Procedure for Developing IT Security Policies
Version 1.3
For Students, Faculty, Staff, Guests, Alumni
Purpose
This document is the procedure used when developing an IT Security Policy at Fordham University.
Scope
This IT Security document and all policies referenced herein shall apply to all members of the University community, including faculty, students, administrators, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.
Procedure Statement
Initial Policy Development
- A director (or higher) who wishes to develop a policy contacts the Senior Director of IT Security and Assurance (herein, the Director) to request a policy.
- The requestor may create a policy draft and send it to the Director or summarize what they are trying to accomplish.
- The Director has an analyst draft a policy for review.
- If the requestor provided an initial draft, the Director shares it with the analyst for edits.
- The Director sends the requestor a draft developed by the analyst to confirm the drafted policy captures the essence of what is required by the policy.
- The Director, working with the requestor, identifies areas impacted by the policy within IT.
- The Director coordinates with the directors of the impacted areas and with the requestor to gather feedback on the proposed policy and incorporate changes, provided the changes do not undermine the requirements of the policy.
- Once all feedback (e.g., requestor, business partners, departments) is incorporated, the Director has the analyst issue the final draft. This final draft includes the author and review frequency.
- The analyst sends the draft to the AVP/CISO for review.
- The AVP/CISO shares the draft with the CIO for review prior to sharing with the S-Team for feedback. If there are edits, the analyst incorporates them and sends them back for review.
- If the policy requires Legal Counsel approval, the Director sends the draft to the Office of Legal Counsel for their approval. If there are edits, the analyst incorporates them and sends them back for review.
- Once the updated policy is approved, the analyst publishes the latest version of the policy to the IT Security Policy Library on the University's website.
Policy Review
- One month before policy expiration, the analyst sends a notification via email informing the responsible parties that the policy needs to be reviewed.
- If the responsible parties deem no changes are required, they will respond in writing that no changes are necessary, and the Director or analyst will note that no further action is required.
- The analyst notes the policy was reviewed in the revision history section.
- In the absence of a responsible party, the Director identifies the appropriate person to review the policy.
- In the absence of the Director, the AVP/CISO identifies the appropriate person to review the policy.
- If the policy requires revision, it must follow the Policy Revision section's steps below.
Policy Revision
- The responsible parties who wish to modify their policy contact the Director to request the latest version of their policy.
- The requestor may modify their policy and send it to the Director or summarize what they are trying to accomplish and have the analyst draft an update for review.
- If the requestor provided an updated draft, the Director shares it with the analyst for edits.
- The Director sends the requestor updates to confirm the policy has captured the essence of what is being modified.
- The Director, working with the requestor, identifies areas impacted by the policy within IT based on the changes made.
- The analyst calls a meeting with the directors of the impacted areas and with the requestor to gather feedback on the proposed policy and incorporate changes, provided the changes do not undermine the requirements of the policy.
- Once all feedback is incorporated, the Director has the analyst issue the final draft.
- Depending on the significance of changes made to the policy, the draft is sent to the AVP/CISO for review or approval.
- If the revision to the policy is not approved, the Director works with the requestor to resolve issues and gain approval.
- The AVP/CISO may share the draft with the CIO for review prior to sharing with the S-Team for feedback. If there are edits, the analyst incorporates them and sends them back for review.
- If the policy requires Legal Counsel approval, the analyst sends the draft to the Office of Legal Counsel for their approval.
- Once the updated policy is approved, the analyst publishes the latest version of the policy to the IT Security Policy Library on the University's website.
Service Level
Because of the nature of the development of policies and the coordination of impacted areas, it should be expected that initial policy development and policy revisions may take 30 business days from start to finish. The policy review occurs one calendar month before policy expiration. If a modification to a policy is required, the policy revision begins at the time the Director is notified of the fact that changes are to be made, not at the time the policy review commenced.
Definitions
IT Resources include computing, networking, communications, application, telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and any related materials and services.
Related Policies and Procedures
Implementation Information
Field | Value |
---|---|
Review Frequency | Triennial |
Responsible Person | Senior Director of IT Security and Assurance |
Approved By | CISO |
Approval Date | August 29, 2016 |
Revision History
Version | Date | Description |
---|---|---|
1.0 | 08/29/2016 | Initial document |
1.0.1 | 08/14/2019 | Updated procedure statement |
1.2 | 03/05/2021 | Update purpose, scope, definitions, and procedure statement |
1.3 | 03/20/2024 | Updated procedure statement |