It is difficult to estimate the costs of not writing thorough IT policy. Misuse of IT resources, whether through ignorance or malice, costs money, as do court cases that can result from abuse. Furthermore, a poor university accreditation report caused in part by poor policy documents will likely have an adverse impact on student enrollment.
There are two main reasons for having an IT provision policy document. First, it informs employees and students of what is available and how it should be used. Second, it helps prevent the integrity of the computer systems from being compromised. In the absence of appropriate policies, those responsible for IT resources will have to make ad hoc decisions as situations arise, possibly resulting in a change of rules whenever there is a change of staff. One can argue [1] that policy is as important to IT infrastructure as hardware and software.
At the London campus of the American InterContinental University (AIU–London), attention focused on rewriting existing policies. This decision was the byproduct of a comment made by the Open University Validation Services, which, in the process of re-validating a degree program, recommended enhancing the IT facilities available to the program. Staff were also mindful of an impending accreditation by a second external body. As the Dean of IT, I was selected to be the policy writer at AIU–London, mainly due to my workload relative to senior staff of the IT Services department.
Types of Policies
Because a university has two distinct groups of users—employees and students—IT policies should include three sections: one for employees, one for students, and one that applies to both groups. This article covers matters relevant to the average university employee and the average student.
Policies can be classified as general or as relating to specific activities. Among general policies, the two groups of most interest to average users are those dealing with security and those that address ethics.
Security policies include
- acceptable use policies, which identify the legitimate users of computer and network resources and outline acceptable uses of the resources;
- monitoring policies, which describe how computer systems administrators (SAs) may monitor activity of individual computers, network traffic, e-mail, and Web browsing;
- privacy policies, which state explicitly what users can expect in the way of privacy; and
- remote access policies, which allow users to gain access from outside the university campus and explain how to prevent outsiders from gaining entry.
Ethics policies relevant to the general user include those that address copyright adherence and a network/computer user code of conduct. Copyright does not just apply to printed documents—copying software that is not free is an infringement, no matter how widespread the activity.
Policies relating to specific activities include those concerned with e-mail service, print service, backup and restore, software depot service, and service monitoring. A typical user will be interested in the privacy policy for e-mail service. For example, a university might decide to adopt a policy that all e-mail issued from or to a university computer or over a university network is not private. The print service policy lists the printers that various groups of users can access. Policies concerned with backup and restore, software depot service, and service monitoring are for SAs and not important to a typical user.
Will People Read It?
Policy documents are not terribly interesting to read, but they are a necessity. When finished, an IT policy should be easily accessible to users, and users should be encouraged to consult it as a reference when unclear about an issue. Each employee and student should sign a document saying that they have read and accept the policy before being given access to IT resources.
Would a short policy be better than a long one? A short policy is more likely to be read, but a long one would obviously be more comprehensive. There is nothing stopping a policy writer from constructing a lengthy policy and summarizing key parts. Providing examples of what a user can and cannot do will increase readability.
Policy should be reviewed periodically as facilities and planned usage change. Advances in IT result in continual change, and other changes arise from comments made by members of the university as well as by representatives of external bodies.
Who Is Involved?
The IT policy writer is normally a senior SA who can provide insight into strategic planning. The IT Services department will have determined the university’s long-term objectives by analyzing the strengths and weaknesses of the university and will have studied opportunities and threats in the academic environment, predicting trends and projecting the need for new facilities and services. Therefore, a representative of the IT Services department is often well suited to serve as the policy writer. The policy writer could be someone other than an SA, however, since there are several other stakeholders. The staffing and workload of the SAs at the time of writing the policy might be such that a non-SA writer would be preferable.
At the outset, the policy writer should trawl through paper and electronic documents the university has produced that are likely to contain policy statements. Specific documents to look for include portal handbooks, human resources policies, IT Services forms and procedures, literature detailing usage of PINs on photocopiers/printers, the student handbook, the employee handbook, and documents prepared for previous accreditations.
By identifying the authors of relevant documents, the policy writer will be in a position to form a working party. Likely participants include the IT Services manager, key SAs, the head of student affairs, the head of human resources, and staff from the legal department. The head of human resources needs to be involved in policies relating to employees. These include the acceptable use policy, the monitoring of resource usage by SAs, and employee privacy. Similar policies for students will require student-affairs staff. The legal department would be concerned with decisions regarding the prosecution of offenders and deciding how and when to contact the police.
