
3. An effective organizer with skills in:
(c) Interpreting laws, regulations, and policies

3c1 Process for identifying, developing, approving, and revising policies

Development Plan Portfolio Documentation
Identify areas for which policies and procedures need to be documented and set up mechanisms for developing, approving and revising those policies and procedures. Report the policies developed.  Review and reflect on the mechanisms set up for administering the policies, and their acceptance and effectiveness.
  1. Policy Areas
  2. Review and Reflect on Mechanisms

1. Policy areas

As there were many areas where policies had to be written and maintained, I developed an index page of useful links on the subject of computer policy.  I included links to drafts of developing Andrews policies on this page as well as the links to other policy pages, so that this was a useful resource for me and for the committees that assisted me in framing these policies and for the approval process.

One of the first major changes I initiated at Andrews was to add three new positions to the existing two supporting PCs.  In July, 1997, I wrote a memo to the campus outlining the change in staffing, and associated changes in hardware and software support policies.  To coincide with the announcement of these changes, the ITS Client Services Department produced a comprehensive document covering software support, hardware support, network support, and Computer Store policies.  It also included details of the standard hardware and software policies.

Another question that arises from time to time is what to do about problems that are reported out of normal work hours, and in particular, those occurring during Sabbath.  A question about 24x7 support was asked on the EDUCAUSE CIO list, and of the 12 institutions that responded, there were about five variations on the approach that was taken.  Andrews has not formalized any policy on this as yet, which sometimes means the out of hours support load is not shared around equitably.

In 1999, the area of hardware standards was revisited.  This was prompted in part by the desire to adopt a quality platform from a reputable vendor, and we had been having good success with the business line of machines from Dell.  We believed there were significant Total Cost of Ownership (TCO) issues stemming from this.  Another factor was the approach of Y2K.  As a result, we prepared a revised hardware standards document (March 1999), and with Dan Widner, Director of Client Services, gave presentations to the Deans' Council (9 March, 1999), Financial Management Committee (11 March, 1999), and President's Cabinet (15 March, 1999).  There was support in principle for what we were trying to accomplish, but I have to confess that my approach to proposing change was somewhat naïve, so we were unsuccessful in having our recommendations adopted.

Even before we had an officially adopted computer acceptable use policy, we had a formal account signup form that included a section on acceptable uses and inappropriate uses of computer accounts (see example).  The development of the official policy is covered fully in the next section.  See Computers and Networks Usage Policy for the current version of this policy.

Copyright matters are dealt with in Section D of the Computers and Networks Usage Policy under Software and Intellectual Property.  Appendix RR is a summary of "Software Use and the Law" prepared by the Software Publishers Association.  Appendix SS, also prepared by the Software Publishers Association, summarizes the Copyright Act and the concept of Fair Use.  Section A.5 of the policy covers the issue of privacy and confidentiality.

In early 2000, the MP3 compression format made its mark.  With compression  rates of 10:1 and higher, it became quite feasible for music collectors with Internet connections to share their favorite music over the Internet.  A program called Napster was developed to simplify the sharing process, and was so successful that within a short time, huge amounts of bandwidth were being consumed by students in the residential halls uploading and downloading music.  This was expressly prohibited in Section A.3.h of the Computers and Networks Usage Policy, as well as being in contravention of copyright law.

  1. Prohibited activities on campus computers and networks, some of which may constitute criminal activity, include but are not limited to the following:
    h. Excessive use of resources, such as network bandwidth or disk storage.

In February of 2000, I met with the Student Services Council to explain the issues surrounding MP3, Napster, and copyright law.  I was interviewed for a news article that was published online (also on local server), where I am quoted as saying:

"David Heise, Chief Information Officer for Andrews University, said, 'Having Napster on a computer violates Andrews' acceptable usage policy on at least three counts: it uses resources excessively, it is indiscriminate about violating copyright laws (a federal offence), and it offers off-campus service. We want our students to realize the ethical concerns that are unknowingly placed on them when they use Napster.'"

