University at Albany Information Technology policies are developed and maintained to support the University's mission and daily activities; to promote best practices in the usage and management of information resources; to support compliance with federal, state, and university law, regulation or policy; to manage risks associated with IT infrastructure and systems; and to guide the stewardship of the accessibility, privacy and security of information utilized by the UAlbany community.
The Office of the Chief Information Officer (OCIO) is responsible for drafting, obtaining approval, promulgating and maintaining all University at Albany IT policies. The policy development process is open and invites participation from all members of the University community. The OCIO is responsible for the formation and convening of a Policy Review Board (PRB) composed of faculty, staff and students. The PRB makes recommendations to the CIO, who in turn, seeks approval from the University President. Stakeholders are solicited for feedback throughout the approval process. All policies are subject to periodic review cycles in order to assess their continued applicability. The OCIO reserves the right to initiate the process to amend or retire a policy at any time. University at Albany IT policies and appropriate companion documents are accessible on the web at www.albany.edu/its.
University at Albany IT policies include a policy statement and may include companion documents such as standards, guidelines and/or procedures. These are defined as follows:
Policies state an institutional position and have broad application across the university. The PRB recommends approval of all policies to the CIO. Final approval of the University president is required for issuance and major changes to policies. University at Albany IT policies are enforced by the OCIO.
Protocols provide definition, context and rationale for how the University addresses broad areas relevant to specific policies. As an example, the Information Security Policy identifies a set of Security Domains providing a framework for an Information Security Program. Within each domain, protocols give a rationale for the security area, provide institutional direction and establish a framework for related standards and procedures.
Standards define a set of criteria established by the authority of the OCIO that promote compliance with applicable laws and regulations, mandate actions or constraints and contain information regarding compliance and/or a desired outcome. Generally, they are considered "must do's" that are enforceable on the basis of compliance or mitigation of risk. This includes industry standards which establish technical specifications pertaining to equipment and/or infrastructure requirements. All standards to IT policies are enforced by the OCIO.
Guidelines are recommended guides to action. Generally, they are considered "should do's" that reflect established customs or an efficient, effective means for complying with a policy. Guidelines are representative of ITS's expectation that users will follow them as they represent a model of example for day-to-day operations and/or regular business practices.
Procedures are the detailed steps associated with complying with a policy or provisioning an IT service. Generally, they are considered "how to's" and may be directed to a specific audience or the entire user community. They are approved by the CIO and may change in accordance with technology and other circumstances as warranted.
Questions regarding any University at Albany IT policies or companion documents should be directed to the OCIO at firstname.lastname@example.org.