Procedure for Developing IT Security Procedures

Version 1.3

For Students, Faculty, Staff, Guests, Alumni

Purpose

This document is the procedure used when developing an IT Security procedure that complements related IT Security policies at Fordham University.

Scope

This IT Security document and all policies referenced herein shall apply to all members of the University community, including faculty, students, administrators, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.

Procedure Statement

Initial Procedure Development 

  1. A director (or higher) who wishes to develop a procedure contacts the Senior Director of IT Security and Assurance (herein Director) to request a procedure.
  2. The requestor may create a procedure draft and send it to the Director or summarize what they are trying to accomplish.  
  3. The Director has an analyst draft a procedure for review.
  4. The Director shares an initial draft, if provided, with the analyst for edits.
  5. The Director sends the requestor a draft developed by the analyst to confirm the drafted procedure captures the essence of what is required by the policy.
  6. The Director, working with the requestor, identifies areas impacted by the procedure within IT.
  7. The Director coordinates with the directors of the impacted areas and with the requestor to gather feedback on the proposed procedure and incorporate changes, provided the changes do not undermine the requirements of the procedure.
  8. Once all feedback (e.g., requestor, business partners, departments) is incorporated, the Director has the analyst issue the final draft. This final draft includes the author and review frequency.
  9. The analyst sends the draft to the AVP/CISO for review.
  10. The AVP/CISO shares the draft with the CIO for review prior to sharing with the S-Team for feedback. If there are edits, the analyst incorporates them and sends them back for review.
  11. If the procedure requires Legal Counsel approval, the Director sends the draft to the Office of Legal Counsel for their approval. If there are edits, the analyst incorporates them and sends them back for review.
  12. Once the updated procedure is approved, the analyst publishes the latest version of the procedure to the IT Security Policy Library on the University’s website.

Procedure Review 

  1. One month before the procedure expires, the analyst sends a notification via email informing the responsible parties that the procedure needs to be reviewed.
  2. If the responsible parties deem no changes are required, they will respond in writing that no changes are necessary, and the Director or analyst will note that no further action is required.
  3. The analyst notes the procedure was reviewed in the revision history section.  
  4. In the absence of a responsible party, the Director identifies the appropriate person to review the procedure.
  5. In the absence of the Director, the AVP/CISO identifies the appropriate person to review the procedure.
  6. If the procedure requires revision, it must follow the Procedure Revision section's steps below.

Procedure Revision 

  1. The responsible parties who wish to modify their procedure may contact the Director to request the latest version of their procedure.
  2. The requestor may modify their procedure and send it to the Director or summarize what they are trying to accomplish and have the analyst draft an update for review.
  3. The Director shares an updated draft, if provided, with the analyst for edits.
  4. The Director sends the requestor updates to confirm the procedure has captured the essence of what is being modified.
  5. The Director, working with the requestor, identifies areas impacted by the procedure within IT based on the changes made.
  6. The analyst calls a meeting with the directors of the impacted areas and with the requestor to gather feedback on the proposed procedure and incorporate changes, provided the changes do not undermine the requirements of the procedure.
  7. Once all feedback is incorporated, the Director has the analyst issue the final draft.
  8. Depending on the significance of changes made to the procedure, the draft is sent to the AVP/CISO for review or approval.
  9. If the revision to the procedure is not approved, the Director works with the requestor to resolve issues and gain approval.
  10. The AVP/CISO may share the draft with the CIO for review prior to sharing with the S-Team for feedback. If there are edits, the analyst incorporates them and sends them back for review.
  11. If the procedure requires Legal Counsel approval, the analyst sends the draft to the Office of Legal Counsel for their approval.
  12. Once the updated policy is approved, the analyst publishes the latest version of the procedure to the IT Security Policy Library on the University's website.

Service Level

Because of the nature of the development of procedures and the coordination of impacted areas, it should be expected that initial policy development and procedure revisions may take 30 business days from start to finish. The procedure review occurs one calendar month before procedure expiration. If a modification to a procedure is required, the procedure revision begins at the time the Director is notified of the fact that changes are to be made, not at the time the procedure review commenced.

Definitions

IT Resources include computing, networking, communications, application, telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and related materials and services.

Related Policies and Procedures

Implementation Information

Review Frequency: Triennial
Responsible Person: Senior Director of IT Security and Assurance 
Approved By: CISO 
Approval Date: August 29, 2016

Revision History

Version: Date: Description:
1.0 08/29/2016 Initial document
1.1 08/30/2017 Updated procedure statement
1.0.2 05/23/2019 Updated scope
1.2 03/05/2021 Updated purpose and statement
1.3 03/20/2024 Updated purpose and statement

 
