes: continue to #7. If no: create a standard, OR create a high-level policy and a detailed technology-dependent standard.
  7. Is there an overarching policy? If no: continue to #8. If yes: use the umbrella policy AND create a detailed standard, guideline or procedure.
  8. Can it be summarized in about one page? If yes: create a policy AND, if necessary, a detailed standard, guideline or procedure. If no: create a high-level policy AND a combination of standards and/or guidelines.
  9. Is it mandatory? If yes: create a standard. If no: create a guideline.

