Information Technology Governance Policy
From Appalachian State University Policy Manual
- 1 Introduction
- 2 Scope
- 3 Definitions
- 4 Policy and Procedure Statements
- 5 Additional References
- 6 Authority
- 7 Contact Information
- 8 Original Effective Date
- 9 Revision Dates
The needs of the University Information Resources continually evolve as new challenges, opportunities, and technologies emerge. The purpose of this policy is to define an Appalachian State University (“Appalachian”) Information Technology (“IT”) Governance program that ensures IT solutions are strategically aligned with institutional goals to minimize risk to the University.
This policy applies to all Appalachian faculty, staff, students, vendors and visitors who access Institutional Data. This policy is not meant to address the release of Institutional Data under public records laws or other legal requirements, such as in response to subpoenas or court orders.
3.1 Information Resources
- All devices, services, networks and other resources and technology related to the transaction of University business, regardless of form or location, that are owned, provided, or administered by or through the University, or used to electronically store, process, or transmit information.
3.2 Institutional Data
- All data, regardless of physical form or characteristic, made or received in connection with the transaction of University business that is in the possession or control of the University.
3.3 Information Technology (IT)
- The hardware and software resources owned, leased, or used by the University and its partners to store, process or transmit University information. Information Technology is a subset of the University’s Information Resources.
3.4 Enterprise IT Services and Applications
- Information Technology solutions that support functions critical to the University’s mission. Enterprise IT Services and Applications are generally accessed by more than one University department; are supported by central, distribution and functional IT units; and are described in Appalachian’s IT Service Catalog.
3.5 Information Technology (IT) Governance
- The policies, standards, structures, processes, and guidance established to ensure that the University’s Information Resources supports the mission, goals, objectives, and regulatory requirements as established by UNC System policies, federal and state law and regulation, and University policies.
3.6 Information Technology (IT) Standards
- Documented principles that establish requirements and processes that provide a reliable basis for shared expectations on how the University will comply with Information Technology related University policies, as well as federal and state laws and regulations.
3.7 Information Technology (IT) Guidelines
- Documented guidelines for recommended best practices to streamline processes, reduce risk, and adhere to Information Technology Governance. IT Guidelines are recommended best practices approved by the Chief Information Officer and are not mandatory.
3.8 Information Technology (IT) Projects
- Temporary endeavors to introduce new Appalachian IT Services, as well as implement significant changes to existing Appalachian IT Services.
4 Policy and Procedure Statements
4.1 Information Technology Governance Program
4.1.1 IT Governance Program
The Chancellor vests the Chief Information Officer with the authority and responsibility to oversee and implement Appalachian’s IT Governance Program (the “Program”). The purpose of the Program is to develop consistent planning, prioritizing, funding, evaluating, and auditing of Information Resources and Information Technology.
The Program shall consist of Appalachian’s Department of Information Technology Services (ITS) and decentralized Information Technology units and staff throughout the University.
The goals and objectives of the Program are to:
- adhere to the requirements of this policy;
- assist the University with meeting the requirements of federal and state law, UNC System policy, and University policies;
- identify and manage risks and threats to Information Resources;
- innovate and adopt new processes, services, and systems to fulfill the University’s mission and protect Institutional Data and systems; and
- collaboratively review any IT audit findings and develop remediation plans.
4.1.2 Policies, Standards, and Guidelines
The Chief Information Officer is required to establish IT policies and procedures to meet the goals and objectives of the IT Governance Program. The sources of authority to meet these objectives include:
- Information Technology Policies, as identified in the Appalachian Policy Manual;
- IT Standards; and
- IT Guidelines.
Impacted campus entities, including, at minimum, the IT Implementation Group and the IT Board of Directors will review proposed policies and standards.
The Chief Information Officer, in conjunction with the IT Executive Council, IT Board of Directors, and IT Implementation Group, will develop reports of IT Projects, share relevant information to campus through outreach and website publications, and solicit campus feedback as needed. IT Standards and IT Guidelines will be posted on a website managed by ITS.
4.1.3 Annual Governance Improvement Plan
IT Governance will follow an implementation cycle that supports increasing maturity in IT Governance through annual governance improvement plans. The Chief Information Officer will work with IT Governance Groups and the campus community to: (1) annually assess progress on the University’s IT Governance implementation, and (2) develop IT Governance recommendations and annual action plans to improve IT Governance and University risks.
