ITS Unit Standard on Policies, Standards, and Procedures

Introduction

Purpose

This document provides approved guidance for writing and authorizing new University and Information Technology Services (ITS) Department Policies, Standards, and Procedures; for revising existing ITS Policies, Standards, and Procedures; and for delineating approval authorities at all levels.

ITS authors policies and other governance documents covering IT and Privacy-related matters and the appropriate use of Information Technology at UNC-Chapel Hill (the University). Policies describe a concise vision of how Constituents of the University will use IT to achieve the mission of the University. Policies also govern how IT staff will interact with the UNC-Chapel Hill community, set the big-picture view of IT priorities and goals, and may describe commitment to specific frameworks or regulatory requirements. Standards and Procedures define minimum requirements and necessary actions required to implement Policies.

[Figure: Policy structure. Left column, broadly applicable across the University: "University Policy" above "University Standard" above "University Procedure", reflecting strategy (policy) and the tactics (standard, procedure) that make policies happen. Below that set, applying only to ITS: "ITS Department Policy" above "ITS Dept Standard" and "ITS Dept Procedure", again reflecting strategy (policy) and tactics (standard, procedure).]

Scope of Applicability

ITS staff who create, maintain, or contribute to UNC-Chapel Hill governance documents pertaining to Information Technology or Privacy-related matters.

Standard

Subject to applicable law, regulation and other University policies, particularly the University of North Carolina at Chapel Hill Policy Framework, governance documents produced by ITS staff will meet or exceed the following requirements:

Format

All new Policies, Standards, and Procedures (as defined by the University Policy Framework) promulgated by ITS will follow formatting guidelines provided by the UNC-Chapel Hill Office of Ethics Education and Policy Management (OEEPM). (See "Exceptions" below).

Contact the ITS Policy Office or ITS Policy Liaison for guidance.

All documents not stored in the University policy repository will carry a version number consisting of the authorization date in ISO 8601 date format (YYYYMMDD). Version management within the policy repository will use the mechanisms provided by that system.

Document Management

For records retention purposes, the "official" (original/record) version of any official ITS policies, standards, and procedures will be the most current active version in the University Policy Repository maintained by OEEPM, or as directed by OEEPM.

Documents managed separately by ITS, not in the University repository, will be maintained in electronic form by the ITS Policy Office in a secure archive. An image of the most recent approved version, as well as the current published version, must be maintained in the archive. Previous versions of documents moved to the University repository may also be maintained, in keeping with the University Schedule for Records Retention and Disposition and as needed to provide historical context for future policy development.

Publication versions of signed documents will have the signature removed, but the authorizing official's title as well as signing date and revision history must remain.

Document management within the University policy repository must follow the practices established by OEEPM.

Policies

ITS is responsible for producing and maintaining most UNC-Chapel Hill University Policies with IT or Privacy implications. (See "Exceptions" below for discussion of Policies with IT or Privacy implications that are not produced and/or maintained by ITS.) Those Policies and any associated Standards and Procedures must follow the University Policy on Policies and other requirements defined at the University level.

Unless an exception applies, titles of new UNC-Chapel Hill IT/Privacy Policies developed under this Standard must distinguish University-wide documents from internal ITS or other Department Policies (or as directed by OEEPM).

The ITS Policy Office must maintain an ITS policy page to assist University users to find relevant ITS policies. Since publication implies that the Policies have been fully authorized, all Policies must be approved by the responsible University official prior to publication unless an exception applies, as described below.

With respect to Information Technology at the University, the only policymaker is the Vice Chancellor for Information Technology and Chief Information Officer (CIO). Policies may be drafted by others at ITS, by responsible committees, or by other methods, but to be an official IT Policy, a document must be authorized by the CIO unless an exception applies. (See "Exceptions" below.)

Standards and Procedures

Standards and Procedures are published as independent documents and authorized in the same manner as Policies, but may be authorized by a responsible official or issuing officer other than the CIO. Only responsible officials within ITS who are designated by the CIO may authorize IT governance Standards and Procedures. Currently, these designees are the Chief Information Security Officer (CISO) and the Chief Privacy Officer (CPO). Additional designations by the CIO may occur in writing without republication of this Standard. (Record of such additional delegations must be stored in either the University repository, or in the ITS policy archive.) Legacy documents may continue to list the Associate Vice Chancellor and Deputy Chief Information Officer (DCIO) as a responsible official until revised.

A University-wide Standard or Procedure may be drafted in any area of ITS, but must be authorized by the CIO or designee, and published with a link on the ITS policy page. Unless an exception applies (or as directed by OEEPM), titles of new UNC-Chapel Hill IT/Privacy Standards and Procedures developed under this Standard must distinguish University-wide documents from internal ITS or other Department Standards and Procedures. Titles for Standards and Procedures must include the terms "Standard" and/or "Procedure," as appropriate.

