University of Virginia Library

ATTACHMENT A

IT POLICIES


University Information Technology Project Management Policy

Contact Office: Office of Information Technologies

Oversight Executive: Vice President & CIO

Applies to: University Academic Division, Medical Center, and College at Wise

Reason for Policy: The University is committed to continuously improving the delivery of information technology (IT) solutions within budget, on schedule, within scope and in such a way as to best contribute to accomplishing the University’s strategic mission. This policy furthers that goal by establishing the common and consistent application of project management best practices in the management of IT projects. A uniform project management framework promotes consistency and better control of IT projects, thereby reducing risks and increasing project successes.

Definitions:

  • IT Project – a project having as its primary purpose the creation of a unique information technology product or service. Research projects, research initiatives, and instructional programs are not included in the scope of this policy.

  • PMI - Project Management Institute

  • Project - a temporary endeavor undertaken to create a unique product, service or result (PMBOK, 2000 edition).

  • Project Management - the application of knowledge, skills, tools and techniques to mitigate risk, control budget, and manage scope of tasks.

Policy Statement: Information technology projects are managed in accordance with best practices promoted by the nationally recognized Project Management Institute (PMI), appropriately tailored to the specific circumstances of the University. For example, project managers possess professional credentials and/or an appropriate level of project management training or experience. Projects that engage leading IT consulting or software development firms to assist with project management may apply additional best practices provided by these firms.

Methods used for project auditing, such as Independent Verification and Validation (IV&V), are aligned with industry best practices, consultant expert guidelines, and known industry accepted standards such as Institute of Electrical and Electronics Engineers (IEEE) Standard 1012-2004 for Software Verification and Validation, International Standards Organization (ISO) 9000-2000 series, and Software Engineering Institute Capability Maturity Model (SEI-CMM). These methods are tailored to the Higher Education environment by internal departments and in coordination with consultants as warranted.

Exclusions: The scope of this policy does not extend to research projects, research initiatives, or instructional programs.

An overview of the University’s IT Project Management Framework, along with procedures, templates, and tools, is posted at: <links to be added>

  • Academic Division’s IT website
  • The Medical Center’s IT website
  • The College at Wise’s IT website

Procedures: N/A

Related Information:

Institute of Electrical and Electronics Engineers (IEEE) Standard 1012-2004 for Software Verification and Validation – Software Verification and Validation (V&V) processes determine whether the development products of a given activity conform to the requirements of that activity and whether the software satisfies its intended use and user needs. Software V&V processes include analysis, evaluation, review, inspection, assessment, and testing of software products.

International Organization for Standardization (ISO) – Quality Management Principles (ISO 9000:2000) – ISO 9001:2000 specifies requirements for a quality management system for any organization that needs to demonstrate its ability to consistently provide products that meet customer and applicable regulatory requirements and aims to enhance customer satisfaction.

Project Management Institute – The world’s leading not-for-profit professional association in the area of project management. http://www.pmi.org/

Project Management Institute. October 2004. A Guide to the Project Management Body of Knowledge (PMBOK Guide) - Third Edition.

Software Engineering Institute - Capability Maturity Model Integration (SEI-CMMI) – The CMM outlines the methods to obtain software process maturity. Several levels of maturity can be reached as an organization’s software project management evolves from that of chaotic non-repeatable performances to repeatable mature disciplined software processes. The model focuses on key attributes of each improved maturity level and provides guidance on the best practices used to achieve each level. The goal is to reach an efficient and disciplined approach to software management.

Background: The Commonwealth of Virginia Restructured Higher Education Financial and Administrative Operations Act of 2005 grants institutions additional authority over financial and administrative operations, on condition that certain commitments to the Commonwealth are met. The University of Virginia’s Management Agreement with the Commonwealth provides full delegated responsibility for management of the institution’s information technology project management and project auditing activities. This delegation includes the authority to conduct these activities in accordance with industry best practices appropriately tailored for the specific circumstances of the University, in lieu of following Commonwealth-determined specifications. This policy documents the industry best practices with which the University will align its project management and project auditing activities.


University Information Technology Security Program Policy

Contact Office: Office of Information Technologies

Oversight Executive: Vice President & CIO

Applies to: University Academic Division, Medical Center, and College at Wise

Reason for Policy: The University has a highly complex and resource rich information technology environment upon which there is increasing reliance to provide mission-critical academic, instructional and administrative functions. Safeguarding the institution’s computing assets in the face of growing security threats is a significant challenge requiring a strong, persistent, and coordinated program that leverages widely accepted, effective security practices appropriate for the higher education environment. This policy states the codes of practice with which the University aligns its information technology security program.

