The EDUCAUSE CIO list service recently featured a question that asked, “What is a good policy?” Excellent responses ensued; I offer my version not as a CIO but as the lieutenant of one, and as more of a story informed by experience than a handbook on policy. The story is so long, going on ten years now, that I, like Dickens, will tell it as a serial. Here is my first installment: Framework.
The requester keenly asked about a policy “framework” in her initial question to the community. She is already right on the money! We are at a stage in IT policy development where we no longer need to simply react to one demand or another but should be thinking about the matter comprehensively. IT policy may be the latecomer to institutional policy, but it is in essence no different from the body of policies that exist for other administrative areas such as human resources or finance. In fact, institutions that can now draw on the experience of others have the advantage of being able to create a holistic body of policies that interrelate and meet institutional need comprehensively, instead of what has become at some schools a laundry list or a hodge-podge accretion of policies.
With this approach, a CIO will get the benefit of a vision, alignment with a strategic plan of the institution, and the opportunity to present the concept to senior leadership for review and overall approval. This approach offers myriad opportunities. Forethought instead of action will always result in a better product. Policy “packaging” can be thought through carefully, especially because it is always a product of institutional culture and traditions. Finally, the CIO will save the lieutenant much consternation on the proverbial road as the project goes forward.
Packaging of policies is important at the outset. For example, way back in the 1990s, the University of California produced one of the first policies on the disclosure of electronic information. It was a comprehensive document in keeping with the cohesive nature of the university system. When I began at Cornell I did not sense the appetite for comprehensive documents. It seemed as if elaborate policies were more than the community could bear. Consequently, I broke up the policy provisions into “bite-sized” chunks, and for a while that approach was successful. Specific to security policies, for example, when the technical requirements of the new privacy laws came into play, GLBA and HIPAA, we were able to establish a reporting incidents policy almost immediately in order to meet compliance. A more basic technical requirements policy for devices connected to the network (patching and the like) came shortly thereafter, almost all of which has now been subsumed in an information security policy. A revision of the framework will pull policy provisions together into a more coherent document. Know your community before you construct the “shape” of your policies. One size does not fit all.
The failure to inform senior leadership of a framework of policies can also create unnecessary pushback for the CIO and whomever he or she sends out into the field. About five or so policies into the development of the framework we created at Cornell, I recognized well the look of “oh no, here she comes again” from senior management and middle-level players when I darkened their door with a new policy in the immediate aftermath of having completed the last one … or two or three. Having not been adequately apprised of the framework concept going forward, they understandably experienced IT policy development as a burden even as it was meeting essential administrative needs. If the substance alone were not difficult enough to socialize, the added resistance made it a slog rather than a glide to the finish line for each new policy. And let’s face it: failure to let them know at the outset violated the first rule of reporting structures: don’t surprise your boss! It also deprived IT of the opinion and wisdom that they had in management overall, if not in policy development in their areas. Go win-win and bring senior leadership on board in real time!
Next Installment: Policy on Policies