Portfolio > 3c > 2. Acceptable Use Policy
Search this site

3. An effective organizer with skills in:
(c) Interpreting laws, regulations, and policies

3c2 Development and presentation of Computer Acceptable Use Policy

Development Plan Portfolio Documentation
Present the Computers & Networks Policy document to campus.  Describe training, promotion, presentation, and implementation. The Computers and Networks Usage Policy document: appropriate usage policies, pornography laws and policies, web block, privacy and copyright, as incorporated into the Andrews University Working Policy.

  1. Framing, Gaining Approval & Acceptance, and Implementing
  2. The Policy Revision Process

1. Framing, Gaining Approval & Acceptance, and Implementing

At the time work began on an "acceptable usage policy" for Andrews, Mailen Kootsey was the University Chief Information Officer (CIO).  He first proposed a draft of the policy on July 2, 1997, and called it "Information Technology and Security".  At this point in time, I was just completing my first year as the Director of Information Technology Services (ITS), whose name we had only just changed from the Andrews University Computing Center (AUCC) along with some new hiring and structural changes.  ITS personnel reviewed Mailen's draft and gave him lots of useful feedback as he worked on the wording.

On 13-May-1998, Mailen introduced the latest draft to the Administrative Computing Committee, for which he was the Chair and I was the Secretary.  The policy was referred to as the "Web and Email Policy" at this stage.  The committee worked through the entire policy document and gave extensive feedback.  Mailen incorporated their suggestions into a second draft dated May 27, 1998. This draft was called the "Email, Web, and Network Policy".

It was shortly after this that Mailen left Andrews University and I was asked to be the CIO.  I made notes on Mailen's draft as I took over the process of bringing the policy to the stage of final approval and acceptance.  This process took approximately six months (but it did not end there - the policy underwent onging reviews and revisions).  I presented my first draft on June 30, 1998, and by this time, I was calling it the "Computers and Networks Usage Policy", the name it is still known by.  In this revision, I worked mainly on the layout and formatting, and some of the wording.  I did not do anything substantive with the content.  I kept the drafts and a page of web links to computer policy resources on the web, and pointed this out at the 23-Nov-1998 meeting of the Administrative Computing Committee.  The draft I presented for discussion at this meeting was dated November 17,1998.

I subsequently presented this draft at the first General Faculty meeting for the Winter Quarter on January 19, 1999 using PowerPoint to cover the salient points of the policy.  I handed out copies of the latest draft at the meeting (dated November 17, 1998).  These had been formatted in the style of the University Working Policy.  The institution's growing dependence on IT, and the need to ensure fair and secure use of expensive resources was clearly understood by the group, and there was good support for adopting the policy.

Once the policy was made official, issues continued to be raised that either were not covered in the policy, or needed policy interpretation to know how the policy applied.  These occasions often led to minor revisions, and from time to time, collections of revisions were voted through the Computing Committees and endorsed by the President's Cabinet.  However, some items generated a lot of personal feeling and debate, such as the requirement that approval be obtained before buying administrative software.

Because of the turnover in the student population, and even in staff and to a lesser extent, faculty, training is not something that can be done once and then left alone.  As a result, the default promotion and training method seems to be by exposure - when someone violates one of the provisions of the policy, we point this out to them, and in the main, people are very willing to comply.  Except for some of the serious and deliberate attempted security breaches, we usually apply the provisions of the policy only for second or subsequent offences.

2. The Policy Revision Process

01-Aug-2000 Report to Administrative Computing Committee about possible policy changes relating to the need to maintain user accounts on both UNIX and Windows servers.
17-Apr-2001

Suggested revisions to the policy:

A.3.a Unauthorized access to or use of other users' accounts, system software, university data, or other computer systems.

A.3.f Attempts to evade or bypass system administration policies, such as resource quotas, firewall and web filter settings.

B.7 The operating systems and configurations of such servers must be maintained in a way that minimizes the risk of security breaches. From time to time, University network administrators will make arrangements with departmental server hackers. Should a security risk be discovered, for which there is a tested solution, the department will be required to apply the approved solution, and a date will be set for a retest. If appropriate action is not taken in a timely manner, the Chief Information Officer will notify the department through the appropriate Vice president that the server will be removed from the University network.

