IT Policy Task Force

FINAL REPORT AND APPENDICES

2007-11-29T21:44:00.001-08:00

Thanks for your interest in the work of the University of Oregon IT Policy Task Force, 2006-2007.

The IT Policy Task Force final report and appendices are now available for download at the following site: http://www.uoregon.edu/~bonamici/itpolicy/
Access is restricted to the UO network while the documents are under review.

Please forward any questions or comments to:

Andrew Bonamici (bonamici@uoregon.edu), Task Force Co-Chair
Jon Miyake (miyake@uoregon.edu), Task Force Co-Chair
Don Harris (cio@uoregon.edu), Vice Provost for Information Services & CIO

Policy Reviews by category

2007-03-29T22:07:00.000-07:00

As part of the IT Policy Task Force charge, we have reviewed
1) standard categories of IT-related policy and procedure as identifed by EDUCAUSE and other organizations, and

2) the UO’s policy framework to determine where IT-related issues are currently addressed and identify existing potential gaps.

We now have several analyses of policy categories available for comment:

- Policy Review: Academic Freedom
- Policy Review: Intellectual Property
- Policy Review: Privacy
- Policy Review: Accessibility
- Policy Review: User Accounts
- Policy Review: E-Mail
- Policy Review: Records Management
- Policy Review: Web Policies
- Policy Review: Netblock & Domain Names
- Policy Review: Standards, Op.(hosts), & Disaster Recovery

Please look these over and forward any comments to the task force, c/o bonamici@uoregon.edu. Additional reviews will be linked from the home page of this site as completed, so watch this space. Thanks in advance for your interest and participation in this important process.

IT Policy Task Force update for March 12, 2007

2007-03-13T17:44:00.000-07:00

Here is the most recent update from the IT Policy Task Force (March 12, 2007).

Task Force Progress Report

2006-12-17T13:31:00.000-08:00

Please take a look at the IT Policy Task Force Progress Report (pdf). If you have any questions, please contact any member of the committee.

Minutes for meeting of December 8, 2006

2006-12-09T17:53:00.000-08:00

IT Policy Task Force

Meeting of 08 December 2006
9 – 10 am, Computing Center rm 185

in attendance: James Bailey, Andrew Bonamici, Jon Miyake, Noreen Hogan, Erin O’Meara, Joe St Sauver

Absent: Randy Geller/Melinda Grier, Cleven Mmari, Josh Ward

1. Review minutes from prior meetings (November 17 & December 1)

2. What’s happening/announcements:

Cornell webcast: Tuesday noon - 2:00; Studio A (or view online via link on the UCPL website.

3. We reviewed a draft status report for Don & other Task Forces (due mid-December) PROVIDE FEEDBACK BY WEDNESDAY DEC 13, 5 PM

4. Reviews by category (still to do)

Intellectual Property
Academic Freedom
Web Guidelines
User Accounts
General: Andrew will ask Melinda & Randy for overview. Is there a master flowchart for policy development, community review, adoption, & revision? For example, what policies require Senate approval or legal review before adoption (e.g., if complaints about the policy can be reviewed by Feds, UO legal review is required)?

5. We started but did not complete review of the web guidelines category.

6. Next week’s meeting is cancelled. Holidays begin after that, so our next meeting will be in January. We may need to change meeting time for next month.

Minutes for meetings of November 17 & December 1

2006-12-09T17:50:00.000-08:00

IT Policy Task Force
Meeting of 17 November 2006

9 -10 am, Computing Center rm 185

in attendance: Jon Miyake, Noreen Hogan, Cleven Mmari, Erin O’Meara, Joe St Sauver, Josh Ward

Absent (RSVPd): Andrew Bonamici, Randy Geller/Melinda Grier

Task Force members reviewed policy category writeboards for:

Data security
Records Management
Standards

November 24, 2006: no meeting due to Thanksgiving holiday

IT Policy Task Force
Meeting of December 1 2006
9 – 10 am, Computing Center rm 185

in attendance:Andrew Bonamici, Jon Miyake, Noreen Hogan, Cleven Mmari, Erin O’Meara, Joe St Sauver, Josh Ward

Absent (RSVPd): Randy Geller/Melinda Grier, Noreen Hogan

What’s happening/announcements: Jon distributed the OUS security policy draft. This is not for distribution beyond the IT Policy & Data Security Task Forces at this time.

