The TIER Security and Audit working group (SAWG) is charged with providing ongoing recommendations, oversight, and support of the TIER project through identification and review of security and audit standards and best practices for the TIER application suite as well as the delivery of TIER as a SaaS for higher education customers. In this case, we are defining “application suite” as the software developed by TIER and either used directly by schools or consumed as SaaS. The goals of the SAWG are to provide direction and feedback to TIER on the necessary best practices for secure coding as a part of the software design lifecycle; testing specifications to identify security issues; and standards and best practices that should be applied to TIER as a SaaS.
Workgroup focus and priorities will be listed in the accompanying Work Priorities document.
After the initial effort to support the building and packaging of the TIER applications, the working group will remain active to engage with stakeholders to provide advice and help define the standards for delivery of TIER as a SaaS, as well as propose improvements to logging and auditing to benefit TIER customers. The group may also be called upon to refine, review or add to existing standards or best practices and may be further engaged should the scope of TIER change.
The authority for making final decisions in such circumstances will rest with TIER project governance, not with this working group. The working group will also revise and update TIER security and audit standards and best practices following their professional judgment.
The working group will remain active until the TIER Adhoc Advisory group (TAA) brings it to a close. Activity will cease if the TAA group fails to reauthorize its continued operation at least annually, or by its specific decision.
The working group will leverage published standards, best practice documentation, established code security testing practices, and communication resources as much as possible. The working group will also vet any profiles, standards, best practices, or similar that it creates with recognized cognizant bodies.
Out of scope are security standards and best practices for organizations (e.g. schools) that operate TIER products.
1. Normative document identifying standards and best practices to be implemented within TIER development and release processes. Versioned.
2. In association with each TIER release, produce a report on the state of TIER products with respect to the standards and best practices identified in #1 above.