Thursday, November 29, 2007

FINAL REPORT AND APPENDICES

Thanks for your interest in the work of the University of Oregon IT Policy Task Force, 2006-2007.

The IT Policy Task Force final report and appendices are now available for download at the following site: http://www.uoregon.edu/~bonamici/itpolicy/
Access is restricted to the UO network while the documents are under review.

Please forward any questions or comments to:

Andrew Bonamici (bonamici@uoregon.edu), Task Force Co-Chair
Jon Miyake (miyake@uoregon.edu), Task Force Co-Chair
Don Harris (cio@uoregon.edu), Vice Provost for Information Services & CIO

Thursday, March 29, 2007

Policy Reviews by category

As part of the IT Policy Task Force charge, we have reviewed
1) standard categories of IT-related policy and procedure as identifed by EDUCAUSE and other organizations, and

2) the UO’s policy framework to determine where IT-related issues are currently addressed and identify existing potential gaps.

We now have several analyses of policy categories available for comment:

- Policy Review: Academic Freedom
- Policy Review: Intellectual Property
- Policy Review: Privacy
- Policy Review: Accessibility
- Policy Review: User Accounts
- Policy Review: E-Mail
- Policy Review: Records Management
- Policy Review: Web Policies
- Policy Review: Netblock & Domain Names
- Policy Review: Standards, Op.(hosts), & Disaster Recovery

Please look these over and forward any comments to the task force, c/o bonamici@uoregon.edu. Additional reviews will be linked from the home page of this site as completed, so watch this space. Thanks in advance for your interest and participation in this important process.

Tuesday, March 13, 2007

IT Policy Task Force update for March 12, 2007

Here is the most recent update from the IT Policy Task Force (March 12, 2007).

Sunday, December 17, 2006

Task Force Progress Report

Please take a look at the IT Policy Task Force Progress Report (pdf). If you have any questions, please contact any member of the committee.

Saturday, December 09, 2006

Minutes for meeting of December 8, 2006

IT Policy Task Force

Meeting of 08 December 2006
9 – 10 am, Computing Center rm 185

in attendance: James Bailey, Andrew Bonamici, Jon Miyake, Noreen Hogan, Erin O’Meara, Joe St Sauver

Absent: Randy Geller/Melinda Grier, Cleven Mmari, Josh Ward

1. Review minutes from prior meetings (November 17 & December 1)

2. What’s happening/announcements:

3. We reviewed a draft status report for Don & other Task Forces (due mid-December) PROVIDE FEEDBACK BY WEDNESDAY DEC 13, 5 PM

4. Reviews by category (still to do)
  • Intellectual Property
  • Academic Freedom
  • Web Guidelines
  • User Accounts
  • General: Andrew will ask Melinda & Randy for overview. Is there a master flowchart for policy development, community review, adoption, & revision? For example, what policies require Senate approval or legal review before adoption (e.g., if complaints about the policy can be reviewed by Feds, UO legal review is required)?

5. We started but did not complete review of the web guidelines category.

6. Next week’s meeting is cancelled. Holidays begin after that, so our next meeting will be in January. We may need to change meeting time for next month.

Minutes for meetings of November 17 & December 1


IT
Policy Task Force
Meeting of 17 November 2006

9 -10 am, Computing Center rm 185

in attendance: Jon Miyake, Noreen Hogan, Cleven Mmari, Erin O’Meara, Joe St Sauver, Josh Ward

Absent (RSVPd): Andrew Bonamici, Randy Geller/Melinda Grier

Task Force members reviewed policy category writeboards for:
  • Data security
  • Records Management
  • Standards

November 24, 2006: no meeting due to Thanksgiving holiday


IT Policy Task Force
Meeting of December 1 2006
9 – 10 am, Computing Center rm 185

in attendance:Andrew Bonamici, Jon Miyake, Noreen Hogan, Cleven Mmari, Erin O’Meara, Joe St Sauver, Josh Ward

Absent (RSVPd): Randy Geller/Melinda Grier, Noreen Hogan

What’s happening/announcements: Jon distributed the OUS security policy draft. This is not for distribution beyond the IT Policy & Data Security Task Forces at this time.

Reviewed policy category writeboard for:
  • Accessibility
Reviews by category (still to do)
  • Intellectual Property
  • Academic Freedom
  • Web Guidelines
  • General: what is policy development, community review, & adoption flowchart? What are criteria for particular types of policies? (e.g., if complaints can be reviewed by Feds, should have legel review)

Next week (December 8): work on draft Update for Don & other Task Forces

Sunday, December 03, 2006

Minutes for meeting of 10 November, 2006

IT Policy Task Force

Meeting of 10 November 2006

9 -10 am, Computing Center rm 185
in attendance:Andrew Bonamici, Jon Miyake, Noreen Hogan, Cleven Mmari, Erin O’Meara, Joe St. Sauver, Josh Ward

absent (all RSVPd): James Bailey, Randy Geller/Melinda Grier

1. Approved minutes from last meeting

2. Discussed template inventory process & problems experienced to date. What do the categories mean, & what are the associated questions? Looking at the e-mail category, for example, a wide range of questions & issues emerged:

