ITS Unit Standard on Policies, Standards, and Procedures

Introduction

Purpose

This document describes how UNC-Chapel Hill’s Information Technology Services (ITS) will create and manage IT Policies, Standards, and Procedures (Policy Documents) for the University. 

ITS Policy Documents govern IT topics for the University.  

Note: Policies offer a concise vision of how Constituents of the University will use IT to achieve the mission of the University. Policies also govern how IT staff will interact with the UNC-Chapel Hill community, set the big-picture view of IT priorities and goals, and may describe commitment to specific frameworks, ethics and values, or regulatory requirements. Standards and Procedures define minimum requirements and necessary actions required to implement Policies. 

[Figure: Policy structure. On the left, boxes show "University Policy" above "University Standard" above "University Procedure", reflecting strategy (Policy) and the tactics that make Policies happen (Standard, Procedure), all broadly applicable across the University. Below that set, boxes show "ITS Department Policy" above "ITS Dept Standard" and "ITS Dept Procedure", reflecting the same strategy (Policy) and tactics (Standard, Procedure) but applying only to ITS.]

Scope of Applicability

This document applies to all ITS employees. 

Standard

Authority

The Vice Chancellor for Information Technology and Chief Information Officer (CIO) is the only authorized policymaker (“Issuing Officer”) for IT Policies at UNC-Chapel Hill. Other individuals or committees, within ITS or external to ITS, may draft IT Policies, but to be an official ITS University or Unit Policy, that document must be authorized by the CIO unless an exception applies. (See "Exceptions" below.)  

ITS University or Unit Standards and Procedures are published as independent documents that supplement and expand on ITS Policies. ITS Standards and Procedures may be drafted in the same manner as ITS Policies but may be authorized by an Issuing Officer other than the CIO. Only responsible officials within ITS who are designated by the CIO may be Issuing Officers for ITS University or Unit Standards and Procedures. 

The CIO will communicate such delegation to the UNC-Chapel Hill Office of Ethics and Policy (OEPM) for ITS University Standards and Procedures, and will direct the ITS Policy Office staff for ITS Unit Standards and Procedures.

ITS staff will comply with the University of North Carolina at Chapel Hill Policy Framework for Policy Document creation and management.  

Format

Unless an exception applies, or as directed by OEPM, the UNC-Chapel Hill Policy Framework governs formatting requirements for all University Policy Documents, including ITS University Policy Documents. ITS also voluntarily follows the Policy Framework for ITS Unit Policy Documents hosted within the University’s policy repository. 

Version Control

Version management within the University policy repository will use mechanisms provided by the University policy repository. 

All ITS Policy Documents stored outside the University policy repository must include version numbers listed as the authorization date in ISO 8601 standard date (YYYYMMDD) format.  

Document Management

University Policy Documents will be maintained in the repository provided by OEPM. For records retention purposes, the "official" (original/record) version of any official ITS Policy Document is the most current active version in the University Policy Repository maintained by OEPM, or as directed by OEPM. 

Documents managed in the University’s policy repository will have dates and document history managed by the University’s policy repository. 

Record copies of ITS Policy Documents managed separately by ITS (certain Unit Policy Documents) will be maintained in electronic form by the ITS Policy Office in a secure archive.  

The ITS Policy Office may save point-in-time copies of documents in the University Policy Repository for reference and other business purposes such as audit facilitation. 

Document management within the University policy repository will follow the practices established by OEPM. 

Issuing Officers and Document Stakeholders

ITS University Policy Documents must follow review and approval processes described in the UNC-Chapel Hill Policy Framework, as well as internal policy review and approval processes managed by the ITS Policy Office. ITS Unit Policy Documents must follow review and approval processes managed by the ITS Policy Office. Such processes must be designed to efficiently offer opportunities for input by affected stakeholders. The IT community of the University is diverse and distributed. ITS policy documents must reflect the needs of units and the University as a whole and can do so only by engaging the community. 

Type of Document | Who Approves | May apply to
University IT Policy | CIO | All UNC-Chapel Hill constituents or designated groups
University IT Standards and Procedures | CIO or official designee | All UNC-Chapel Hill constituents or designated groups
ITS Dept. Policy | CIO | ITS Staff
ITS Dept. Standards and Procedures | CIO or official designee | ITS Staff

Table 1. Policy Document Approval

References to People

Wherever possible, for resilience, documents will provide roles rather than names, and departmental or shared numbers and emails or other contacts (for example, 919-962-HELP or a service request through help.unc.edu) rather than direct numbers or emails. Where a person must be specified, they must be specified by title, absent a superseding requirement to do otherwise.