Email was another area warranting special attention.  There were issues about requiring students to have an official email address for university correspondence, account name formation, account activation, password policies, privacy, archiving and retention, and many others.  I drafted a document as a discussion point for developing a comprehensive email policy.

The committees that had the most to do with approving the Computers and Networks Usage Policy were the Academic Computing Committee and the Administrative Computing Committee.  The Web Committee did a lot of work framing and getting approval for the Web Policy.  This was started by Mailen Kootsey in early 1997 as a draft document covering personal web pages.  The Web Committee approved a formal web policy document (Andrews University web server; local copy)

Writing policies to cover the area of computer hardware and software standards is always a tricky proposition.  Each individual often believes they are a special case, and especially in an academic environment, the notion of enforcing software standards is very foreign and hard to swallow.  Fried (1995)[1] has some very wise counsel on the subject, and makes a good case for what he calls "self enforcing standards".  See my slide on this from the course I taught on IT Management using his book "Managing Information Technology in Turbulent Times".   (This was slide 11 from the session on chapter 2 of the book.)

In December, 2000, I conducted a brief email survey using the EDUCAUSE CIO list to solicit responses from other CIOs in higher education.  Colleen Keller, Information Specialist for EDUCAUSE, requested permission to post a link to the survey on the EDUCAUSE Information Resources page (http://www.educause.edu/asp/doclib/ and http://www.educause.edu/asp/doclib/subject_docs.asp?Term_ID=375), which I was glad to give.  See EDUCAUSE Request to post office software study.

I read many of the policies that are made available online by other colleges and universities, and borrowed ideas from some of them.  After most of the policy writing reported here had been completed, I obtained other resource material, which should hopefully prove useful during revision cycles that are still in the future.

2. Review and Reflect on Mechanisms

Committee Discussion and Approvals
Internet access while traveling
PC Theft Control
Data Standards
PC support pricing options
Computer Account Terminations
Scope of computing committees
Computers and Networks
Web Filtering
Dialup Modems

2.1 Introduction

One of the mechanisms for developing policies was to do benchmarking and research on the web to see what other similar institutions had put in place.  I built a page of links I found useful in this regard.  Other resources included White Papers that were downloadable from some commercial sites.  For example, see Employee E-mail and Internet Risks: Policy Guidelines and Investigations by Mark Schreiber from the Labor & Employment Law Department of Palmer & Dodge LLP, Boston.  I also purchased a computer policies guide from COMPUPOL Inc called Employee Computer Policies Made Easy.  In September, 2000, I attended a one-day seminar run by Padgett Thompson Seminar called The Basics of Writing Policies and Procedures (see my certificate).

However, while these approaches may lead to policies that are in line with best practice, they do little to address the issues of acceptance and effectiveness and their ongoing usefulness and value.  To do this, it is necessary to involve the constituents, those who will be affected by the policies that are put into effect.  This is most readily done through the use of discussion groups, the committee process, and presentations in forums such as the Deans' Council, the University Senate, and meetings of the General Faculty.

2.2 Committee Discussion and Approvals

Note: I have ready access to the minutes of the Administrative Computing Committee since mid-1996 since they have been kept on the web.  So the examples I am using to document this part of my portfolio come from that committee, although some topics were discussed extensively in other committees as well.

Note: The links to committee minutes go directly to the relevant item, which will be preceded by the characters [*] in red with a gray shaded background.

1. Internet access while traveling

At a committee meeting in October, 1996, various options were proposed to give faculty and staff access to their email and the Internet while traveling.  Policies were eventually written to cover the use of an 800 number for business purposes. After we trialled this for a period, we made it available to all faculty and staff.  The Telecommunications Department analyzed the costs of offering the service and decided that they did not warrant the effort of processing the charges back to the user departments.  So this service has been well accepted and is much appreciated.