Suggested area for policy addition:
Require approval for installing administrative software on University owned computers.  This was to address a situation where a department had bought expensive software that largely duplicated software already purchased and installed in another department.

01-May-2001

This meeting considered my first draft of the clause to control the purchase of administrative software.  I placed this in Section A. General Guidelines and inserted it as Item c. Point 1., which was Section 1:762:11 of the Working Policy.  I proposed the following:

A.1.c. Any software intended for supporting administrative functions within the University must be approved by the Chief Information Officer prior to purchase.

To avoid possible duplication data or network incompatibility, and to maximize opportunities for on campus assistance, departments should consult with ITS prior to purchasing any computer software.

While it was felt the phrase "supporting administrative functions" could need some explanation or interpretation, this amendment was voted through the Administrative Computing Committee.  This draft of the policy included the revisions that had been proposed at the April 17 meeting.

02-May-2001

On the very next day (May 2, 2001) the amended policy was presented to the Academic Computing Committee for their approval.  There was good support for most of the revisions, but there were major objections to the phrasing of the clause concerning approval for software purchases (Section 1:762:11).  It was felt that the wording was too strong when it said "must be approved" by the CIO.

This committee proposed the following  much softer wording:

A.1.c. To avoid network incompatibility or possible duplication of data, and to maximize opportunities for on campus assistance, departments should consult with ITS prior to acquiring any computer software.

Check clause c in Section A.1 (1:762:11) for the revised wording proposed by the Academic Computing Committee.

19-Jun-2001 At this meeting of the Administrative Computing, I reported that the Academic Computing Committee had rejected the word they had proposed, and had suggested alternative wording.  This committee rejected that alternative wording, and to resolve the impasse, I was asked to take both wordings to the President for help in working out compromise wording.
31-Aug-2001

This is a draft memo that was written in response to a severe overload on the email server.  Research had revealed that the server was heavily overburdened in processing requests to check for new mail for people with inordinately large Inboxes.  A simple fix was proposed whereby old mail filed in Inboxes would be archived by year into other folders.

04-Sep-2001

On September 4, 2001, the Administrative Computing Committee met again and one of the items on the agenda was the Software Permissions Statement that was being worked on for the Computers and Networks Usage Policy.  This committee voted in favor of keeping the "must be approved" wording, but added some further text describe the rationale.

A.1.c. ITS sets policies for the installation and maintenance of standard and non-standard software packages on University-owned computers. These policies are described on the ITS-Client Services web site (http://www.andrews.edu/ITS/CS).

To avoid duplication of data and/or systems, to ensure data and network compatibility, and to maximize opportunities for technical support, all software that uses or interfaces to institutional data must be approved by the Director of Administrative Systems in ITS prior to purchase or development. The term "institutional data" includes data held at the departmental level as well as data on the central server. Departments where a violation of this policy is found will be asked to convert to an approved system.

For all other computer software, departments should consult with the Director of Client Services in ITS prior to purchase in order to ensure compatibility with our environment, and the availability of on-campus support.

The proposed policy changes were summarized in a document that was presented to the committee.

04-Sep-2001 At the same meeting of the Administrative Computing Committee (September 4, 2001), the issue of the overloaded email server was raised in order to get support for make the proposed changes to the large Inboxes.
07-May-2002

At this meeting, two further revisions to the Computers and Networks Usage Policy were proposed.

One dealt with a new policy permitting ITS to apply filters to incoming email in order to block SPAM - unsolicited commercial or inappropriate email.  Email from known commercial SPAM sites would simply be blocked, while a scoring system would be used for other potentially SPAM email, and messages scoring more than a certain threshold would be flagged with {SPAM?} in the SUbject line, but would still be delivered.

The second item proposed an Appeal Process that would apply not only to decisions about SPAM, but to any decision made on the basis of the Computers and Networks Usage Policy.  The two policy amendments were presented in a summary document, and both amendments were approved.

13-Jun- 2002 This is the Computers and Networks Policy as approved by the Computing Committees and endorsed by the President's Cabinet. I have made notes in red suggesting areas where further revisions should be considered as we move closer to single logons, and to cover the SPAM filtering and new Inbox email policies.


Return to 3(c) Interpreting laws, regulations, and policies

Created: Sunday, February 20, 2000 05:36 PM 
Last Modified: Sunday, July 4, 2004 5:08 PM