4.1.4 Annual Review
The Chancellor and the Chancellor’s Cabinet shall be responsible for annually reviewing the IT Governance Program, action plans to improve IT Governance, as well as reviewing and providing guidance concerning risks identified by the Chief Information Officer.
4.2 IT Governance Groups
4.2.1 IT Governance Groups are responsible for providing recommendations and assisting with IT Governance as identified below. The IT Governance Groups consist of:
- IT Executive Council;
- IT Governance Board of Directors;
- IT Implementation Group; and
- Technical Advisory Groups.
4.2.2 IT Executive Council
This IT Executive Council (“Council”) serves to discuss IT issues, resources, and challenges. The Chancellor appoints members of the Council. The Council is responsible for:
- Recommending changes to IT policies and standards;
- Providing oversight of the IT Governance program and reviewing exceptions that are inconsistent with IT Governance principles and standards;
- Reviewing IT Standards identified by the Chief Information Officer;
- Approving a prioritization model for identifying an order of importance for evaluating IT Projects based on institutional needs;
- Making strategic project decisions regarding funding, risk and business process changes; and
- Reviewing reports of IT Projects.
4.2.3 IT Governance Board of Directors
The IT Governance Board of Directors (“Board of Directors”) is comprised of directors of central and distributed IT units, representation from the Faculty-Senate, and divisional directors and associate vice chancellors with specific IT resource needs. In consultation with the IT Executive Council, the Chief Information Officer appoints members to the Board of Directors. The Board of Directors are responsible for:
- Reporting and recommending IT projects;
- Reviewing the IT Service Catalog and designating IT services and applications as Enterprise IT Services and Applications;
- Recommending the introduction, improvement and retirement of Enterprise IT Services and Applications based on value, costs and supportability;
- Reviewing and advising on IT policy and standards, including IT policy and standard exemptions;
- Approving operational changes with limited campus impact, as identified by the Chief Information Officer;
- Approving the designation of University committees, councils and advisory groups as Technical Advisory Groups; and
- Functioning as the governance liaison to their respective areas or division.
4.2.4 IT Implementation Group
The IT Implementation Group is comprised of managers and IT staff within central, distributed and key functional areas. In consultation with the Appalachian IT leadership, the Chief Information Officer appoints members to the IT Implementation Group which is responsible for:
- Recommending IT Standards, guidelines, IT projects, and changes to our Enterprise IT Services and Applications to ensure the effective and efficient use of Information Resources;
- Reviewing proposed technology changes, IT projects, and IT policies, standards and guidelines for impact, feasibility, and resource needs; and
- Developing implementation plans for IT Projects and IT changes.
4.2.5 Technical Advisory Groups
Existing University committees, councils and working groups may be designated as a Technical Advisory Group by the IT Governance Board of Directors. These groups with a Technical Advisory Group designation are typically self-organized, ITS directed, or University assigned technology groups created to assist the University with incorporating Information Resources across campus, or meeting legal or regulatory requirements. The Chief Information Officer, or delegate, may provide information on IT Projects and initiatives to Technical Advisory Groups to coordinate IT Governance to fulfill the University’s mission. Technical Advisory Groups shall be responsible for requesting IT Projects to meet institutional needs.
4.3 Policy Implementation and Compliance
The Chancellor has delegated authority and oversight for the administration and implementation of this policy to the Chief Information Officer. The Chief Information Officer shall be responsible for:
- the development, management, and enforcement of University policies and standards to assist the Appalachian community with complying with this policy;
- seeking recommendations from IT Governance Groups and the Chief Information Security Officer, identified in Appalachian Policy 903 – Information Security Policy; and
- conducting the periodic review, revisions, and updates of policies, standards and guidelines to identify risks, and develop action plans to improve IT Governance and the effective operation of the Program.
5 Additional References
- Appalachian Policy 902 - Data Governance Policy
- Appalachian Policy 903 - Information Security Policy
- Appalachian Policy 905 - Identity and Access Management Policy
- Appalachian Policy 906 - Acceptable Use Policy
- UNC Policy Manual 1400.1 - Information Technology Governance
- IT Policy, Standards and Guidelines Website
7 Contact Information
- The Office of the Chief Information Officer - (828)262-6278
8 Original Effective Date
- January 29, 2019
9 Revision Dates
- December 10, 2020