IT Policy Governance - Policy

1.1 Purpose

1.1.1 The purpose of the IT Governance Policy is to define and consolidate the authorities, responsibilities, and administrative elements common to all IT Policies, Standards, Practices, and Guidance.

1.2 Benefits

1.2.1 Consolidation of common policy elements improves consistency and comprehension of policy materials, permitting shorter and more focused policies, standards, and practices.

1.2.2 Consolidation of common policy elements improves administrative efficiency by permitting changes in one location rather than engaging policy change procedures across multiple policies.

1.3 Scope

1.3.1 Unless otherwise stated in a policy, Penn IT policy applies to all University of Pennsylvania Schools and Centers including any entity that uses Penn's central networking service but excludes the University of Pennsylvania Health System (Penn Medicine).

2.1 Campus Engagement

2.1.1 The Privacy and Security Executive Committee (PSEC) shall ensure that new policy and significant policy changes are vetted with appropriate campus bodies prior to adoption.

2.1.2 IT Policy and Standards proposals and changes will be brought before the IT Policy Committee (ITPC) for discussion and impact analysis to be supplied along with recommendations to the Privacy and Security Executive Committee (PSEC) for review and disposition.

3.1 Information Security

3.1.1 Information Systems and Computing's Office of Information Security has the authority and responsibility to establish information security policies, guidelines, and standards.

3.2 Network

3.2.1 Information Systems and Computing's Technology Services Division has the authority and responsibility to establish network policies, guidelines, and standards for Penn's central network services.

3.3 Enforcement

3.3.1 Line management within Schools and Centers is responsible for ensuring compliance with all Penn policies.

3.4 Approval

3.4.1 Final approval on all IT Policy matters is held by Penn's Vice President of Information Systems and Computing.

4.1 Verification

4.1.1 Penn's Office of Audit, Compliance, and Privacy (OACP), Office of Information Security (OIS) and ISC Technology Services have authority to verify compliance with Penn IT policies and standards.

4.2 Notification

4.2.1 Penn School and Center line management are responsible for notifying Penn's Office of Information Security (OIS) or ISC Technology Services of discovered areas of non-compliance with Penn Security or Networking policy, respectively.

4.3 Variances

4.3.1 Variances to Penn IT Policy and Standards can be submitted to the IT Policy Committee, which will review the variance request and prepare a recommendation to the Vice President of Information Systems and Computing for an approval or rejection decision.

4.3.2 Penn School and Center line management is responsible for submitting requests for variances for discovered or anticipated areas of non-compliance with policy or standards.

4.4 Responsibility

4.4.1 Responsibility for compliance with Penn policy and standards resides with the School and Center executive management.

4.4.2 Penn's Office of Information Security (OIS) is responsible for consultatively assisting Schools and Centers in their compliance efforts.

4.5 Appeals

4.5.1 Policy and standards appeals and disputes may be addressed to Penn's Vice President of Information Systems and Computing for final disposition.