IT Policy Review Process at Brown University

Reliability and availability of the communications infrastructure are vital to the success of Brown's academic mission. The IT policies that are put into place are done so in the interests of the entire community - to communicate to end users the kinds of actions that can adversely impact the ability of other users to perform University functions in support of Brown's academic mission.

To ensure that Brown's IT policies are reasonable for students, faculty and staff, the following review process has been put into place:

1. A notice will be posted (on a web site for policies "currently under review") and sent to CIS Directors which communicates that a policy is going to be generated or updated, and the general reasons why the action is necessary. Subject Matter Experts (SMEs) will also determine how often the policy should be reviewed (based on changes in the environment), and a placeholder will be added to the calendar. A schedule for the policy will be posted on the draft policy web site. The Computing Advisory Board (CAB) and Internal Audit will be informed of the posting and individual members may choose to participate in the review process. The CAB may also suggest SMEs or add groups to the review list depending on the topic of the policy.

   Note: As draft documents are routed, requests for comments will be due by a particular date, and if no input is received by that date, concurrence will be assumed.

2. A draft policy will be generated based on an assessment of risk to Brown. Input will be gathered from Brown's peer organizations and other sources as required. A methodology for tracking changes is necessary as the policy is routed through various groups.
3. Subject Matter Experts will be gathered for meetings to discuss the draft, assess its impact, and make modifications as necessary.
4. The draft document will be forwarded to appropriate analysts at Gartner, Inc., a leading provider of research and analysis on the global IT industry. The analysts will compare the document to industry standards for completeness and currency, then present their recommendations to the IT policy review team for any further modifications to the document.
5. The draft document will be routed by e-mail through the CIS Directors, who are expected to engage their staffs as necessary.
6. Draft policy will be reviewed by the Vice President of Computing and Information Services (CIS) before release to University representatives. The VP will refer review to Cabinet membership or to Brown's Executive Committee as necessary.
7. The Office of the General Counsel and the Internal Audit Office will review the policy for legal issues prior to its release to non-CIS entities.
8. Faculty members of the CAB will review the policy on behalf of the Faculty Executive Committee (FEC). Should it warrant further scrutiny, the policy issues will be forwarded to the FEC for input.
9. Revised draft will be routed simultaneously through the following groups:
   • Departmental Computing Coordinators (DCCs)*
   • System Administrators*
   • Staff Advisory Committee (SAC)
   • Administrative Leadership group
   • Undergraduate Council of Students (UCS)
   • Graduate Student Council
   • Medical Student Senate

   *Notes: Only DCCs and SysAdmins who are officially recognized by their departments (and who are registered as such in the CIS database) will be included in the early review.

10. A copy of the "final" draft document will be posted for comment on the draft policy web site and final comments will be reviewed.
11. The policy document will go to the Computing Advisory Board (CAB) for final review and signoff.
12. The policy is published - announced via Morning Mail.
13. Policies are reviewed on a regular basis to maintain their relevance and accuracy. [ policy review cycle ]

Last Revised: April 4, 2005