Reviewed policy category writeboard for:

Accessibility

Reviews by category (still to do)

Intellectual Property
Academic Freedom
Web Guidelines
General: what is policy development, community review, & adoption flowchart? What are criteria for particular types of policies? (e.g., if complaints can be reviewed by Feds, should have legel review)

Next week (December 8): work on draft Update for Don & other Task Forces

Minutes for meeting of 10 November, 2006

2006-12-03T18:19:00.000-08:00

IT Policy Task Force

Meeting of 10 November 2006

9 -10 am, Computing Center rm 185
in attendance:Andrew Bonamici, Jon Miyake, Noreen Hogan, Cleven Mmari, Erin O’Meara, Joe St. Sauver, Josh Ward

absent (all RSVPd): James Bailey, Randy Geller/Melinda Grier

1. Approved minutes from last meeting

2. Discussed template inventory process & problems experienced to date. What do the categories mean, & what are the associated questions? Looking at the e-mail category, for example, a wide range of questions & issues emerged:

- spam/phishing—incoming &/or outgoing?
- blocking/unblocking
- spam filtered by default or not?
- attachments/defanging
- where should your email be? dept or uoregon?
- forwarding off-campus (FERPA, sensitive info, etc.)
- sending sensitive info (SSNs etc.) via email
- public record inplications/FOIA/civil discovery (articulate with records retention)
- access by supervisors/managers; terminated employees; mixed student-employee use
- size of attachments
- practice of using generic accounts (departmental accounts used by multiple people)
- mailing lists
- other communication tools—IM, IRC, Jabber, forums,

-records retention issues -- deletion of mail (per records manual); appropriate capture elements for retention—header, footer, addresees, etc.; creator is responsible for retention; need to include definition of public record & interpret (with legal) in future policy. What policies do we need to have in place (at least on the record) to respond to a records audit? Erin will share the State Archives e-mail manual and the e-mail policy template recently developed for CAS. At the state state level, OUS has delegated authority to pull out from under DAS. Erin is focusing on Oregon Revised Statutes that are OUS-specific; we will need to compare DAS IRMD vs OUS policies.

NEXT STEP: Create a writeboard (secure wiki) for each category & add a list of questions like these. Task force members will do this for the categories they are assigned, then the group will add to the list & we will discuss meeting-by-meeting. Please include your initials next to comments you are adding to someone else’s writeboard.

3. How to organize UO policy scan
a. search UO web
b. look through Randy’s draft & other in-process documents
c.look for best practice examples from other schools; EDUCAUSE, etc.
d. look for issues and concerns that aren’t currently addressed by central policies (academic freedom is a good example). HIPPAA — Health Ctr, Counseling Ctr, EC Cares, ASUO insurance; Athletic Training, others??
e. survey schools/colleges/units if necessary for policies that we might have missed

General discussion: once we have policy statements, what mechanisms will be in place to communicate, train, & impose the policy on the entire campus? What consequences will be in place for policy violations?

Plans for future meetings (Fridays at 9 am)

Minutes for Meeting of 27 October 2006

2006-11-10T17:13:00.000-08:00

Information Technology Policy Task Force

Meeting of 27 October 2006
9 -10 am, Computing Center rm 185
in attendance:Andrew Bonamici, Jon Miyake, Melinda Grier,
Noreen Hogan, Cleven Mmari, Erin O’Meara, Joe St. Sauver

absent: James Bailey, Randy Geller, Josh Ward

1. Introductions

2. Review Charge & Anticipated Scope of Work
discussion:
a. How will we determine what is “policy” and what is “procedure?” We looked at the BAO policy evaluation guidelines as a potential filter. Also, the Oct 2005 “Computer Use Policy” draft delineates between policy (pages 1 – 5) and “General Guidance” (p 6 – 10), with the intent that the policy sections will undergo relatively little change over time, while the procedural guidelines need to stay flexible in order to accommodate new tachnlogies, new organizational structures, etc.

b. Suggested additions to the “Policy Resources” area:
e-commerce policy (Jon)
OUS security policy [forthcoming?] (Jon)
OUS e-mail policy [forthcoming] (Erin)

3. Communications Plan:
Q: should we use Basecamp for secure TF work, with output posted to public site on uoregon.edu?
A:The committee agreed that this is an acceptable system for communication. [n.b. If task force members have questions about logging in or using the basecamp system, contact Andrew]

4. Review Randy’s “Computer Use Policy” draft:
Andrew gave some background from Randy on the origins of this document. Several years ago, the campus had some litigation in IT-related areas that were apparently not covered by existing policy. This prompted legal affairs to start drafting a more comprehensive policy framework.
Q: This document extends beyond “computer use” per se to encompass web policies, privacy, records policies, etc. Should it be re-named to serve as a starting point overall “IT Policy”?
A: Yes, we can do this.

