webrev: 06/2008

CHAPTER IX  [PDF]

INFORMATION TECHNOLOGY

A.   INFORMATION TECHNOLOGY PLANNING AND OVERSIGHT PROCESSES   [PDF]

9-101  Arizona Board of Regents Technology Oversight Committee Charter (ATOC)   (PDF)

  1. The purpose of ATOC is to provide oversight for major Information Technology (IT) initiatives at the Arizona University System (AUS) campuses.  This oversight involves reviewing and approving plans for major campus investments to ensure that they are effectively planned and managed and that they are aligned with major ABOR and university goals.

  2. The  focus of ATOC will be to:

    1. Guide, establish, and approve IT strategic plans, technology-based standards, applications and services in support of future ABOR and University needs.

    2. Operate as a forum for the discussion of major issues related to technology, collaborative applications and IT services.

    3. Evaluate, approve and monitor significant systems development, collaborative projects and technology infrastructure expenditures in excess of $1 million.

    4. Facilitate appropriate technology collaboration in support of ABOR’s mission and business goals.

    5. Provide policy direction for the Arizona Universities Network (AZUN) and approve AZUN annual program budgets.

9-102  Definitions    (PDF)

Definitions for this Chapter are included in the ABOR Information Security Program Guidelines.  These Guidelines may be amended as necessary by the ATOC without the need for full Board review.

9-103  Tri-University Information Technology Architecture    (PDF)

The universities will participate in the creation and development of a Tri-University IT Architecture to guide the design, implementation, maintenance and organization of information technology management at each institution.  The Tri-University IT Architecture will be submitted to the ATOC for review and approval.

9-104  Information Technology Strategic Plans    (PDF)

  1. University IT and AZUN strategic plans should identify major initiatives and costs and should align with ABOR System and University five-year plans.  These strategic plans should also take into account best practices, the Tri-University IT Architecture, and the ABOR Information Security Program Guidelines.

  2. The plans should identify the current status of university IT initiatives and plans for achieving future initiatives including  benefits, costs, time frames, resources, sponsorship, and user involvement.

  3. The IT Strategic Plans will be submitted to ATOC for review and approval.

  4. IT strategic plans will follow a common format approved in advance by the ABOR Executive Director.

9-105  Project Approval Process   (PDF)

  1. IT project budget of $100K-$1M:

    1. Requires approval of university president and CIO;

    2. University must report to ATOC quarterly following university president’s approval;

    3. University must report status annually with the IT Strategic Plan.

  2. IT project budget of $1M-$10M:

    1. University must complete IT Project Justification Summary and submit it for ATOC approval;

    2. Prior ATOC approval is necessary before project is initiated.

    3. University must report status annually with the IT Strategic Plan or quarterly at the ATOC’s request.

  3. IT project budget over $10M:

    1. University must submit complete IT Project Justification Summary and submit it for ATOC review and recommendation to the Board;

    2. Prior ATOC review and Board approval is necessary before project is initiated.

    3. University must report on project status to ATOC quarterly;

    4. Project may be subject to external monitoring if required by ATOC.

  4. Project Justification Summaries should summarize the anticipated project budget for five years; projects may not be divided into smaller projects to affect the approval process.

  5. The Board may retain independent consultants to monitor significant projects.  All projects are subject to audit.

  6. If a University president believes that an emergency situation requires immediate action, the president may contact the Chair of ATOC or the Executive Director of the Board to request either a special meeting of ATOC or permission to take immediate action and submit a Project Justification Summary Sheet for ATOC review and ATOC or Board ratification at the next regularly scheduled meeting according to the preceding dollar thresholds.

9-106  Quarterly Reports   (PDF)

Every quarter, each university must provide a written report to ATOC showing the status of all active and pending IT projects between $100,000 to $1 million that have been approved at the university level.  The format for quarterly reports must be approved by the Executive Director of the Board.

9-107  Annual Reports   (PDF)

  1. Each university must submit an annual report to ATOC in a format approved by the Executive Director of the Board to report on expenditures and other issues relating to capital, operations, and personnel.

