
1. IT Governance Framework

IT governance process for administrative IT applications and related services

Overview and Purpose

Cornell University expects all stewards and custodians of information technology (IT) systems and services to develop, manage, and use those systems and services in a manner consistent with the university's requirements for data security, data confidentiality, and business continuity. In support of this charge, Cornell has developed an IT Governance Framework based on formal policy and delegated responsibilities.

Key IT policies are: 

Data stewardship and custodianship as defined by University Policy 4.12: Data Stewards define appropriate use of data. In turn, Unit Custodians of data ensure proper adherence to policy and security of this data. 

Security of Information Technology Resources as defined by University Policy 5.4.1: Deans, Vice Provosts, and Vice Presidents are responsible for unit IT policy compliance and, as appropriate, define unit adoption of best practice IT security mechanisms as promulgated by Cornell Information Technologies (CIT), the Chief Information Security Officer (CISO), and University Audit.

Complete list of governing policies

The IT Governance Council (ITGC) is implementing an additional governance process for all administrative IT applications and related services.(*1),(*2) The purposes are to:

  • enable effective stewardship of Cornell IT resources and reduce duplication
  • provide the university a means of review and approval necessary to ensure appropriate use of institutional data
  • make certain that any impacts to other systems and processes are known
  • ensure coordination with pertinent stakeholders
  • provide a streamlined and logical experience when employees, students, and external users are required to use Cornell applications

The governance process must provide these protections while also allowing colleges and units to obtain and/or develop IT applications and related services to: 1) meet business needs unique to that college/unit and 2) supplement or create new applications and related services that meet a business need that cannot or will not be provided by central systems. 

Responsible Parties

IT Governance Council (ITGC)

The IT Governance Council (ITGC) has final decision-making authority for information technology across the Ithaca campus, including Cornell Tech. ITGC will coordinate with counterparts at Weill Cornell Medicine.

Membership: Assigned by the Executive Vice President and Provost. List of members


  • Provide oversight of and decision authority over IT governance and associated subcommittees.

  • Advise the Chief Information Officer (CIO) on institutional priorities and compliance issues.

  • Approve enterprise IT capital requests.

  • Confer with other vested parties as required.

  • Halt the IT procurement process if all required legal, procurement, and security-related conditions are not met in the acquisition of IT.

Chief Information Officer and Vice President for Information Technology (CIO/VP)

The Chief Information Officer and Vice President for Information Technology (CIO/VP) acts as an advisor and arbiter for all development of systems of record (SoR)(*3) and/or systems of engagement (SoE)(*4), regardless of funding source, with a key focus on operational practices to ensure business continuity across the Cornell enterprise.

IT Advisory Council (ITAC)

The IT Advisory Council (ITAC) reviews SoE and SoR development and changes if the impact requires feedback from multiple steering committees.

Membership: Executive leaders from the functional area(s) and SoE/SoR steering committees. The CIO or ITGC calls for the formation of ITAC when appropriate or asked to do so by a functional unit, Vice President, or Dean. List of members

Select functions:

  • With vested parties, review and prioritize competing annual IT capital requests.

  • Approve presented charters for formal discovery and/or implementation.

  • Work to resolve conflicts between competing functional area interests.

  • Seek additional approval from the ITGC where additional governance considerations are required.

  • Confer with Data Stewards as required.

Steering Committees

Steering Committees act as the principal sponsor, owner, and coordinating body for a given SoE or SoR.

Membership: Vested business unit senior executives who understand funding, business need, policy, and compliance issues around a given SoR and/or SoE. The CIO helps identify and advocate for appropriate members.

Select functions:

  • Provide counsel and guidance for a given SoE or SoR.

  • Help develop and/or review select charters.

  • Review business impact of the service to Cornell at large.

  • Seek additional approval of the ITAC or ITGC where additional governance considerations are required.

  • Confer with Data Stewards as required.

Review and Approval for Administrative IT Applications and Related Services

Generally there are two classes of review and approval:

  1. The promulgation and collegial review of a simple Statement of Need for any new administrative application acquisition and/or development
  2. The need for an additional, more rigorous Charter review when solutions create a SoR or SoE, or if changes to an existing SoR or SoE have user impact.

Statement of Need Review

The intent of this review is to ensure broad community awareness, to avoid redundant development or acquisition of solutions, and to facilitate service alignment with Cornell’s goals.

