Policy Lifecycle and Governance | St. George's University

Policy Lifecycle and Governance

August 3, 2018

Purpose

The Policy Lifecycle and Governance Policy of St. George’s University, University Support Services, and any other operating units of Medforth Global Healthcare Education Group LP identified by management (collectively, the Enterprise) is the institutional policy that creates the management framework for all policies created, modified, or archived within the Enterprise environment.

Scope

This policy applies to all Enterprise policies, standards, and procedures. All Enterprise personnel are required to adhere to the Enterprise’s Policy Lifecycle and Governance Policy.

Policies and Supporting Documents

This policy will formally define the hierarchy of policies and supporting documents.

  • Policies – high-level statements of essential precepts that support legislative, regulatory, and organizational requirements
  • Standards – documents that add a layer of specificity to policies, and describe with more detail how to implement policies, including how technology works at a conceptual level
  • Procedures – department-specific documents that support the standards and provide additional control-specific details that are not contained in the related policies or standards
  • Guidelines – recommendations and best practices from the Information Security Division that are suggested for users, but are not mandatory

Policy Management Framework

Drafting
For any request to create or modify a policy or standard, initial development will take place in the relevant department. The individuals involved in the initial drafting of the proposal will serve as the first tier of the Enterprise’s policy lifecycle framework. The individual who initially leads the drafting effort, or who leads the policy amendment, is the Policy Owner and will be involved in its progress through the review and approval process. When the Policy Owner, in cooperation with other subject matter experts, has completed a draft policy or standard that is ready for review, he/she will pass the policy or standard to the second tier of the policy lifecycle framework.

Initial Review
The second tier of the Enterprise’s policy lifecycle framework provides the first level of review for proposed policies or standards. This middle tier should be composed of the Policy Owner, representative(s) from Human Resources, General Counsel, Information Technology, and any other policy-specific subject matter experts (as needed). When this second tier receives a proposed policy/standard or policy/standard alteration, these department leaders should work together to provide feedback on the drafted policy or standard and return it with comments to the Policy Owner. In this case, the Policy Owner should refine the policy or standard with the reviewer comments in mind, and then return it to the second tier for further review. The policy development process between the first and second tiers of the policy lifecycle framework should be iterative.

Executive Review
When the members of the second tier agree that a policy or standard is ready for executive review, the proposal is passed up to the Cyber Security Committee. The Cyber Security Committee should decide to either approve the proposal, pass it back with comments to the second tier for minor alterations, or pass it back to the Policy Owner for major edits. This development process will continue to adapt and resubmit the proposal through the appropriate levels of review described above until it receives the approval of the Cyber Security Committee.

Acceptance and Implementation
When a proposal for an addition or alteration to Enterprise policies is accepted, the Cyber Security Committee should assign responsibility to the appropriate parties for formal integration and communication of this change to all relevant stakeholders, including but not limited to: faculty, staff, students, and third parties.

Compliance Monitoring

All policies, once approved, must be communicated to all stakeholders and inserted into relevant literature, such as Enterprise handbooks. Introduction to policies and signed acceptance must be a part of faculty and staff onboarding. Adherence to Enterprise security policies must be mandatory for all faculty, staff, students, third-party vendors, and other users of Enterprise information systems. The Enterprise must maintain a strategy for tracking policy compliance for each user group, coupled with clear repercussions for non-compliance.

Policy Exceptions

Exceptions to Enterprise security policies and standards must only be approved if they address a legitimate business need, and the benefit yielded by that exception outweighs any increased security risk it may introduce. The Cyber Security Committee will approve all exceptions as needed.

Periodic Review

Because regulations, business requirements, and organizational roles are always changing, policies and supporting documentation must be reviewed regularly to ensure compliance with those changing factors. Any policy exception must also be reviewed periodically by the Cyber Security Committee to verify that the exception’s original justification is still valid. All such reviews must be performed at formally specified intervals to assure the policies’ continued success in targeting business needs and compliance with Enterprise legal and regulatory requirements.