Governance Document Approval

University governance documents promulgated by ITS must follow review and approval processes determined by the OEEPM, as well as internal policy review and approval processes managed by the ITS Policy Office. ITS Department internal governance documents must follow review and approval processes managed by the ITS Policy Office. Such processes must be designed to efficiently offer opportunities for input by representatives of affected user groups.

Type of Document | Who Approves | May apply to | Template
University IT/Privacy Policy | CIO | All UNC-Chapel Hill constituents or designated groups of constituents, including some outside of ITS | University template provided by OEEPM
Administrative Policy (IT-related) | N/A | All UNC-Chapel Hill constituents or designated groups of constituents, including some outside of ITS | N/A
University IT/Privacy Standards and Procedures | CIO or official designee (CISO, CPO or other) | All UNC-Chapel Hill constituents or designated groups | University template provided by OEEPM
ITS Dept. Policy | CIO | ITS Staff | Department template provided by OEEPM
ITS Dept. Standards and Procedures | CIO or official designee (CISO, CPO or other) | ITS Staff | Department template provided by OEEPM

Table 1. Governance Document Approval

NOTE: The revision of the University Policy Process in 2017 removed the "Administrative Policy" category. All former Administrative Policies are considered University Policy.

Cross-document Connections

To support durable document connections (and prevent dead links) when referring to related documents, documents should whenever possible use either a link to the official repository where the related document resides or a textual description of the document's location. This allows individual documents to be updated without requiring an update to every related document. Policy writers and editors must refer to documents by their main title (or significant terms in the title), not by version number. References to general Policy pages or to the Repository are permitted. Policy writers and editors should use their best judgment. When broken links or changes in a linked document's location do occur, updating the broken links in published documents does not require reauthorization by the responsible official. Documents within the University repository may cross-link directly.

References to People

Wherever possible, documents will provide roles rather than names, and departmental or shared numbers and emails rather than direct numbers or emails (e.g. 919-962-HELP). If contact information becomes incorrect, updates to contact information in published documents are considered ministerial change and do not require reauthorization or notation in document history. (Note: documents in the University repository will have history notations performed by the system.)

Document Review

Official policy, standard, and procedure documents maintained by the ITS Policy Office must be reviewed regularly to ensure the continuing suitability, adequacy, and effectiveness of each document. Documentation of review schedules will be maintained by the ITS Policy Office (review documentation in the OEEPM policy repository system is sufficient for documents contained in the repository).

Reviews must occur at a minimum once every three years. More frequent review of specific documents should occur as needed to comply with regulatory requirements or best practices, at the discretion of OEEPM or the ITS Policy Office, or at the request of the document owner.

Document review must, at a minimum, consist of the IT Policy Office providing an executive sponsor, key stakeholder, or primary subject matter expert (as determined by ITS Policy Office staff) with a request to read and comment on the document to identify any need for changes. Office review by the ITS Policy Office staff may be deemed sufficient by the stakeholder.

If a document review results in a determination that changes are needed, the document will be prioritized appropriately for revision (or administrative/ministerial change) and undergo any required revision process as time and resources allow.

Document Changes

Documents managed in the University Repository will have dates and document history managed by the system. The dates reflected on those documents are as follows:

"Origination" is the date the document was first approved and should not change unless an error is identified. "Effective" is the date the latest version of the document first took effect. "Last Approved" reflects the last time the document completed any approval workflow process (this does not mean that the responsible officer approved the document as of that date). "Revised" means that ANY change to the document took place. A document can complete an approval workflow with no change, so the "Last Approved" date might differ from the "Revised" date. "Next Review" is the next date on which the system has the document scheduled for review. Reviews may take place sooner than the next review date.

Revision

Material change to a document that alters meaning, intent, or effect of the policy, standard, or procedure requires re-authorization by the responsible officer. This is considered "revision." Document revision requires re-approval by the appropriate document authority for the revised document to be in effect. For documents in the University Repository, "Revision" means following a workflow that includes the responsible officer. For documents maintained separately, a manual revision process must include the responsible officer.

When the ITS Policy Office determines that a document requires a material change which would require reauthorization, the document must be prioritized for revision. (This determination may be made at the direction of the document signing authority, OEEPM, or the Office of University Counsel; may be based on the results of a formal review; or may be at the discretion of the ITS Policy Office in order to coordinate policy management efforts.)

Revision of documents should occur in priority order reflecting environmental factors, organizational need, and coordination with other policy activity at the University, risk to the University, or direction by the CIO or delegate.

Document revision must follow review and approval processes with the same scope of review as creation of new policies, standards, and procedures. Document history must be updated according to OEEPM requirements to reflect new revision dates and details. Storage of documents must follow the same requirements as new documents.

