Architecture & Security Review

Statement of Purpose


The purpose of the Architecture and Security Review (ASR) is to partner with campus departments to act as a consultative and advising body during the selection and negotiation of a proposed technology product or service. The ASR does not approve or disapprove products, but will identify risks and provide actions and/or strategies to mitigate those risks. Having this discussion early in the selection process will optimize the service or product’s compatibility with the University’s information technology architecture, security, compliance, accessibility, and privacy principles. The ASR is a cross-functional team representing various areas in OIT: information security, network infrastructure, applications infrastructure, database management, web applications, research computing, and project management. The ASR will:

  • partner with the campus departments, along with the Project & Technology Consulting Office (PATCO) and the Service Management Office (SMO) from OIT, to help ensure the best outcome
  • collaborate with the requestor to resolve identified gaps or risks to develop a joint recommendation and mitigation strategy
  • look beyond the “go live” date to consider the risk and sustainability for the full life-cycle of a service or product
  • provide suggestions and observations for a successful implementation

The result of this collaborative process will be a recommended solution that is compatible with University architecture and mitigates risk. When the ASR is not confident in the security and/or risk of the solution, the ASR may from time to time elevate the review to Senior Staff for their decision on whether or how risks would be appropriately mitigated in order for a selected service or product to proceed. We will remain involved in the process to identify alternative actions or products.

ASR Schedule & Review Process

  • The ASR meets every Wednesday (3 - 4 p.m.) at 701 Carnegie Center, room 231A. Here is our calendar.

  • Reviews should be scheduled early in a project. A review would be useful during product selection for a software solution, during the design phase for a custom solution, or prior to a major change or update to an existing solution. For simple, known products, we might do a "light" review by one or two ASR members.

  • Request a review by identifying an available date on the ASR calendar. Complete and submit the ASR Intake and Background Form, and a representative from the Information Security Office will reach out to confirm receipt. Once the intake form is evaluated and the date of the review is confirmed, an email will be sent requesting additional documentation from the vendor (see ASR Documentation). It is important that the completed documents are received no later than five days prior to the review.

  • The lead contact and any project manager should plan to attend the ASR review meeting. It is important that the lead contact describe the technical elements of the product. The first 30 - 40 minutes of conversation will be among the members from the University areas. A technical representative from the vendor should be available for the second portion of the meeting.

  • The ASR will provide the lead and project manager a report of the conversation and security recommendations, which summarize the risks and outline mitigation strategies for the business owner and project team.

  • Prior to the product going live, the OIT project or change management team may initiate a second, brief ASR to validate whether the recommendations were implemented.