Definitions: N/A

Policy Statement: The University’s information technology security program is based upon best practices recommended in the “Code of Practice for Information Security Management” published by the International Organization for Standardization and the International Electrotechnical Commission (ISO/IEC 17799), appropriately tailored to the specific circumstances of the University. The program also incorporates security requirements of applicable regulations, such as the Family Educational Rights and Privacy Act, Gramm-Leach-Bliley Act, and Health Insurance Portability and Accountability Act. Professional organizations, such as the national EDUCAUSE Association and the Virginia Alliance for Secure Computing and Networking, serve as resources for additional effective security practices.

The ISO/IEC 17799 Code of Practice and other sources noted above are used to guide development and ongoing enhancement of additional information technology security policies as needed. All policies governing information technology security can be found in the University’s policy directory and at:

  • The Academic Division’s IT policy website
    See, for example:
    • Ethics in Computer Usage Policy
    • Responsibilities for Computing Devices Connected to the Network Policy
    • IT Risk Management Policy
    • Electronic Data Removal Policy
    • Administrative Data Access Policy
  • The Medical Center’s IT policy website
  • The College at Wise’s IT policy website <link to be added>

Procedures: N/A


Related Information: “Code of Practice for Information Security Management” (ISO/IEC 17799) – This international standard defines guidelines and general principles for the effective management of information security within an organization. It is a risk-based framework widely used to guide establishment of security standards and management practices.

EDUCAUSE Association – EDUCAUSE is a nonprofit association dedicated to the advancement of higher education through the effective use of information technology. Members include representatives from institutions of higher education, higher education technology companies, and other related organizations.

International Organization for Standards (ISO) – The world’s largest developer of standards, the organization is made up of representatives from governmental and private sector standard bodies, e.g. the American National Standards Institute.

International Electrotechnical Commission (IEC) – The IEC is a global organization that develops and publishes standards addressing electrical, electronic and related technologies. Membership comes from government, the private sector, consumer groups, professional associations, and others.

Virginia Alliance for Secure Computing and Networking (VA SCAN) – VA SCAN was formed to help strengthen information technology security programs within Virginia. The Alliance was organized and is operated by security practitioners and researchers from several Virginia higher education institutions, including the University of Virginia.

Background: The Commonwealth of Virginia Restructured Higher Education Financial and Administrative Operations Act of 2005 grants institutions additional authority over financial and administrative operations, on condition that certain commitments to the Commonwealth are met. The University of Virginia’s Management Agreement with the Commonwealth provides full delegated responsibility for management of the institution’s information technology security activities. This delegation includes the authority to conduct these activities in accordance with industry best practices appropriately tailored for the specific circumstances of the University, in lieu of following Commonwealth-determined specifications. This policy documents the industry best practices with which the University will align its security activities.


University Information Technology Infrastructure, Architecture, and Ongoing Operations Policy

Contact Office: Office of Information Technologies

Oversight Executive: Vice President & CIO

Applies to: University Academic Division, Medical Center, and College at Wise

Reason for Policy: It is critically important that the University of Virginia’s information technology (IT) infrastructure, architecture, and ongoing operations support the mission of the institution. To help ensure this need is met, decisions affecting these areas must reflect standards, guidelines, and practices found to be effective in the higher education environment. This policy establishes the nationally recognized codes of practice with which the University aligns its IT infrastructure, architecture, and ongoing operations.

Definitions: N/A

Policy Statement: The University maintains a list of specific standards and guidelines that should influence decisions affecting key components of its IT infrastructure, architecture, and operations. These standards and guidelines align with industry best practices, appropriately tailored for the specific circumstances of the University, as described by EDUCAUSE, Internet2, and others within higher education, as well as those from healthcare and selected technology industries. It is not the intent of this guidance to in any way inhibit research or other institutional endeavors that by their nature may require the use of cutting-edge technology not yet appropriate for normal use. The guidance is descriptive rather than prescriptive to achieve flexibility where needed. The ultimate goal is to create logical relationships between information technology resources and the mission of the university and its units.

This policy applies to all university information technology, whether owned and operated by the university, or used for university business through contractual arrangements.

An overview of the framework for infrastructure, architecture, and ongoing operations, along with the standards and guidelines, is posted at: <links to be added>

  • Academic Division’s IT website

  • The Medical Center’s IT website

  • The College at Wise’s IT website

When decisions are made regarding IT infrastructure, architecture, and ongoing operations, the decision maker should consult this information for guidance.


