Statement of Purpose
The purpose of the Architecture and Security Review (ASR) is to partner with campus departments to act as a consultative and advising body during the selection and negotiation of a proposed technology product or service. The ASR does not approve or disapprove products, but will identify risks and provide actions and/or strategies to mitigate those risks. Having this discussion early in the selection process will optimize the service or product’s compatibility with the University’s information technology architecture, security, compliance, accessibility, and privacy principles. The ASR is a cross-functional team representing various areas in OIT: information security, network infrastructure, applications infrastructure, database management, web applications, research computing, and project management. The ASR will:
- partner with the campus departments, along with the Project & Technology Consulting Office (PATCO) and the Service Management Office (SMO) from OIT, to help ensure the best outcome
- collaborate with the requestor to resolve identified gaps or risks to develop a joint recommendation and mitigation strategy
- look beyond the “go live” date to consider the risk and sustainability for the full life-cycle of a service or product
- provide suggestions and observations for a successful implementation
The result of this collaborative process will be a recommended solution that is compatible with University architecture and mitigates risk. When the ASR is not confident in the security and/or risk of the solution, the ASR may from time to time elevate the review to Senior Staff for their decision on whether or how risks would be appropriately mitigated in order for a selected service or product to proceed. We will remain involved in the process to identify alternative actions or products.
ASR Schedule & Review Process
The ASR meets every Wednesday (3 - 4 p.m.) at 701 Carnegie Center, room 231A. Here is our calendar.
Reviews should be scheduled early in a project. A review would be useful to product selection for a software solution, during the design phase for a custom solution, or prior to a major change or update to an existing solution. For simple, known products, we might do a "light" review by one or two ASR members.
Request a review by identifying an available date on the ASR calendar and email your request to ASRemail@example.com. Please name the product and the lead contact from your business office. Ideally, you will also attach a Product Review Form at the same time, but we need to receive it no later than the Friday afternoon prior to the scheduled Wednesday review. It is important that the vendor or the lead contact describe the technical elements of the product.
The lead contact and any project manager should plan to attend the ASR review meeting. The vendor should also be available for the second portion of the meeting (so please bring the vendor phone number to the meeting). The first 30 - 40 minutes of conversation will be among the members from the University areas; if there are remaining questions, we will call the vendor after that time.
The ASR will provide the lead and project manager a report of the conversation and security recommendations, which summarize the risks and outline mitigation strategies for the business owner and project team.
Prior to the product going live, the OIT project or change management team may initiate a second, brief ASR to validate whether the recommendations were implemented.