Document Review

Review Interval

Document reviews must occur at a minimum once every three years or as directed by OEPM. More frequent review of specific documents will occur as needed to comply with regulatory requirements, best practices, at the discretion of OEPM or of the ITS Policy Office, or at the request of the document owner or the CIO. 

Review Minimum Components

Document review must, at a minimum, consist of the ITS Policy Office providing an executive sponsor, key stakeholder, or primary subject matter expert (as determined by ITS Policy Office staff) with a request to read and comment on the document to identify any need for changes. The stakeholder may deem the ITS Policy Office review sufficient. Review must also comply with OEPM and Framework requirements.

Document Changes

If Administrative/Ministerial changes are identified at any time, the ITS Policy Office staff may immediately make those changes per the UNC-Chapel Hill Policy Framework in compliance with OEPM practices, so long as the change does not alter the meaning or effect of the document.  

As permitted by the Framework, administrative/ministerial changes may be made without revision/re-issue to fix broken links, formatting, contact information, punctuation errors, or transcription errors, to correct document history, or to bring documents into technical compliance with this Standard or with the Framework. As permitted by OEPM, changes to correct gaps or issues for equity or inclusion purposes (including readability, barrier language, jargon, negative statements, accessibility barriers, and template use) may be undertaken in any manner directed by OEPM.

Such administrative/ministerial changes to ITS documents may be made and immediately published at any time without notification or re-approval by the Issuing Officer.

Ministerial changes to documents maintained by the ITS Policy Office outside of the University Repository must be tracked in the office record.

If the ITS Policy Office reviews an ITS Policy Document and determines that changes to the meaning or intent of that ITS Policy Document are needed, the ITS Policy Office will prioritize the ITS Policy Document appropriately for revision. 

Revision

The UNC-Chapel Hill Policy Framework describes requirements for “Revision.” Generally speaking, material change to a Policy Document that alters meaning, intent, or effect requires re-authorization by the issuing officer. This is considered "revision." When a document requires revision, the document must be prioritized appropriately on the ITS Policy Office roadmap. (This determination may be made at the direction of the Issuing Officer, OEPM, Office of University Counsel, may be based on the results of a formal review, or may be at the discretion of the ITS Policy Office to coordinate policy management efforts.) 

Revision of documents should occur in priority order and may reflect environmental factors, organizational need, impact of the revision, urgency of the revision, coordination with other policy activity at the University, risk to the University, or direction by the CIO or delegate. 

ITS Document revision must follow review and approval processes with the same scope of review as creation of new policies, standards, and procedures.

Document Retiring

As permitted by the UNC-Chapel Hill Policy Framework, when a Policy Document has outlived its utility, the Policy, Standard, or Procedure may be superseded or retired by a person with the same or higher authority as the one who authorized it. The CIO and other responsible officials must follow OEPM procedures for retirement of University Policy documents. Currently, retirement of Unit documents may occur by memo to the ITS Policy Office. Record copies of CIO memos are maintained in the CIO office. 

Document Index

The ITS Policy Office must maintain an official list of ITS Policy Documents. This list must contain at minimum the official document title, location of the published version, as well as (if known) last revised date (completion date of the last revision), last review date (completion date of the last formal review), and start date of the next required review of each ITS Policy Document. Dates of ministerial changes may but are not required to be included. With the implementation of the University policy repository, some or all of this record can also be obtained from the University policy repository system. If a discrepancy occurs, the ITS Policy Office should resolve the discrepancy in coordination with OEPM. The Policy Repository includes more types of logged dates, and those dates may use the terms “review” or “revised” differently than described here. 

Compliance

Failure to follow this Standard may result in publication of ambiguous or conflicting Policy Documents which could lead to network security breaches, failure to properly control sensitive information, and other significant IT incidents. 

ITS Policy Documents that do not conform to this Standard should be brought to the attention of the ITS Policy Office or OEPM for appropriate action. Documents purporting to be IT policies created in any other way should be brought to the attention of the ITS Policy Office or OEPM for appropriate action. 

Exceptions

UNC-Chapel Hill may be required by an outside authority to adopt specific IT Policy Documents as its own, and the requirement may determine format, content, and/or document classification. OEPM will make final determination of how to handle such situations. 