Procedures: N/A

Related Information: The following is a sampling of higher education sources for IT best practices and evolving trends:

The Campus Cyberinfrastructure Working Group of Net@EDU helps educational institutions develop institutional strategies and plan their resource deployment in this emerging and evolving technological landscape and helps their users harness and optimize the power and capabilities of new integrated IT tools and systems for educational and research applications in higher education.

EDUCAUSE is a nonprofit association whose mission is to advance higher education by promoting the intelligent use of information technology. http://educause.edu

Health Level Seven is an international standards-setting organization operating in the healthcare arena, specifically in the area of clinical and administrative data.

Internet2 develops and deploys advanced network applications and technologies for research and higher education, accelerating the creation of tomorrow's Internet.

The National LambdaRail develops and deploys a fiber optic network infrastructure for the purpose of advancing research, clinical, and educational goals.

The Postsecondary Electronic Standards Council is a non-profit association of colleges and universities; professional and commercial organizations; data, software and service providers; and state and federal government agencies.

Background: The Commonwealth of Virginia Restructured Higher Education Financial and Administrative Operations Act of 2005 grants institutions additional authority over financial and administrative operations, on condition that certain commitments to the Commonwealth are met. The University of Virginia’s Management Agreement with the Commonwealth provides full delegated responsibility for management of the institution’s information technology infrastructure, architecture, and ongoing operations. This delegation includes the authority to conduct these activities in accordance with industry best practices appropriately tailored for the specific circumstances of the University, in lieu of following Commonwealth-determined specifications. This policy documents the industry best practices with which the University will align its infrastructure, architecture, and ongoing operations.


University Information Technology Accessibility Policy

Contact Office: Office of Information Technologies

Oversight Executive: Vice President & CIO

Applies to: University Academic Division, Medical Center, and College at Wise

Reason for Policy: This policy is established to support the University of Virginia community in promoting equal access opportunity to information technology by the application of accessibility standards, guidelines, training, tools and methods consistent with higher education and their medical centers. The aim is to provide this opportunity in a setting that fosters independence and meets the guidelines of the Americans with Disability Act (ADA) and the Rehabilitation Act of 1973. This policy sets forth accessibility standards and guidelines that reflect best practices for achieving the accessibility of information technology for use by persons with disabilities.

Definitions:

Accessibility: refers to the University objective that everyone within the University community, regardless of physical disability, will have the opportunity for appropriate access to information technology.

Policy Statement: The procurement, development, and/or maintenance of information technology and user support services for persons with disabilities align with accessibility standards specified in Section 508 of the Rehabilitation Act and in "Web Content Accessibility Guidelines" from the World Wide Web Consortium, appropriately tailored to the specific circumstances of the University and its Medical Center.

Accessibility standards are designed to evolve and change, as newer technologies are introduced and user needs change. At the same time, the standards maintain a consistent framework for accessibility training and support services. University information technology development, maintenance, training, and support personnel who are responsible for information technology procurement, programs, and services possess an appropriate level of technical knowledge related to accessibility standards for persons with disabilities.

An overview of information technology accessibility issues and tools is provided at: <links to be added>

  • Academic Division’s IT website
  • The Medical Center’s IT website
  • The College at Wise’s IT website

Procedures: N/A

Related Information:

U.S. Government – Americans with Disability Act and the Rehabilitation Act of 1973 Section 504 standards

U.S. Government – the Rehabilitation Act of 1973 Section 508 standards

The World Wide Web Consortium (W3C) is an international organization that develops inter-operable technologies (technologies that can communicate with each other), e.g., specifications, guidelines, software, and tools, to lead the Web to its full potential. W3C is a forum of information, commerce, communication, and collective understanding. Of particular relevance are the Web Content Accessibility Guidelines 1.0 Copyright © 1999 W3C (MIT, INRIA, Keio) and the Web Content Accessibility Guidelines 2.0 Copyright © 2005 W3C® (MIT, ERCIM, Keio), All Rights Reserved. W3C liability, trademark and document use rules apply.

Background: The Commonwealth of Virginia Restructured Higher Education Financial and Administrative Operations Act of 2005 grants institutions additional authority over financial and administrative operations, on condition that certain commitments to the Commonwealth are met. The University of Virginia’s Management Agreement with the Commonwealth provides full delegated responsibility for management of the institution’s information technology architecture, infrastructure, and ongoing operations, of which IT accessibility is a part. This delegation includes the authority to conduct these activities in accordance with industry best practices appropriately tailored for the specific circumstances of the University, in lieu of following Commonwealth-determined specifications. This policy documents the industry best practices with which the University will align its IT accessibility activities.