Documentation Standards for Information Technology Documents
The following establishes the standard for the creation of documentation of information technology standards. These standards will enable the University to maintain consistency and align with principles outlined in ISO/IEC 27001:2005 section 4.3.2 and TOGAF v9.1.
All documentation developed for University-wide technology standards, procedures, or best practices must follow the documentation standards described here. In addition, information technology standards intended to establish administrative policy or procedure must follow the University’s policy on Establishing Administrative Policies.
Standard and Process
All documentation for information technology standards within the scope of the enterprise architecture program must include all of the following components.
- Objective – the purpose of the document
- Scope – identifying to whom and/or to what assets the standards and process apply
- Compliance – identifying the requirement to comply with the document and where to report non-compliance and to request exceptions.
- Standard and Process – defining the rules by which the individuals or assets within the scope must adhere; the process provides greater detail on the standard by describing how the individuals or assets comply with the standard.
- Document Owner – the contact for document content questions and document revisions.
- Document Approver – the chief information officer has delegated document approval to the University enterprise architect and chief information security officer.
- Effective Date – date the document was implemented and enforced
- Last Reviewed Date – date the document was last reviewed for changes, updates, or document retirement.
Documents created and approved using this standard are to be reviewed at regular intervals for changes, updates, or document retirement. Current document owners must be updated or affirmed during the routine document maintenance. The document owner will determine how often the document requires routine maintenance, however the regular interval must not exceed three years from the prior last-reviewed date. Documents must be reviewed every three years or more frequently at the document owner’s discretion.
Documentation Development, Review, Approval, and Implementation
The diagram below depicts the document development, review, approval, and implementation process.
During the development/initial review, the document developer must identify the appropriate process owners, service owners, and/or stakeholders and review the document. While the requirement of any individual or groups review does not exist, it is highly recommended that representatives of those most impacted by the document contents be involved in the review.
During the University review, the document developer may request review by the appropriate stakeholders and the technology review board. While it is not required that any specific individual or group be consulted, it is highly recommended that representatives of those most impacted by the document’s contents be involved in the review.
In order for the enterprise architect and chief information security officer to approve the document, the document developer will provide, a final draft of the document, sufficient evidence of review by the process owner, service owner, and/or stakeholder approval, and an implementation plan that includes the communication and technology awareness plan.
The multiple layers of review and approval will work to establish consistency in documentation, appropriate IT community review, and standards for the University that are reasonable to follow.
- Effective Date: 01-January-2014
- Last Reviewed Date: 16-December-2013