The University Repository system will manage dates for the documents it contains. Dates from before the repository migration (to the extent they are known), and dates for documents managed separately, will be maintained in a record by the ITS Policy Office.

Administrative/Ministerial Changes

As permitted by the University Policy on Policies, administrative/ministerial changes to fix broken links, formatting, or contact information; to correct document history; to correct grammar, punctuation, or transcription errors; or to bring documents into technical compliance with this Standard or with the University Policy on Policies will not be considered revisions. Such administrative/ministerial changes to ITS documents may be made and immediately published by ITS Policy Office staff and OEEPM staff at any time, without notification or re-approval by the issuing officer or responsible official. The revised publication version must be stored in the electronic file for that document in such a way that it is clear the document has been altered from the most recently authorized version. While the University Repository will not distinguish "Revised" or other dates for ministerial changes from those for true revisions, the difference is that the workflow for a revision includes the responsible officer, whereas the workflow for a ministerial change does not. Changes may be made by administrative override by OEEPM or by a minimal approval workflow by the ITS Policy Office. The change log should reflect the type of change made, to assist with this distinction.

Ministerial change for documents maintained by the ITS Policy Office outside of the University Repository must be tracked in the office record.

Document Decommissioning

As permitted by the Policy on Policies, when a Policy, Standard, or Procedure has outlived its utility, the Policy, Standard, or Procedure may be superseded or decommissioned by a person with the same or higher authority as the one who authorized it. The CIO and other responsible officials must follow OEEPM procedures for decommissioning of University Policy documents as outlined in the UNC-Chapel Hill Procedure for Policy Management and UNC-Chapel Hill Standard on Policy. Decommissioning of Unit documents may occur by memo to the ITS Policy Office.

Document Index

The ITS Policy Office must maintain a master list of IT and Privacy Policies, Standards, and Procedures promulgated by ITS. This list must contain at minimum the official document title, location of the published version, as well as (if known) last revised date, last review date, and next required review date of each document deemed to be an official Policy/Standard/Procedure maintained by ITS. With the implementation of the University repository, some or all of this list may be generated by the repository system. If a discrepancy occurs, it should be resolved in coordination with OEEPM and reference to existing documentation.

Compliance

Failure to follow this Standard may result in publication of ambiguous or conflicting governance documents which could lead to network security breaches, failure to properly control sensitive information, and other significant incidents.

Governance documents apparently not conforming to this Standard should be brought to the attention of the ITS Policy Office or OEEPM for appropriate action.

Exceptions

UNC-Chapel Hill may be required by an outside authority to adopt specific governance documents as its own, and the requirement may determine format, content, and/or document classification. If approved by the correct authority, including OEEPM, such documents must be considered official Policy/Standard/Procedure regardless of format or process used for approval.

If authorized by the CIO with the intention of creating Policy, a document in any format, with any title will be considered ITS Unit Policy. If authorized by the CIO or their designee, a document in any format, with any title may be considered ITS Unit Standard or Procedure. The circumstances of such variances will be documented appropriately by ITS Policy staff (a memo to the file by Policy staff is sufficient). This documentation is required only once for each document, not for each revision. The variance information will be stored in the appropriate electronic file for the document.

Governance documents promulgated prior to the original authorization date of this Standard (5/12/2015) needing updates to bring them to this Standard will be addressed on a case-by-case basis. Until the documents are brought into compliance, or are decommissioned, existing documents are considered "grandfathered" for authority purposes and should be followed as if authorized according to this Standard.

Administrative/ministerial changes may be made to these "grandfathered" documents as-needed, and they remain covered by this exception. Revisions to these documents may also occur without bringing the document into full compliance if otherwise properly approved. Review of such documents must occur on the required schedule, but may consist solely of a Policy Office evaluation and confirmation by a stakeholder identified by the ITS Policy Office.

Processes in development (e.g. the ITS Change Management process) which are not yet incorporated in Policy, Standard, or Procedure, may be given the effect of ITS Unit Policy if that is the intent of the CIO. The ITS Policy Office must include such processes on the Master List.

ITS unit policies, standards, and procedures covering human resources and facilities may be maintained by the ITS Associate Vice Chancellor for Finance at the direction of the CIO and are outside the scope of this Standard.

Some Institutional Privacy Office (IPO) policies, standards, and procedures may be maintained separately by the IPO, and if so, fall outside the scope of this Standard.

The University repository system currently uses the terms "Last Approved" to mean the last completion of any workflow, and "Last Revised" to indicate the date a document has changed. Ministerial/Administrative/Document-fix changes, Review, and Revision must be noted in the document change log in order to distinguish which process was completed. Revision requires approval by the issuing officer/responsible official, while review processes and ministerial changes may be "approved" (workflow steps or administrative override completed) by OEEPM or ITS Policy Office staff, or other CIO designees.

