Procedure

Timeframe:

On average, ASRB reviews are completed in 6-8 business weeks once the request has been promoted to “In Progress”.

Submitting a Request

To initiate the review process, a department representative creates a service request ticket via the university IT Service Management ticketing tool system. The ITS Support Center can assist as needed.

The ASRB will review requested acquisitions to identify potential risks to the university, mitigations that must be implemented, or restrictions on the solution’s use. The ASRB will include Mason-identified Subject Matter Experts (SMEs) in their respective fields to facilitate mitigation of identified risks. Proposed solutions that appear to substantially duplicate existing services will require a business case outlining the justification, supported by business, stakeholder, and/or technical requirements. If, in the ASRB’s estimation, the proposed solution represents medium to high risk or complexity, the requester may be asked to provide additional documentation supporting the business or academic need.

Review and Evaluation

The ASRB considers a number of factors when evaluating a request, including but not limited to the following:

  • Intended user base of the service or application
  • Impact on the Mason community
  • Sensitivity level of data that will be accessed, stored, or output
  • Required integrations with Mason systems, including Single Sign-On
  • Compatibility with existing technology architecture and strategic roadmaps
  • Level of risk to the university

Completing a Review

Requests that appear to represent low risk and complexity will be forwarded on for purchasing and/or implementation.

Medium risk and complexity requests are dispositioned directly by the ASRB, resulting in approval or rejection. Rejected requests may be appealed to the ASRB for escalation to the Vice President/Chief Information Officer.

When an initial ASRB review determines that a submitted request is highly complex and/or would have a major impact on the University, the request may then be placed under a "waiting for approval" status and may follow a specialized review approval process prior to ASRB approval. ASRB requests associated with the Portfolio and Project Management Office may be subject to purchase timeframes identified during the Project Charter.

Preparing for ASRB Review

Once the requester has created a service request ticket via Mason’s IT Service Management ticketing tool system and has received email notification that a ticket has been created, preparation for the ASRB review needs to begin. The following artifacts can be prepared in advance of the ASRB review to facilitate and expedite the process. Some of the documents are mentioned in specific review sections.

  • Data dictionary for any data gathered and/or stored in the solution (SIA provides templates upon request).
  • Data definition and justification for any data requested from Mason systems or offices.
  • Data integration documentation specifying, but not limited to:
    • transmission method(s)
    • vendor supported integration method(s)
    • supported file format(s)
    • API information
  • Business process and data flow diagrams for complicated solutions.
  • Architecture diagram showing the proposed solution architecture and proposed integration.
  • Vendor security model/design document(s).
  • Educause Higher Ed Cloud Vendor Assessment Tool, if applicable
  • Assistive Technology Initiative's Vendor Assessment

Definitions

Data Definition

Data is defined as information processed, transmitted, and/or stored by a computer. Data is typically stored in forms including, but not limited to, the following:

  • documents
  • images
  • audio and video files
  • software

Data may be stored locally on a hard drive, on a server, or in the cloud.

Data may contain sensitive personal information that is regulated by university policy, state and federal regulations and laws. Policies are listed below.

Regulated Data Definition

Regulated data is any data or software element regulated by state/federal law, university policy, or other entity that the university is bound to comply with (contracts, agreements, etc.). Further, all software requests should be reviewed by the ASRB to determine if any data or software element is regulated by state/federal law, university policy, or other entity that the university is bound to comply with (contracts, agreements, etc.).

The following constitutes regulated data. A system, in this context, refers to software or multiple software/hardware components working together as a single process.

  • A system that uses extracted data or information from a Mason-owned system.
  • A system that uses Mason authentication (NetID and password).
  • A system that contains sensitive information (from Mason or captured by the software).
  • A system that will be installed on Mason's networks, specifically in a secured network zone or zone containing sensitive systems or data.
  • A system with a GUI must meet accessibility standards and comply with all accessibility policies, rules, regulations, and laws.
  • A system with other integration with Mason-owned systems.
  • A system with restrictions around import/export control.
  • A system requiring ITS resources and/or services.

Ticketing System Status Definitions

Status identifies the activity stage of the request. The status can be viewed by reviewing open requests in the university IT Service Management ticketing tool system under the Services tab and Ticket Request tab.

New: A request has been submitted and is being reviewed to determine if all information has been submitted. A request may not be moved to In Progress if the number of current In Progress reviews is at maximum capacity.

In Progress: A request is in current active review by the assigned team members.

Waiting for Approval: A request has had all reviews completed and has been submitted for final approval.

Waiting on Requester: A request is on hold until requested information has been supplied by the requester.

Closed: A request has been removed from the ASRB review process due to the explanation provided in the ITSM tool.

Resolved: A request has completed all reviews and final approval.

Rejected: A request has been rejected for use due to the explanation provided in the ITSM tool.

Canceled: A request has been requested to be removed from review by the requester.

On Hold: A request is waiting on further information before continuing with the ASRB process.