2. PC Theft Control

1996 was a bad year for losing PCs through theft.  By October 1996, losses for the calendar year had totaled $56,000.  Recommendations were prepared in the Administrative Computing Committee, and were approved there and in the other necessary venues.  The following committee meeting minutes document the approval and implementation of a policy to install locking kits on all PCs above a certain configuration.

The costs for the initial rollout were covered out of Risk Management funds, and were included in the purchase price for new systems.  This approach led to very good acceptance of the policy, since the need was clearly demonstrated, and departments suffering this kind of loss had to fund the entire replacement from their own budget.

3. Data Standards

There were a variety of policy decisions that had to be made in the area of data standards.  Some of these are referred to in the committee minutes listed below.  One thing that we found rather surprising had to do with data ownership.   Prior to the Banner enterprise software, all changes to name and address records were done in a single office, known as the NIDA office (Name, ID, and Address).  There was a strong sense of protectiveness about the data, and data quality problems were kept to a minimum.  With the coming of Banner, there was a complete change of paradigm.  Name and address maintenance went from being totally centralized to very decentralized, with records able to be changed at the residence hall reception desks, in the housing office, in the library, and at other locations.  The surprising thing that happened along with this was the abdication of responsibility for data quality.  No one claimed ownership of the data, and no one wanted to act as the guardian for quality data entry.  The Data Quality QIT (Quality Improvement Team) came up with some preliminary recommendations, but the team got bogged down on divergent needs, and their work was overshadowed by the emergence of Web Registration as a strategically important IT project.
  29-Jan-1997 Include email address under the definition of Directory Information.
  15-Apr-1998 Data entry standards and data quality, setting up a Quality Improvement Team.
  13-May-1998 Report on revisions to Data Entry Standards Manual.
  03-Aug-1999 Data Quality QIT (Quality Improvement Team) set up.
  05-Oct-1999 Facilitator for Data Quality QIT named.

4. PC support pricing options

Andrews University uses a charge-back model for funding part of the costs of supporting personal computers on campus.  Time spent on service calls is billed to the department where the work is being done.  This is in contrast to most other institutions where PC support is usually budgeted as an overhead cost.  This distinction became very important during my first year at Andrews, since the greatest need demanding the most urgent attention was to improve PC support.  The university was attempting to support up to 1,000 PCs with just two technicians.  I made a request for four new positions to be created, and was granted three, which had a profound impact on the quality and timeliness of PC support.  However, the challenge was that in the new budget that was approved, we were charged with raising an additional $166,000 in recovered costs.

We prepared several scenarios as to how we might accomplish this, and presented them in a number of venues.  The minutes of February 26, 1997 Administrative Computing Committee give a brief summary of the final proposal, and the reaction to it.

5. Computer Account Terminations

I am always amazed at how institutions seem to have very little problem making up pays for new employees, and ceasing payments when an employee leaves.  And yet it seems to be a perpetual problem auditing the current computer accounts to find out which ones are no longer current.  When an employee leaves, we stop paying them wages, but so often, we leave their access to our computer systems wide open.  The minutes of the June 30, 1997 Administrative Computing Committee document one of the many attempts to get control of this situation.

6. Scope of computing committees

It was the responsibility of most standing committees at the University to review their charter annually.  The AU Committee manual had this brief statement under the Administrative Computing Committee:

"The Administrative Computing Committee reports to the President. It also serves to advise the University's Chief Information Officer and the President's Cabinet. Its minutes are subject to the scrutiny and review of the Andrews University Senate. This committee meets at the call of the chair at least once per quarter."

In preparation for the November 23, 1998 meeting of the Administrative Computing Committee, I located some sample charter statements as a starting point for creating our own charter document.  The ideas presented at the committee seemed to be well accepted by the committee, and one of my staff members and I were charged with preparing a draft for the next meeting.

