|Responsible office||Information Technology|
|Classification||Board of Trustees-delegated Policy|
|Category||12. Information Technology and Data Security|
Statement of policy
To ensure that information systems at WMU are effectively integrated.
To ensure that information systems at WMU are effectively integrated, that those systems are effectively used across organizational boundaries, and to support evidence-based decision-making at the University. See more:
- Data classification policy
- Emerging Technology Process for General Purpose Classrooms
- Product review process
This policy applies to the acquisition of information software and hardware using University resources and/or University funds, including the general fund, designated funds, grant and donor funds and any other funds for which the University and its various subunits are accountable. The policy defines different levels of review and control, depending on the type of information system contemplated for acquisition.
The University seeks to maximize effectiveness in the use of resources designated for information systems by distinguishing different types of systems, the level of review required for those types of information systems, and the role of various offices in that review. Specifically, the policy distinguishes between enterprise systems, enterprise support systems, departmental unit support systems, and infrastructure systems. These types of systems are defined below, along with the approval process required for each. Adherence to this policy is required to receive acquisition authority and to get necessary signatures on contracts.
- Enterprise systems: enterprise systems are those which manage the data for core business functions of the University, which require integration or which have significant integration potential with other systems and which must be managed and maintained effectively for the University to thrive. Examples of these systems are the Banner Student Information System, the Banner Operational Data Store, the Banner Enterprise Data Warehouse, the PeopleSoft Human Resources and Financial systems, the Elearning system, the development and alumni system, the University email collaboration system, the time-keeping system, the institutional reporting system, the imaging system, the e-commerce system, customer relationship management systems, strategic planning systems, and the emergency alert system. Enterprise systems may be hosted by WMU or they may be hosted externally (cloud-based).
Acquisition and replacement of these systems require approval from the IT Executive Advisory Board or an appropriate subcommittee of that body, which functions as the data governance executive sponsors. In addition the Office of Information Technology should be involved at all states of selection of these systems, from problem definition through request for proposal, vendor review, vendor selection, contract negotiation, change management, implementation, and any subsequent stages. WMU hosted enterprise systems will be hosted by information technology in the University Computing Center and will be incorporated into disaster recovery and data backup systems. Information technology will manage the exchange of data between WMU-hosted enterprise systems and any cloud-based enterprise system, in collaboration with functional user offices. Change management for these systems will be controlled by collaborative change management committees. These systems are subject to the University's information security policies as set by the Campus Information Security Committee and as implemented by change management committees.
- Enterprise support systems: enterprise support systems are those that are integrated with the enterprise systems to perform specific functions, but which are not, by themselves, enterprise systems. Examples include FSA-Atlas data reporting data on international students to the federal servicer, DegreeWorks advising and planning system, and the Docufide electronic transcript system.
Acquisition and replacement of these systems require notice to the IT Executive Advisory Board, which functions as the data governance executive sponsors. The board may require full review by a board subcommittee, especially where the integration potential is significant. In addition, the Office of Information Technology should be involved at the stage of vendor selection, contract negotiation, change management, implementation, and and any subsequent stages. Most enterprise support systems will be maintained by information technology, in collaboration with functional user offices. Change management for these systems will be controlled by collaborative change management committees. These systems are subject to the University's information security policies, as set by the Campus Information Security Committee and implemented by change management committees.
- Unit support systems: unit support systems are those that principally support one department, unit, or one function and which require minimal integration, usually only one-way, with enterprise systems or enterprise support systems. Examples include Media Site Live for video streaming, PeopleAdmin job system, Pinnacle telecommunications billing system, Roomview classroom scheduling system, and the SPSS statistical software.
Acquisition and replacement of these systems require collaboration among offices that use the systems. The Office of Information Technology should be involved at the stage no later than product review and contract approval.
- Infrastructure systems: infrastructure systems are those platforms largely managed by the Office of Information Technology n collaboration with appropriate technical staff in other units. These systems support information technology operations and ensure stability and security, but are not directly involved in delivering services to faculty, staff, students, alumni, donors, or other stakeholders. Examples include Oracle and SQL database systems, data backup systems, IP network and firewall systems, voice-over-internet systems, security monitoring systems, computer lab management systems, job scheduling systems, address verification systems, and anti-virus protection systems.
Acquisition and replacement of these systems require collaboration among the technical staff that use the systems across campus. The Office of Information Technology will manage the stages of problem definition, proposal solicitation, product review, product selection, contract negotiation, implementation, and any subsequent stages. Change management for these systems will be controlled by collaborative change management committees. These systems are subject to the University's information security policies, as set by the Campus Information Security Committee and as implemented by change management committees.
Additional policy considerations
Information security must be carefully considered in all of the types of systems described above, but particularly for systems that manage, store, or transmit confidential-restricted information, as defined in the University's information security policies. Responsibility for information security rests on all those who use an information system and is regularly monitored and reviewed by the Office of Information Technology.
Many systems hold data that are subject to compliance requirements, including HIPAA, FERPA, GLBA, HSIRB, and PCI requirements. The University has identified specific individuals who are responsible for compliance in these areas and who must be involved in system acquisition and management decisions as required.
There are other policies that apply to the acquisition of information technology, especially those that will hold data that are protected by law, and policies that require competitive bidding for some purchases.
Any person found to be in violation of this policy will be subject to the appropriate disciplinary actions as defined by current University policy and/or collective bargaining agreements.
Note: these rules and requirements may be amended at any time by the IT Executive Advisory Board of Western Michigan University consistent with current collective bargaining agreements, University policies, and applicable law. Changes will be reviewed by appropriate University entities prior to posting on the information technology public website.
|Effective date of current version||March 1, 2014|
|Date first adopted||September 1, 2013|
|Revision history|| |
Sunday, September 1, 2013 - 17:39 Reviewed by: Information Technology Executive Advisory Board.
Friday, November 1, 2013 - 17:38 Approved by Faculty Senate Academic Information Technology Council.
Sunday, December 1, 2013 - 17:38 Approved by: President's Senior Leadership Team.
Saturday, March 1, 2014 - 17:37 Approved by: Information Technology Executive Advisory Board.
|Proposed date of next review||April 1, 2020|