Plan Ahead
In deciding whether to write a new IT provision policy or substantially revise an existing one, the team must estimate and justify the investment of resources that will be required. Among the possible justifications might be a directive—imposed by management, a government body, or some other external organization—requiring a new or revised policy. Impetus for policy writing could come from an impending accreditation, audit, or validation exercise. Writing the policy might provide opportunities to improve how IT resources are used and to give users confidence in the professionalism of the IT Services department. Finally, a new or revised policy can overcome existing problems that prevent the IT department from achieving its goals.
One problem the policy writer might have is scope creep, where the scope keeps getting bigger and bigger. Before policy writing can begin, the scope of the policy must be defined. Those involved in the project should work to fix the scope at an early phase and write a scope statement with which all involved agree.
Background reading can shed important light on system and network administration policies [2]. An overall policy can be subdivided into smaller, more manageable components. If there is no consensus on what should constitute the policy, then some technique could be used to get each member of the working party to weight the importance of proposals. The results of the whole working party can then be aggregated and the items scoring above a certain threshold value included as policy. This and later working party output should be put in writing and communicated to everyone involved to document agreed-upon decisions.
The policy working group can use one of two general methods for determining the structure and breakdown of the policy. Using the bottom-up approach, members of the working party identify as many specific component policies as possible and then group them into higher-level items. Alternatively, the top-down approach starts with the largest items of policy, breaking them into their subordinate items. At AIU–London, we opted for a predominantly bottom-up approach, mainly because the policy was being rewritten and, therefore, many of the various component policies already existed.
Processes for Policy-Writing Projects
In an effort to legitimize a policy-writing project, some form of communication should be written by senior management that recognizes and endorses the project. Such a document, distributed to members of the campus community, can serve to initiate the project—that is, commit the university at least to begin working on policy formulation.
IT policies are weighty documents, and, although the policy writer is responsible for managing the project, the various sections of the document need to be split up and delegated to others. This is particularly important where others have specialist knowledge. For example, only trained human resources staff should handle human resources issues.
The working party can hold intensive workshops to define and design the overall policy document. The policy writer would typically chair these workshops and be responsible for integration of the work. Draft policies can be submitted to academic heads of departments and senior management for review and input.
Policy can be generated under any of several kinds of processes. The working party could draft the whole policy, meet to discuss it, make revisions, meet again, refine again, and so on and so forth. Alternatively, the working party could draft a part of the policy, meet and refine that portion until complete, draft another part, meet and refine that section, and continue in this manner until the whole is complete. With this latter procedure, the working party must decide how to subdivide the policy into parts. This could be done according to the structure of the policy document or based on who is responsible for each section.
An analogous approach to writing policy involves using a similar university’s policy document as a starting point. The policy writer should conduct something akin to a literature search of IT policies. The work could begin at the host institution and expand outwards by considering the following:
- Other campuses—including online campuses—of the same university
- Universities with which the institution has close links
- Universities similar in some sense, such as size
- Other universities in the same country
- Universities in other countries
Whatever method is chosen to direct policy writing, those involved should avail themselves of any and all resources that might shed useful light on the task at hand (see the sidebar "Consulting Other Resources").
Tips and Suggestions
Before writing a policy document, the community must have an awareness of its importance, and an important factor in ensuring success of the exercise is securing support from senior management. The manager of the project, therefore, should be a senior SA or other senior stakeholder.
Another key success factor in creating or revising IT policy is assembling an appropriate group of individuals to serve on the working party. Drawing on expertise from various groups on campus ensures thorough and accurate policies. It also creates a sense of inclusion in the process and ownership of the result.
Computer facilities are in a constant state of flux. Several changes at AIU–London took place recently. For example, the student portal facilities have been considerably enhanced. As a result, campus policies will have to be revisited in the near future.
An effective policy can be invaluable to the smooth and efficient functioning of a university IT Services department, serving not only general users of university resources but also accreditation bodies and outside organizations. Understanding and following a careful and deliberate process for writing IT policy is sure to be well worth the effort.