IT Directives Review Processes

May 5th, 2011

admin

Introduction


Some agencies or agency components have a process for approving IT policies or directives. Agency Information Technology (IT) directives often omit critical security, privacy, records management, and civil rights requirements when relevant stakeholders are not included in the IT Directives Review Process. If a Section 508 stakeholder is included within the life cycle of developing an IT policy, organizations can avoid legal risks and costly remediation. Directives Review processes improve the policy life cycle by including all relevant stakeholders, identifying potential impacts and opportunities for harmonization, and presenting opportunities for disparate agency components to collaborate and coordinate their efforts. Including Section 508 also helps socialize its requirements, which are often much less familiar than those for security and privacy.

Best Practice Guidelines


The Department of Transportation (DoT) has an IT Directives Review process that Section 508 practitioners, whether or not they have a similar agency review process, can draw from. The DoT CIO Office uses a formalized process to develop, review, approve and disseminate agency IT policies.

Originally, the Section 508 Coordinator’s office was not included as a stakeholder in the review process. Organizationally, the DoT Coordinator does not reside in the CIO’s office or within an IT organization. While this presents challenges, it should not discourage Section 508 practitioners. Through networking, a Section 508 Coordinator needs to successfully convince policy and process owners that representation within the Directives Review process is vital.

The Section 508 office should go beyond attending meetings and commenting on draft policies. Coordinators should use their stakeholder role as an opportunity to:

  • Educate components about accessibility and Section 508,
  • Ensure that policies and procedures support accessibility,
  • Identify common, critical points where policy or agency components intersect, so that potential accessibility conflicts can be identified and eliminated before policies are approved,
  • Ensure that policies permit the collection of metrics for the purpose of monitoring progress.

Whether an agency is large or small, centralized or decentralized, placement of Section 508 must be manifestly visible. Close coordination with the Directives Policy owner will result in greater exposure and a more meaningful outcome for Section 508 requirements.

IT Directives Review processes will vary in their structure. In the case of the DoT, the process is divided into three phases or rounds:

Round 1—Policy Components

  • Sponsor(s) and subject matter experts develop a first draft without stakeholders
  • Approval of first draft

Round 2—Informal Review

  • Stakeholders contribute comments to Round 1 documents (Section 508, Human Capital, Procurement, Privacy, Security, Legal Counsel, Capital Planning, etc.)
  • Sponsors reconcile all reviewer comments
  • Round 2 draft approved

Formal Review

  • Reviewed by Administrators, Commissioners, and Secretarial Offices
  • All comments are reconciled
  • IT Directive Sponsor presents the document to the CIO for final approval
  • CIO Approval and signature
  • Publish and distribute new IT directive

Benefits


The benefits of an IT Directives process are apparent and measurable. Few agencies have a similar process, but Section 508 practitioners can realize the benefits regardless. Implementing an effective program requires agency policies, and employing a similar peer and hierarchical review will improve those policies and their effectiveness.

The benefits of a Directives Review process include:

  • Providing a framework for addressing Section 508 requirements (and other legal, regulatory and policy requirements) during the policy development life cycle;
  • Establishing roles and responsibilities for relevant compliance requirements;
  • Improving policy by identifying potential conflicts and opportunities for harmonization, collaboration and coordination; and
  • Saving the numerous hours and costs inherent in remediation.

Applicability


The DoT and other agencies that deploy an IT Directives Review are generally large (40,000+ employees) and/or highly diversified agencies. Competing and potentially conflicting policies are not limited to large organizations, however. Within your organization, query whether such a process exists by asking many of the “Usual Suspects” in IT policymaking:

  • CIO Office
  • Legal Counsel
  • IT Procurement
  • Human Capital
  • Privacy Office
  • Security Office
  • Civil Liberties Office
  • Capital or Business Planning
  • Records Management