IT Governance Framework
IT governance process for IT applications, software, and services
This article applies to: IT Governance, IT Project Management Office (PMO)
Overview and Purpose
Cornell University expects all stewards and custodians of information technology (IT) systems and services to develop, manage, and use those systems and services in a manner consistent with the university's requirements for data security, data confidentiality, and business continuity. In support of this charge, Cornell has an IT Governance Framework based on formal policy and delegated responsibilities.
Key IT Policies
- Data stewardship and custodianship as defined by University Policy 4.12: Data Stewards define appropriate use of data. In turn, Unit Custodians of data ensure proper adherence to policy and security of this data.
- Security of information technology resources as defined by University Policy 5.4.1: Deans, Vice Provosts, and Vice Presidents are responsible for unit IT policy compliance and, as appropriate, define unit adoption of best practice IT security mechanisms as promulgated by Cornell Information Technologies (CIT), the Chief Information Security Officer (CISO), and University Audit.
- Web accessibility as defined by University Policy 5.12: Cornell has adopted the WCAG 2.0 Level AA standards for all new, newly added, or redesigned university web content, web pages, web functionality, websites, and web applications. Furthermore, the university will strive to purchase only those web products and services that operate in accordance with the WCAG 2.0 Level AA standard.
- Complete list of governing policies
IT Governance Council Process
The IT Governance Council (ITGC) has an additional governance process for IT applications, software, and services.(*1),(*2) The purposes are to:
- enable effective stewardship of Cornell IT resources and reduce duplication
- provide the university a means of review and approval necessary to ensure appropriate use of institutional data
- make certain that any impacts to other systems and processes are known
- ensure coordination with pertinent stakeholders
- provide a streamlined and logical experience when employees, students, and external users are required to use Cornell applications
The governance process must provide these protections while also allowing colleges and units to obtain and/or develop IT applications, software, and services to: 1) meet business needs unique to that college/unit and 2) supplement or create new applications, software, and services that meet a business need that cannot or will not be provided by central systems.
Responsible Parties
IT Governance Council (ITGC)
The IT Governance Council (ITGC) has final decision-making authority for information technology across the Ithaca campus, including Cornell Tech. ITGC coordinates with counterparts at Weill Cornell Medicine.
Membership: Assigned by the Executive Vice President and Provost. List of members
Responsibilities:
- Provide oversight of and decision authority over IT governance and associated subcommittees
- Advise the Chief Information Officer (CIO) on institutional priorities and compliance issues
- Approve enterprise IT capital requests
- Confer with other vested parties as required
- Halt the IT procurement process if all required legal, procurement, and security-related conditions are not met in the acquisition of IT
Chief Information Officer and Vice President for Information Technology (CIO/VP)
The Chief Information Officer and Vice President for Information Technology (CIO/VP) acts as an advisor and arbiter for all development of systems of record (SoR)(*3) and/or systems of engagement (SoE)(*4), regardless of funding source, with a key focus on operational practices to ensure business continuity across the Cornell enterprise.
Steering Committees
Steering Committees act as the principal sponsor, owner, and coordinating body for a given system of record (SoR)(*3) and/or system of engagement (SoE)(*4).
Membership: Vested business unit senior executives who understand funding, business need, policy, and compliance issues around a given SoR and/or SoE. The CIO helps identify and advocate for appropriate members.
Select functions:
- Provide counsel and guidance for a given SoE or SoR.
- Help develop and/or review select charters.
- Review business impact of the service to Cornell at large.
- Seek additional approval of the ITAC or ITGC where additional governance considerations are required.
- Confer with Data Stewards as required.
Review and Approval for IT Applications, Software, and Services
Generally there are two classes of review and approval:
- The promulgation and collegial review of a simple IT Statement of Need for acquisition of any IT application, software, or service, and/or development
- The need for an additional, more rigorous IT Project Charter review when solutions create a system of record (SoR)(*3) and/or system of engagement (SoE)(*4), or if changes to an existing SoR or SoE have user impact.
IT Statement of Need Review
The intent of this review is to ensure broad community awareness, to avoid redundant development or acquisition of solutions, and to facilitate service alignment with Cornell’s goals.
An IT Statement of Need is required for any IT application, software, or service that would require internal or external IT expertise or effort, or products, tools, or resources to develop, purchase, alter, upgrade, decommission, etc., an IT application or service, regardless of the source of funds or availability of staff time. This includes IT applications, software, or services that are planned for use within a single department, center, college, or unit if the application requires expertise beyond that which a non-IT functional end-user could provide.
