Child pages
  • TIER Security and Audit Working Group Charter
Skip to end of metadata
Go to start of metadata

Note: this Working Group is not active as of 2018

Problem Statement

Deployers of TIER products should be confident these products are produced and maintained in a manner that minimizes the chance of them containing exploitable security vulnerabilities. They should also expect that the various TIER products all provide the capability to audit key operations, in a common manner. 


  • Deployers and operators of TIER products.
  • Those responsible for security and IT operations at organizations that operate TIER products.
  • Internal Auditors at deploying organizations.
  • TIER product architects and product managers.
  • TIER developers.
  • Internet2/TIER quality assurance staff.
  • R&E security community representative bodies.

Group Charter

The TIER Security and Audit working group (SAWG) is charged with providing ongoing recommendations, oversight, and support of the TIER project through identification and review of security and audit standards and best practices for the TIER application suite as well as the delivery of the TIER as a SaaS for higher education customers.  In this case, we are defining “application suite” as the software developed by TIER and either used directly by schools or consumed as SAAS.  The goal of the SAWG are to provide direction and feedback to TIER on the necessary best practices for secure coding as a part of the software design lifecycle; testing specifications to identify security issues; and standards and best practices that should be applied to TIER as a SAAS.  

Workgroup focus and priorities will be listed in the accompanying Work Priorities document.

After the initial effort to support the building and packaging of the TIER applications, the working group will remain active to engage with stakeholders to provide advice and help define the standards for delivery of TIER as a SaaS, as well as propose improvements to logging and auditing to benefit TIER customers.  The group may also be called upon to refine, review or add to existing standards or best practices and may be further engaged should the scope of TIER change.

 The authority for making final decisions in such circumstances will rest with TIER project governance, not with this working group. The working group will also revise and update TIER security and audit standards and best practices following their professional judgment.

The working group will remain active until the TIER Adhoc Advisory group (TAA) brings it to a close. Activity will cease if the TAA group fails to reauthorize its continued operation at least annually, or by its specific decision.

The working group will leverage published standards, best practice documentation, established code security testing practices, and communication resources as much as possible. The working group will also vet any profiles, standards, best practices, or similar that it creates with recognized cognizant bodies.

Out of scope are security standards and best practices for organizations (e.g. schools) that operate TIER products.


 Primarily security professionals from Contributor organizations, with representation welcome also by those with privacy, development, audit, and QA experience and perspectives. Lead developers from TIER products will be included on an as-needed basis.


  1. Normative document identifying standards and best practices to be implemented within TIER development and release processes. Versioned.

  2.  In association with each TIER release, produce a report on the state of TIER products with respect to the standards and best practices identified in #1 above.

Internet2 Support Needed

  • Basics: scribe, list, phone bridge/webex, doc location.
  • The TIER development and release process may need to include pen testing or other security assessment in order to implement the WG’s standards and best practices in Deliverable #1 and to provide data for Deliverable #2.
  • TIER developers, QA people, maybe others will need to allocate some time to coordinate their work with this working group.

See Also:

TIER Working Groups Home


  • No labels