A Statement of Need is required for any administrative IT application or related service that would require internal or external IT expertise or effort, or products, tools, or resources to develop, purchase, alter, upgrade, decommission, etc., an IT application or service, regardless of source of funds or availability of staff time. This includes IT applications or related services that are planned for use within a single department, center, college, or unit if the application requires expertise beyond that which a non-IT functional end user could provide.

Review is required in advance of expending time and/or money, regardless of source, for planning beyond the basic conception of the idea. Activities beyond basic conception include investigating commercial products; conducting an IT assessment of new modules and functionality; developing user or technical requirements or an RFP; planning for or conducting a vendor assessment; procuring consulting or IT services or goods; decommissioning an existing application; or making modifications that impact end users.

Statement of Need process:

A Statement of Need is a brief narrative description of an administrative IT application or related service sought by a unit, college, or combination of multiple units. It should be drafted and submitted by appropriate IT and business leaders from the unit involved. A recommended framework is to have a title or brief description (e.g., automated faculty leave tracking system), followed by a brief explanation of the issue at hand or problem to solve, and ending with a proposed IT solution if practical (e.g., consider developing in-house in unit or college, consider adding to existing university system, consider purchasing from external vendor, etc.).

It is the responsibility of the Office of the CIO to shepherd Statements of Need through the review process. The Senior Financial Group (SFG), Data Steward, and CIO will review all Statements of Need. In turn, they will share their collective feedback regarding a project, be it as a standalone initiative or as a new multi-unit SoR or SoE. Upon request of the SFG and CIO, the IT Service Group directors forum (ITSG) will be asked to provide additional information and/or perspectives.

Review by the SFG, Data Steward, and CIO may include some or all of these themes:

  • Availability of similar applications and related services in other units

  • Functionality of current or planned central applications and related services that provide, or will provide in a reasonable timeframe, the application functionality

  • Unique requirements of the business need to be supported by the application

  • Demand from other areas for a similar solution

  • Impact on other systems, processes, and data users

  • Users and purpose of the proposed application; conflicts, synergies, and/or duplications with current or planned systems

  • Data Steward assessment of impact on central systems and data, and on planned initiatives

Charter Review

Regardless of funding source, development of any new SoR or SoE, or of end-user-impacting changes to an existing SoR or SoE, is subject to an additional Charter process.(*5)

Charter process:

Charters concisely frame a proposed project’s scope. Effort to produce a charter should be modest. Charters generally outline the roles and responsibilities for each project, including resourcing from CIT or contracted services, the CIT Project Management Office (PMO), and units as requested by the executive sponsors. All Charters are promulgated to steering committees and posted on a common website [access restricted] for review and comments.

Minimally, charters will outline:

  • Executive summary of proposed project

  • Executive sponsor(s)

  • Stakeholders

  • Requested timeframe for implementation

  • Benefits and beneficiaries

  • Potential risks and concerns (security, other)

  • Integration complexity

  • CIT or contracted services that will be required to deliver solution

  • Costs and responsibilities of ownership (beyond implementation), including training, documentation, ongoing support, etc.

  • Usability and other considerations

  • Accessibility: web (user interface) and physical
  • Explanation for why a solution is required if a similar one exists

  • Estimated funding range required for discovery and implementation

  • Proposed funding source (IT Capital, CIO discretionary funds, or recharge)

Charter and Statement of Need Facilitation

Illustration of IT governance workflow

The CIT Project Management Office (PMO) is the initial receiver for all Statements of Need and Charters. The PMO can, but is not required to, draft a given Charter or Statement of Need. If the PMO is used in this way, there is no charge for these documents.

For Charters, the CIO holds a CIT leadership meeting every two weeks with the CIT directors and assistant directors. A standard agenda item is the triage of new Charters. Based on recommendations and feedback from the meeting participants, the CIO will:

  • Approve the Charter for formal discovery and/or implementation

  • Request the gathering of additional information

  • Seek additional counsel and/or approval from a steering committee, ITAC, or ITGC as required

Process for Funded and Approved Charters(*6)

Once a Charter has been approved, the CIT PMO, or other project management resources as approved by the CIO, will work with project stakeholders, including unit project managers (PMs), business analysts (BAs), and subject matter experts (SMEs), as required, to provide detailed analyses of functionality, scope, resourcing, cost/benefit, deliverables, etc. to accurately predict the initial costs and ongoing operational costs, as well as a risk/benefit analysis. There will be a go/no go decision after sponsors and stakeholders review the discovery findings.

About this Article

Last updated: Friday, March 9, 2018 - 10:08pm