In the April 4, 2000 meeting of the Administrative Computing Committee, the Charter, Membership, and Attendance appeared on the agenda again.  This was prompted by a waning of interest in and attendance at the committee's meetings.  It is my suspicion that interest had been high during the implementation of Banner, when stakeholders wanted to be sure their interests were well represented.  Once the implementation of Banner was mostly complete, we began to have attendance problems, and this prompted another attempt at redefining the scope of the committee.  However, as the April 4 minutes show, interest was hard to muster.

I presented a draft charter document at the February 13, 2001 meeting of the Administrative Computing Committee.  In this draft, I proposed a new name for the committee, a Charge or Mission, Role and Responsibilities, and Membership guidelines, each preceded by some other examples.  There was little discussion during the meeting, as members were going to read it and bring their ideas to future meetings.  However, this continues to be unfinished business.

7. Security

No computer policy is complete without a comprehensive treatment of security.  At the October 22, 1997 meeting of the Administrative Computing Committee, Dr. Dan Bidwell, our resident security guru, gave a report outlining six types of Internet access in support for the creation of our first firewall.  Actions were taken by the committee to implement some of Dan's recommendations immediately, while giving further study to some of the others.

On April 6, 1999, the committee discussed a new Institutional Data Access Policy governing closure of inactive Banner accounts.  This item could also be placed under Section 5. Computer Account Terminations, but the security threat is so significant that I put it here under Security.  The policy was discussed and revised on May 4, 1999, and was approved after a final review on June 1, 1999.

8. Computers and Networks

The Development and Presentation of Computer Acceptable Use Policy is discussed in full in Part 2 of this competency.

9. Web Filtering

One of the policies that generated more widespread discussion and debate than any other was the Web Filtering policy.  This was initiated by the President's Cabinet and reported to the Administrative Computing Committee on October 22, 1998.  Web filtering had been in place for a relatively short period of time in the elementary school and in the academy for the obvious reasons of guarding young minds from the too readily available web pornography.  More recently, the residence halls had also been routed through the web filter.  In this case, the reasoning was driven more by the need to obtain better management of Internet bandwidth.  It was found that up to 80% of our Internet bandwidth was being used for pornography to the dorms.

Then the President's Cabinet voted to implement web filtering incrementally across campus.  Web filtering on faculty and staff computers would be optional, and an instruction sheet was handed out that explained how to configure the browser to apply and to remove web filtering.  Even though web filtering was voluntary, some of the faculty created an incredible fuss because they thought their academic freedom was being tampered with.  This was debated in the General Faculty meetings, and occupied several months of discussion time at the University Senate.  However, once the dust settled, most people were pleased to have protection from inadvertently following a link in their research and ending up on a porn site.

10. Dialup Modems

Dialup modems are very near and dear to students living in the university apartments and in the community, and not surprisingly, modems are frequently the subject of discussion.  The issues are - they are too often busy, they are too slow, I can't stay connected for long enough, etc.

In the mid-90s, we had 16 28.8Kbps and 32 33.3Kbps modems, and it is true that these were too slow, and there were not enough of them.  We debated long and hard the question of whether we should even be in the business of providing general dialup Internet access, or whether we should merely direct people to a local ISP (Internet Service Provider).  Eventually, it was argued that since on campus students had 10Mbps network connections in their rooms, off campus students (who pay the same technology fee) should not have to pay extra for their own dialup connections.

So a new bank of 60 56Kbps modems was purchased and installed.  This greatly relieved the situation, temporarily.  After doing some research, it was discovered that a handful of users were abusing their connect time privileges, so it became necessary to develop some fair use policies for the modems.  A policy was developed by the Academic Computing Committee, and on June 6, 2000, the Administrative Computing Committee reviewed and supported the policy.

[1] Fried, Louis. (1995). Managing Information Technology in Turbulent Times. John Wiley & Sons. ISBN: 0-471-04742-2

Created: Sunday, February 20, 2000 05:34 PM 
Last Modified: Monday, September 28, 2009 5:34 PM