ITS Unit Policy Documents covering human resources and facilities are outside the scope of this Standard and may be maintained by the ITS Associate Vice Chancellor for Finance at the direction of the CIO. 

Other exceptions to this Standard may be made by the CIO in keeping with the UNC-Chapel Hill Policy Framework. OEPM may also authorize exceptions to this Standard.

To request an exception to these requirements, contact the ITS Policy Office.

Definitions

Authorized Policy, Standard, or Procedure: Any Policy, Standard or Procedure reviewed and authorized by the responsible university official or issuing officer. 

Unit Policy: Internal policy applicable to members of a UNC-Chapel Hill department (or other organization) but not applicable to the wider University community. See Also "Policy".

Policy Documents: Collective name for administrative control documents, including Policies, Procedures, and Standards. Help files and training documents are not Policy Documents. Internal small-group technical and business processes are not Policy Documents for purposes of this Standard. Service Level Agreements (SLA), Memoranda of Understanding (MOU), and related documents which may govern activities between parties are not Policy Documents. This Standard describes only UNC-Chapel Hill IT Policy Documents in the form of UNC-Chapel Hill University or ITS Unit Policies, Standards, and Procedures.

Guideline: Non-mandatory organizational goal-statement, recommended standard, best-practice procedure, or other document that defines recommended but not required practices. Guidelines are identifiable by use of "should" rather than "must" language. Guidelines are outside the scope of this standard. 

Mission: An organizational purpose statement. Policies are enacted in support of organizational mission. 

Policy: The set of basic principles formulated to direct and limit actions in pursuit of long-term goals. Policies provide the guidance required to create and enforce the Standards and Procedures required to enact policy. Adherence to policy is mandatory. See Also "University Policy" and "Department Policy". As used in this Standard, "Policy" refers to UNC-Chapel Hill University or Department policy enacted by the Vice Chancellor for Information Technology and CIO.

Procedure: An established protocol or official way of doing something. A series of actions or processes conducted in a certain order or manner. A sequence of actions designated as a Procedure is the required methodology for accomplishing a task. Deviation from a required Procedure may create unnecessary risk for the University. Governance Procedures define mandatory actions. This Standard applies to governance Procedures applicable to individuals affiliated with UNC-Chapel Hill, not to other technical or business "procedures" or processes. Procedures as defined here are “Policy Documents.” 

Standard: Written definition, limit or rule, approved and monitored for compliance as a minimum acceptable benchmark. As used in this document, "Standard" refers to governance documents supporting UNC-Chapel Hill Policy. Technical standards and other non-governance "standards" used in Information Technology are outside the scope of this document. Standards as defined here are “Policy Documents.” 

University Policy: UNC-Chapel Hill policy governed by the UNC-Chapel Hill Policy Framework. University Policy may apply to all Constituents of the University or to specific groups.

UNC-Chapel Hill Constituent: UNC-Chapel Hill faculty, staff, students, retirees, and other affiliates, contractors, distance learners, visiting scholars, and others who use or access UNC-Chapel Hill resources.

Related Requirements

Policies, Standards, and Procedures

Contact Information

Subject | Contact | Telephone | Online/Email
Interpretation of standard or Reporting non-compliant documents | ITS Policy Office | 919-962-HELP | its_policy@unc.edu

Document History

  • Effective Date and title of Approver:
    1. Origination/Effective Date: May 12, 2015
    2. Approver: Vice Chancellor for Information Technology and Chief Information Officer
  • Revision and Review Dates, Change notes, title of Reviewer or Approver:
    1. Previous Revised Date: November 28, 2017
      1. Revised by: Chief Information Officer
      2. Substantive Revisions:
        1. Clarified processes for review, revision, and ministerial/administrative changes.
        2. Brought document into current template format.
        3. Altered requirements for record copy storage to remove requirement for paper documents. Change also anticipates shift from unit storage to OEPM storage of official documents.
        4. Clarifications
    2. Previous Revised Date: March 14, 2017
      1. Revised by: Vice Chancellor for Information Technology and Chief Information Officer
      2. Substantive Revisions:
        1. Altered to comply with revised University Policy on Policy Development, Approval, and Publication;
        2. Renamed from "ITS Governance Document Standard;"
        3. Clarifications
    3. See University Policy Repository for additional document history.