About ITS Policies
Information Technology Services at UNC-Chapel Hill is the source for University-wide policies on the use of technology, along with standards and procedures for compliance with policy. These policies exist within several frameworks: law, regulation, the broader University mission, technical best practices for information security, for interaction with other institutions, and for the purchasing and use of technology, as well as other constraints. We follow requirements from the Office of Ethics and Policy in developing these documents. Our goal is to provide useful guidance that makes clear the position of the University while making it easy to do what is right.
We are always looking for feedback on our existing policies, standards, and procedures. If you find something here that is confusing, or out of date, or that impedes your ability to do the work you are at UNC to do, we want to hear about it. The policies are reviewed continuously, and any feedback we get is considered when we next look at a policy.
In order to keep people up-to-date on our policy process, the Policy Office puts out a bulletin when big changes happen. That bulletin is sent to technical staff on campus (the CTC list and others) and is also posted here.
Q: What are the differences between “Policies,” “Standards,” and “Procedures?”
A: Policies describe things that are important for the University community to be aware of, to take action on, to do or not do. Sometimes these deal with the values of the University, such as policies on privacy or non-discrimination. For IT, the Acceptable Use Policy is an example: it describes how to be a part of the University community when you are online or using University computers or the network. Other policies deal with very specific topics, such as passwords, sending sensitive information, or how to keep your computer secure.
Standards set a minimum requirement. Departments or individuals may choose to do MORE than a standard, but not less. Standards don’t tell you HOW to do something; they tell you what must be (or must not be) done. For example, the Password standard doesn’t tell you any steps to take to set a password on any system, but it does tell you to use a certain number of characters and how often to change it.
Procedures tell you steps to take. We don’t issue a lot of procedures for the campus; those are typically documents that your school or department would create to comply with policies and standards. For example, if a security standard says that you must have your laptop scanned regularly for vulnerabilities, your department may have a procedure telling you the steps to take to make that scanning happen.
Q: Where do IT policies come from? Why are there so many?
A: There are certain policies that are accepted as important best practices for Universities or other organizations to have. Some of those are required for all UNC institutions, or all NC state agencies, but we write the policy to fit UNC-Chapel Hill’s environment. If a “gap” is identified to us, we check to see whether a policy already addresses the problem, or whether a policy is the best WAY to address a problem. Oftentimes adding another document isn’t that helpful. But sometimes there seems to be confusion about what is expected, and a policy can be an easy way to point everyone in the same direction and make things clear and fair. The Policy Office works with IT people across the campus to get input and to understand the implications of every policy, standard, and procedure we have. A policy is of no value if it can’t be followed or doesn’t make sense, or keeps us from accomplishing our goals.
Please ask us other questions! If you have any questions (or suggestions) about any policy, standard, or procedure, or you can’t figure out whether something is OK and think it SHOULD be covered by a policy, we’re happy to talk with you. email@example.com is the best way to do that.