Q: to what extent does the draft address Task Force charges 1 – 3?
A. we didn’t discuss this specifically

Q: if the TF identifies gaps that are not already addressed in this draft, should they be folded into this policy or should separate policies be developed?
A: let’s assess this case-by-case. One missing element is a policy for IT support of quasi/non-UO entities (Bookstore, UO Foundation, nonprofits, etc.). Also, do we need a section about authorized users who are not part of the UO community (for example, library patrons who are either onsite or accessing library resources over the network)? This is different than a guest account per se.

Q: are there ways of reorganizing elements of the draft for optimal presentation to the community? (see UMN example)
A: We agreed that the document is very long. For the public, each section should be presented separately, since most users will be looking for information on one topic at a time.

Other feedback on the draft:
a. There may be current standard checklists for some categories, so we should identify high-quality examples from other institutions and compare against these to be sure we aren’t missing anything.
b. There is some language in the draft (for example, supervisor access to accounts in the privacy section) that will be of great concern to campus stakeholders and will need to be carefully surrounded with procedural checks and balances.

5. Other agenda items?
Jon is finalizing the itpolicy@lists.uoregon.edu listserv. This will be an unmoderated closed list. Question: do we want the list archive to be public, and linked from our public page?

Sharing the work: Andrew will draft a worksheet to help provide a consistent basis for inventory and review of existing policies. This can include the BAO policy evaluation guidelines to help determine if the item should be treated as a policy or as a procedural guideline.

6. Next Meeting Schedule:
Friday mornings seem best for today’s attendees. We will follow up with e-mail.

EDUCAUSE Resources & Readings

2006-10-20T09:32:00.000-07:00

from EDUCAUSE Campus Policy Initiatives:
"Creating effective campus IT policies requires collaboration with a wide range of stakeholders beyond the computer center: Attorneys, librarians, faculty, research directors, judicial-affairs administrators, student-life specialists, and others. The EDUCAUSE/Cornell Institute for Computer Policy and Law is the principal EDUCAUSE initiative facilitating this activity."

Institutional Policies:

James Madison University

University of Iowa

UC Santa Cruz

University of Minnesota

READINGS & PRESENTATIONS

Rodney J. Petersen. A Framework for IT Policy Development
EDUCAUSE Review , vol. 39, no. 2 (March/April 2004): 54–55.

Patrick Spellacy, University of Minnesota. Policy Development Theory and Practice: An Emphasis on IT (view/download PowerPoint or html)

Jenny Mehmedovic and Marilu Goodyear, University of Kansas.
University and IT Policies: Match or Mismatch? (PowerPoint)

Please suggest other resources via "comments" below, or send e-mail to Andrew.

Policy categories & major topics

2006-10-19T17:41:00.000-07:00

Potential major categories or topics of IT policy framework
(initial list 28 sept 2006 from Jon & Andrew)

Academic Freedom (ref. faculty handbook; libraries)

Intellectual Property: tech transfer; student conduct; acceptable use

Acceptable Use (current policy probably needs to be updated)

User Accounts (allocated quota, bumping quota, extension when terminated/graduated, how early are they set up, etc.)

Standards: Operational (hosts, servers, platforms, etc.); disaster recovery & risk mgmt

Email: spam/phishing

Data Security: (John Kemp/OUS); disaster recovery & risk mgmt; incident reporting

Privacy: update with general counsel; also: FERPA issues, HIPAA, proxy logs, cookies

Records Management & Retention (this is established -- challenge is communication & education

Accessibility (compliance with section 508)

Web Policy and Guidelines: see for example, Web Service models & Policies from other institutions

General (policy development process; policy feedback; consequences/penalties for violations; appeal processes)

See also Joe's running list of higher ed security (& other) IT policies, guidelines, & best practices.

Charge and Membership

2006-10-19T16:02:00.000-07:00

Task Force Charge:

1) Review standard categories of IT-related policy and procedure as identifed by EDUCAUSE and other organizations.

2) Review the UO’s policy framework to determine where IT-related issues are currently addressed and identify existing potential gaps.

3) Recommend highest priorities for new &/or revised policies

4) Identify likely stakeholders to lead the development process for high-priority policies

Task force membership:
James Bailey, Disability Services

Andrew Bonamici, UO Libraries (co-chair)
Randy Geller, Legal Services (ad hoc participation)
Melinda Grier, General Counsel (ad hoc participation)
Noreen Hogan, Information Services
Jon Miyake, Information Services (co-chair)
Cleven Mmari, Student Affairs
Erin O’Meara, UO Libraries
Josh Ward, Information Services
Joe St. Sauver, Information Services (consultant)