- spam/phishing—incoming &/or outgoing?
- blocking/unblocking
- spam filtered by default or not?
- attachments/defanging
- where should your email be? dept or uoregon?
- forwarding off-campus (FERPA, sensitive info, etc.)
- sending sensitive info (SSNs etc.) via email
- public record inplications/FOIA/civil discovery (articulate with records retention)
- access by supervisors/managers; terminated employees; mixed student-employee use
- size of attachments
- practice of using generic accounts (departmental accounts used by multiple people)
- mailing lists
- other communication tools—IM, IRC, Jabber, forums,

-records retention issues -- deletion of mail (per records manual); appropriate capture elements for retention—header, footer, addresees, etc.; creator is responsible for retention; need to include definition of public record & interpret (with legal) in future policy. What policies do we need to have in place (at least on the record) to respond to a records audit? Erin will share the State Archives e-mail manual and the e-mail policy template recently developed for CAS. At the state state level, OUS has delegated authority to pull out from under DAS. Erin is focusing on Oregon Revised Statutes that are OUS-specific; we will need to compare DAS IRMD vs OUS policies.

NEXT STEP: Create a writeboard (secure wiki) for each category & add a list of questions like these. Task force members will do this for the categories they are assigned, then the group will add to the list & we will discuss meeting-by-meeting. Please include your initials next to comments you are adding to someone else’s writeboard.

3. How to organize UO policy scan
a. search UO web
b. look through Randy’s draft & other in-process documents
c.look for best practice examples from other schools; EDUCAUSE, etc.
d. look for issues and concerns that aren’t currently addressed by central policies (academic freedom is a good example). HIPPAA — Health Ctr, Counseling Ctr, EC Cares, ASUO insurance; Athletic Training, others??
e. survey schools/colleges/units if necessary for policies that we might have missed

General discussion: once we have policy statements, what mechanisms will be in place to communicate, train, & impose the policy on the entire campus? What consequences will be in place for policy violations?

Plans for future meetings (Fridays at 9 am)

Friday, November 10, 2006

Minutes for Meeting of 27 October 2006

Information Technology Policy Task Force

Meeting of 27 October 2006
9 -10 am, Computing Center rm 185
in attendance:Andrew Bonamici, Jon Miyake, Melinda Grier,
Noreen Hogan, Cleven Mmari, Erin O’Meara, Joe St. Sauver

absent: James Bailey, Randy Geller, Josh Ward

1. Introductions

2. Review Charge & Anticipated Scope of Work
discussion:
a. How will we determine what is “policy” and what is “procedure?” We looked at the BAO policy evaluation guidelines as a potential filter. Also, the Oct 2005 “Computer Use Policy” draft delineates between policy (pages 1 – 5) and “General Guidance” (p 6 – 10), with the intent that the policy sections will undergo relatively little change over time, while the procedural guidelines need to stay flexible in order to accommodate new tachnlogies, new organizational structures, etc.

b. Suggested additions to the “Policy Resources” area:
e-commerce policy (Jon)
OUS security policy [forthcoming?] (Jon)
OUS e-mail policy [forthcoming] (Erin)

3. Communications Plan:
Q: should we use Basecamp for secure TF work, with output posted to public site on uoregon.edu?
A:The committee agreed that this is an acceptable system for communication. [n.b. If task force members have questions about logging in or using the basecamp system, contact Andrew]

4. Review Randy’s “Computer Use Policy” draft:
Andrew gave some background from Randy on the origins of this document. Several years ago, the campus had some litigation in IT-related areas that were apparently not covered by existing policy. This prompted legal affairs to start drafting a more comprehensive policy framework.
Q: This document extends beyond “computer use” per se to encompass web policies, privacy, records policies, etc. Should it be re-named to serve as a starting point overall “IT Policy”?
A: Yes, we can do this.

Q: to what extent does the draft address Task Force charges 1 – 3?
A. we didn’t discuss this specifically

Q: if the TF identifies gaps that are not already addressed in this draft, should they be folded into this policy or should separate policies be developed?
A: let’s assess this case-by-case. One missing element is a policy for IT support of quasi/non-UO entities (Bookstore, UO Foundation, nonprofits, etc.). Also, do we need a section about authorized users who are not part of the UO community (for example, library patrons who are either onsite or accessing library resources over the network)? This is different than a guest account per se.

Q: are there ways of reorganizing elements of the draft for optimal presentation to the community? (see UMN example)
A: We agreed that the document is very long. For the public, each section should be presented separately, since most users will be looking for information on one topic at a time.

Other feedback on the draft:
a. There may be current standard checklists for some categories, so we should identify high-quality examples from other institutions and compare against these to be sure we aren’t missing anything.
b. There is some language in the draft (for example, supervisor access to accounts in the privacy section) that will be of great concern to campus stakeholders and will need to be carefully surrounded with procedural checks and balances.

5. Other agenda items?
Jon is finalizing the itpolicy@lists.uoregon.edu listserv. This will be an unmoderated closed list. Question: do we want the list archive to be public, and linked from our public page?

Sharing the work: Andrew will draft a worksheet to help provide a consistent basis for inventory and review of existing policies. This can include the BAO policy evaluation guidelines to help determine if the item should be treated as a policy or as a procedural guideline.

6. Next Meeting Schedule:
Friday mornings seem best for today’s attendees. We will follow up with e-mail.