  2. Each university will provide an annual expense report to ATOC for capital, operations, and personnel expenses.  The report will be provided to ATOC in a fall meeting to be determined by ATOC in a format approved by the Executive Director of the Board and will reflect data for the prior year.

9-108  Budget Overrun Protocol   (PDF)

If an IT project over $1 million is anticipated to exceed the Board approved budget by 25% or $1 million dollars, whichever is less, the project must be resubmitted to the ATOC Committee for review and to ATOC or the Board for approval according to the preceding dollar thresholds.

9-109  Regent’s IT Innovation Fund   (PDF)

The Regent’s IT Innovation Fund primarily supports central office and university collaborative IT projects. Requests for ATOC approval for the use of these funds are to be submitted on a form approved by the Executive Director of the Board.  Annual progress and expenditure reports for collaborative projects will be submitted to ATOC at the same time as the IT annual reports.

 

B.        INFORMATION TECHNOLOGY SECURITY (PDF)

 

9-201  General Policy  (PDF)

Information created, collected, or distributed by the universities and the Board is a valuable asset and must be protected from unauthorized disclosure, modification, or destruction.  The universities and the Board must employ prudent information security policies, standards, and practices to minimize the risk to the integrity, confidentiality, and availability of information.  Each university and the Board central office shall create and maintain an internal information security technology infrastructure to protect the confidentiality, availability, and integrity of information assets.

9-202  University Responsibilities   (PDF)

  1. Each university president is responsible for assuring that appropriate and auditable information security controls are in place at the university for all university information resources and systems.

  2. Each university shall develop, implement, and maintain an information security program.  Each university must submit its information security program to ATOC and to the Board for review and must report annually the university’s progress on meeting its program goals.

  3. Each university shall develop, implement, and maintain a set of information security policies, and guidelines that are consistent with ABOR Information Security Program Guidelines and applicable law.

  4. Each university will establish detailed security standards that are consistent with the ABOR Information Security Program Guidelines.

  5. Each university shall establish an Information Security Office and designate an individual as Information Security Officer or Information Security Director.  This individual will be responsible for the creation and implementation of an information security program that is consistent with ABOR Information Security Program Guidelines.

  6. Each university shall establish an Information Security Committee.  The Committee will review and recommend information security policies and standards, and provide guidance and support to the Information Security Officer or Information Security Director for the implementation and maintenance of the Program.

  7. If a university determines that the probability of a security breach involving the acquisition of and access to personal information as defined in A.R.S. § 44-7501 (Security Breach Notification) is likely or has occurred, the Information Security Officer or Information Security Director shall report the incident promptly and in writing to the Executive Director of the Board.  The Information Security Officer or Information Security Director shall also notify the Executive Director when the incident is closed.  The incident closure report shall provide a description of the incident, including the nature of the incident and the numbers of individuals impacted, the incident handling process, a copy of the notification, if any, and the actions taken to prevent further breaches of security.

C.    ARIZONA UNIVERSITIES NETWORK (AZUN) PLANNING, BUDGETING AND OVERSIGHT PROCESSES (PDF)

9-301  AZUN Planning   (PDF)

The principal activities of AZUN are to support e-learning, workforce development program priorities and the management and development of the tri-university AZUN web portal.  The web portal provides access to academic programs and courses that are available on-line from the universities.  AZUN is funded annually from TRIF sources.

9-302  AZUN Management   (PDF)

The management of AZUN is delegated to Northern Arizona University.  The Board retains policy and budgetary oversight of AZUN activity by requiring periodic reporting and detailed annual budgetary approval by ATOC.

9-303  AZUN Budgeting   (PDF)

Annually AZUN will submit a detailed program budget request for approval by the ATOC.

9-304  AZUN Annual Reports   (PDF)

AZUN will provide an annual report that includes: goals, program performance evaluations and measures, and summary expenditure data.

9-305  Arizona Regents Reach Out Grants   (PDF)

Arizona Regents Reach Out (ARRO) grants are annual grants provided by the Board to promote and support e-learning initiatives.

webrev: 06/2008