Note: The TIER Security and Audit Working Group is currently inactive. Functional security for the components of TIER is currently being handled within the ongoing TIER working groups. For a list of all active TIER Working Groups visit the Working Group home page.


Previous Working Group Chair: Helen Patton, The Ohio State University

TIER-Security and Audit Working Group Home

Working Group Chair: (group currently inactive)

Problem Statement


Deployers of TIER products should be confident these products are produced and maintained in a manner that minimizes the chance of them containing exploitable security vulnerabilities. They should also expect that the various TIER products all provide the capability to audit key operations, in a common manner. 

Stakeholders/Influencers/Influences


  • Deployers and operators of TIER products.
  • Those responsible for security and IT operations at organizations that operate TIER products.
  • Internal Auditors at deploying organizations.
  • TIER product architects and product managers.
  • TIER developers.
  • Internet2/TIER quality assurance staff.
  • R&E security community representative bodies.

Group Charter


The TIER Security and Audit working group (SAWG) is charged with providing ongoing recommendations, oversight, and support of the TIER project through identification and review of security and audit standards and best practices for the TIER application suite, as well as the delivery of TIER as a SaaS for higher education customers. In this case, we are defining “application suite” as the software developed by TIER and either used directly by schools or consumed as SaaS. The goals of the SAWG are to provide direction and feedback to TIER on the necessary best practices for secure coding as a part of the software design lifecycle; testing specifications to identify security issues; and standards and best practices that should be applied to TIER as a SaaS.

Workgroup focus and priorities will be listed in the accompanying Work Priorities document.

After the initial effort to support the building and packaging of the TIER applications, the working group will remain active to engage with stakeholders to provide advice and help define the standards for delivery of TIER as a SaaS, as well as propose improvements to logging and auditing to benefit TIER customers.  The group may also be called upon to refine, review or add to existing standards or best practices and may be further engaged should the scope of TIER change.

The authority for making final decisions in such circumstances will rest with TIER project governance, not with this working group. The working group will also revise and update TIER security and audit standards and best practices following their professional judgment.

The working group will remain active until the TIER Adhoc Advisory group (TAA) brings it to a close. Activity will cease if the TAA group fails to reauthorize its continued operation at least annually, or by its specific decision.

The working group will leverage published standards, best practice documentation, established code security testing practices, and communication resources as much as possible. The working group will also vet any profiles, standards, best practices, or similar that it creates with recognized cognizant bodies.

Out of scope are security standards and best practices for organizations (e.g. schools) that operate TIER products.

Membership

Primarily security professionals from Contributor organizations, but representation is also welcome from those with privacy, development, audit, and QA experience and perspectives. Lead developers from TIER products participate on an as-needed basis.

Deliverables

  1. Normative document identifying standards and best practices to be implemented within TIER development and release processes. Versioned.

  2. In association with each TIER release, produce a report on the state of TIER products with respect to the standards and best practices identified in #1 above. Report is available to working group members and select community

  3. Annual work plan for Security and Audit Working Group. Plan for 2017 available here. 

Internet2 Support Needed


  • Basics: scribe, list, phone bridge/webex, doc location.
  • The TIER development and release process may need to include pen testing or other security assessment in order to implement the WG’s standards and best practices in Deliverable #1 and to provide data for Deliverable #2.
  • TIER developers, QA people, maybe others will need to allocate some time to coordinate their work with this working group.


See Also:

TIER Working Groups Home

Background information on TIER, Internet2 initiative on Trust and Identity in Education and Research