Other exceptions to this Standard may be made by the CIO in keeping with the University Policy Framework. The OEEPM may also authorize exceptions to this Standard.

To request a variance to these requirements, contact the policy representative in the ITS Policy Office.

Definitions

Authorized Policy, Standard, or Procedure: Any Policy, Standard or Procedure reviewed and authorized by the responsible university official or issuing officer.

Unit Policy: Internal policy applicable to members of a UNC-Chapel Hill department (or other organization) but not applicable to the wider University community. See also "Policy".

Governance Documents: Collective name for administrative control documents, including, but not limited to, Policies, Procedures and Standards. Help files and training documents are not Governance Documents. Internal small-group technical and business processes are not Governance Documents for purposes of this Standard. Service Level Agreements (SLA), Memoranda of Understanding (MOU) and related documents which may govern activities between parties are not within the scope of this Standard. This Standard describes only UNC-Chapel Hill IT governance documents in the form of UNC-Chapel Hill or ITS Department Policies, Standards and Procedures.

Guideline: Non-mandatory organizational goal-statement, recommended standard, best-practice procedure, or other document that defines recommended but not required practices. Guidelines are identifiable by use of "should" rather than "must" language. Guidelines are outside the scope of this standard.

Mission: An organizational purpose statement. Policies are enacted in support of organizational mission.

Policy: The set of basic principles formulated to direct and limit actions in pursuit of long-term goals. Policies provide the guidance required to create and enforce Standards, and Procedures required to enact policy. Adherence to policy is mandatory. See Also "University Policy" and "Department Policy". As used in this Standard, "Policy" refers to UNC-Chapel Hill University or Department policy enacted by the Vice Chancellor for Information Technology and CIO.

Procedure: An established protocol or official way of doing something. A series of actions or processes conducted in a certain order or manner. A sequence of actions designated as a Procedure is the required methodology for accomplishing a task. Deviation from a required Procedure may create unnecessary risk for the University. Governance Procedures define mandatory actions. This Standard applies to governance Procedures applicable to individuals affiliated with UNC-Chapel Hill, not to other technical or business "procedures" or processes.

Standard: Written definition, limit or rule, approved and monitored for compliance as a minimum acceptable benchmark. As used in this document, "Standard" refers to governance documents supporting UNC-Chapel Hill Policy. Technical standards and other non-governance "standards" used in Information Technology are outside the scope of this document.

University Policy: UNC-Chapel Hill policy governed by the University UNC-Chapel Hill Policy on Policies. University Policy may apply to all Constituents of the University or to specific groups.

UNC-Chapel Hill Administrative Policy: A former category of Policy under a previous University Policy on Policy Development, Approval, and Publication. Policies created in this category remain in force, but when updated must be categorized as University Policy.

UNC-Chapel Hill Constituent: UNC-Chapel Hill faculty, staff, students, retirees, and other affiliates, contractors, distance learners, visiting scholars, and others who use or access UNC-Chapel Hill resources.

Related Requirements

Policies, Standards, and Procedures

UNC-Chapel Hill Policy Framework

UNC-Chapel Hill Standard on Policies

UNC-Chapel Hill Procedure for Policy Management

Contact Information

Subject | Contact | Telephone | Online/Email
Interpretation of standard | ITS Policy Office | 919-962-HELP | its_policy@unc.edu
Reporting non-compliant documents | ITS Policy Office | 919-962-HELP | its_policy@unc.edu

Document History

  • Effective Date and title of Approver:
    1. Origination/Effective Date: May 12, 2015
    2. Approver: Vice Chancellor for Information Technology and Chief Information Officer
  • Revision and Review Dates, Change notes, title of Reviewer or Approver:
    1. Previous Revised Date: November 28, 2017
      1. Revised by: Chief Information Officer
      2. Substantive Revisions:
        1. Clarified processes for review, revision, and ministerial/administrative changes.
        2. Brought document into current template format.
        3. Altered requirements for record copy storage to remove requirement for paper documents. Change also anticipates shift from unit storage to OEEPM storage of official documents.
        4. Clarifications
    2. Previous Revised Date: March 14, 2017
      1. Revised by: Vice Chancellor for Information Technology and Chief Information Officer
      2. Substantive Revisions:
        1. Altered to comply with revised University Policy on Policy Development, Approval, and Publication;
        2. Renamed from "ITS Governance Document Standard;"
        3. Clarifications

Details

Article ID: 131254
Created: Thu 4/8/21 9:04 PM
Modified: Wed 7/14/21 3:13 PM
Effective Date: 12/15/2020 10:51 AM
Issuing Officer Title: Vice Chancellor for Information Technology and Chief Information Officer
Last Review: 12/15/2020 10:51 AM
Last Revised: 11/01/2019 3:11 PM
Origination: 05/12/2015 12:00 AM
Responsible Unit: Information Technology Services