Review is required in advance of expending time and/or money, regardless of source, for planning beyond the basic conception of the idea. Activities beyond basic conception include investigating commercial products; conducting an IT assessment of new modules and functionality; developing user or technical requirements or an RFP; planning for or conducting a vendor assessment; procuring consulting or IT services or goods; decommissioning an existing application; or making modifications that impact end-users.
An IT Statement of Need is a brief narrative description of an IT application, software, or service sought by a unit, college, or combination of multiple units. It should be drafted and submitted by appropriate IT and business leaders from the unit involved. A recommended framework is to have a title or brief description (e.g., automated faculty leave tracking system), followed by a brief explanation of the issue at hand or problem to solve, and ending with a proposed IT solution if practical (e.g., consider developing in-house in unit or college, consider adding to existing university system, consider purchasing from an external vendor, etc.).
It is the responsibility of the Office of the CIO to shepherd IT Statements of Need through the review process. The Senior Financial Group (SFG), Data Steward, and CIO will review all IT Statements of Need. In turn, they will share their collective feedback regarding a project, be it as a standalone initiative or as new multi-unit SoR or SoE. Upon request of the SFG and CIO, the IT Service Group directors forum (ITSG) will be asked to provide additional information and/or perspectives.
Review by the SFG, Data Steward, and CIO may include some or all of these themes:
- Availability of similar applications and related services in other units
- Functionality of current or planned central applications and related services that provide, or will provide in a reasonable timeframe, the application functionality
- Unique requirements of the business need to be supported by the application
- Demand from other areas for a similar solution
- Impact on other systems, processes, and data users
- Users and purpose of the proposed application; conflicts, synergies, and/or duplications with current or planned systems
- Data Steward assessment of the impact on central systems and data, and on planned initiatives
IT Project Charter Review
Regardless of funding source, development of any new or end-user impacting changes to any system of record (SoR)(*3) and/or system of engagement (SoE)(*4) is subject to an additional Charter process.(*5)
IT Project Charters concisely frame a proposed project’s scope. Effort to produce a charter should be modest. Charters generally outline the roles and responsibilities for each project, including resourcing from CIT or contracted services, the CIT Project Management Office (PMO), and units as requested by the executive sponsors. All Charters are promulgated to steering committees and posted on a common website (access restricted) for review and comments.
Minimally, charters will outline:
- Executive summary of proposed project
- Executive sponsor(s)
- Stakeholders
- Requested timeframe for implementation
- Benefits and beneficiaries
- Potential risks and concerns (security, other)
- Integration complexity
- CIT or contracted services that will be required to deliver the solution
- Costs and responsibilities of ownership (beyond implementation), including training, documentation, ongoing support, etc.
- Usability and other considerations
  - Accessibility: web (user interface) and physical
- Explanation for why a solution is required if a similar one exists
- Estimated funding range required for discovery and implementation
- Proposed funding source (IT Capital, CIO discretionary funds, or recharge)
Charter and Statement of Need Facilitation
The CIT Project Management Office (PMO) is the initial receiver for all IT Statements of Need and IT Project Charters.
For Charters, the CIO holds a CIT leadership meeting every two weeks with the CIT directors and assistant directors. A standard agenda item is the triage of new Charters. Based on recommendations and feedback from the meeting participants, the CIO will:
- Approve the Charter for formal discovery and/or implementation
- Request the gathering of additional information
- Seek additional counsel and/or approval from a steering committee or ITGC as required
Process for Funded and Approved IT Project Charters(*6)
Once an IT Project Charter has been approved, the CIT PMO, or other project management resources as approved by the CIO, or non-CIT project management resources where applicable, will work with project stakeholders, including unit project managers (PMs), business analysts (BAs), and subject matter experts (SMEs), as required, to provide detailed analyses of functionality, scope, resourcing, cost/benefit, deliverables, etc. to accurately predict the initial costs and ongoing operational costs, as well as a risk/benefit analysis. For some discovery projects, there will be a go/no go decision after sponsors and stakeholders review the discovery findings.
(*5) For context, past SoE and/or SoR projects that would have been subject to the Charter process include but are not limited to: Kuali Financial System, Workday, PeopleSoft, Facilities Inventory System, select datamarts, ImageNow, Salesforce orgs, TDX, Active Directory, Kaltura, Microsoft Office 365, etc.
(*6) Individual projects greater than $100,000 may also be subject to the University’s capital project approval process.