The following organizations may be a part of the ASRB review process and will have specific areas of the request they will be reviewing:
- Solution Integration and Architecture (SIA)
- Project Management Office (PMO)
- Enterprise Applications (EA)
- Enterprise Infrastructure Services (EIS)
- Information Technology Security Office (ITSO)
- Accessible Technology Initiative (ATI)
- The owner of any data requested, if applicable (e.g., HR, Registrar, Finance, etc.)
- Other Departments
Solution Integration and Architecture (SIA)
SIA reviews the overall integration needs of a given project. The group makes sure that all systems that need to communicate with the requested software have been identified, and that the owners of those systems are involved in the review process. They make sure that ITS has the skills necessary to support one or more of the identified integration methods, and that the needs of those groups to do the work is identified and addressed. To do this, SIA will do the following:
- Review authentication requirements and provide guidance on the best solution.
- Provide an optional Cloud review for externally hosted applications to make sure a given solution is well designed and unlikely to have hidden costs or liabilities.
- Review integration, data transfer, or other functional and technical documents and provide guidance on missing and/ or incomplete information.
- Review and make recommendations on solution design and architecture to fit in the university environment.
- Review business process documentation, architecture diagrams, and data flow diagrams against university policy and standards.
Project Management Office (PMO)
If the request is a large integration it may have to be put in the ITS project schedule and go through ITGG prioritization. This is not a review, but the prioritization of the effort will determine when and how the request will be implemented by ITS teams.
Enterprise Applications (EA)
EA becomes involved if:
- Banner or integration with Banner or associated systems is part of the request (examples of associated systems are COEUS (Grants Management), Document Management (BDMS), Workflow, Residential Management System (RMS)).
- Integration or modification of systems/applications supported by EA. Examples of supported applications are Travel Reporting System (TRS), Online Deposit Application, Enrollment Central.
- Use of Business Intelligence for operational and strategic reporting and/or advanced analytics.
- Creation of data marts to collect and simplify data reporting from disparate sources or (where feasible) use enterprise BI reporting tools to report directly from unstructured data.
- Use of Content Management systems to manage website content.
- Development and/or deployment of enterprise Web-based applications.
- Utilization of Workflow tools to enhance and automate business processes.
- Integration or implementation of enterprise Document Management/Imaging systems.
Enterprise Infrastructure Services (EIS)
EIS becomes involved if:
- The request requires ITS supported hardware or software.
- The request uses central Authentication (Mason netID and password).
- The request includes colocation (colo) hardware/software services (Virtual Servers).
This review checks to make sure that:
- The requested server/software meets ITS architecture requirements and is supportable.
- There is sufficient staff resources to both implement and support the request.
- The request can be completed in a reasonable time frame (and provide that time frame).
Information Technology Security Office (ITSO)
The ITSO is charged with protecting information technology security. When making a purchase, the following IT security considerations should be addressed:
- Does the solution store, transmit, or receive data that is protected by law (e.g., CUI, HIPPA, FERPA, etc.) or Mason policy (e.g., University Policy Number 1114: Data Stewardship)? If so, the vendor will be required to sign a Data Sharing agreement.
- Does the solution provide data whose accuracy and integrity are mission critical to the university?
- Is the university dependent on the solution, such that a failure of the solution would result in a failure of the university to provide core services?
If ANY of the above conditions are true, ITSO will need to review the ASRB request. Most vendors have some documentation that can be provided that document the security of their software and/or hardware.
Preparing the following documentation prior to ASRB submission will expedite the process:
- Authentication Documentation—how do you log in/on to the application/system
- If the solution will use Mason NetID and password, the solution will need to be able to integrate with either Shibboleth or Central Authentication Service (CAS). If the vendor does not know what either authentication systems are, does not have existing integration paths for them, and/or cannot provide documentation around their integration with those systems, the review and implementation may be delayed.
- Data documentation—A list of data elements that will be transmitted to and/or stored in the solution with:
- Source system (e.g., Banner, Shibboleth, CAS, local, etc.)
- Data transmission method(s) used by the vendor
- Table and field name(s)—if known
- Justification—a business justification for the field(s). This is only required for protected data elements.
- If this is a cloud product, and any data is to be stored is regulated by state or federal law, is Personally Identifiable Information (PII), or could otherwise be considered sensitive, the vendor may be required to provide a SOC II assessment and asked to complete a risk assessment questionnaire. Examples of questionnaires are Educause Higher Ed Cloud Vendor Assessment Tool and Assessment questionnaire based upon the FedRAMP framework.
- Vendor policies around liability for security breaches, to include: notification, indemnity, auditing, and review.
Accessible Technology Initiative (ATI)
The role of the ATI office is to make certain that ASRB requests meet Section 508 accessibility requirements. Helping the software vendor understand what these are can greatly speed up the review process. ATI generally needs the following items to complete their review. Detailed information on what these are for and what the expectations are can be found here.
- A Section-508-VPAT_distributed from the vendor.
- A software demo that can be evaluated for accessibility.
Data owners use the same data document as the ITSO and check the following:
- Are any of the fields being requested restricted?
- Is the data in the fields being requested reliable enough to be used in the manner requested?
- Would releasing any of the data create support or data integrity issues?
Other reviews could include, but are not limited to, legal, purchasing, or any other group and will be involved as needed to make sure that a given solution’s risk is understood and acceptable given the benefit it provides. These reviews are less common, and their involvement will be determined based on the risk presented by a given request.