I. SCOPE
This policy applies to all George Mason University faculty and staff who may authorize the acquisition of information services and applications on behalf of the university.
II. POLICY STATEMENT
All procurement and/or development of software applications or information services that will use George Mason Protected data, will integrate with the university’s (George Mason’s) systems, or have a user interface must be reviewed and approved by the Architecture Standards Review Board (ASRB) and the Purchasing Department in advance of purchase or development. Additionally, all technology solutions and services where the availability, integrity, or confidentiality of the data that the solution/service uses may be critical to George Mason must also undergo ASRB review. This review is required for all new services and for significant changes to existing services; the depth of the review is based upon financial and technical thresholds. The intent is to verify compliance with federal, state, and university policies; reduce duplication of services; validate that appropriate implementation and support resources are available; and ensure compatibility with existing systems. Research applications that will not use George Mason data or integrate with George Mason systems must comply with all applicable policies but are exempt from ASRB review.
University Policy 2106: Purchase of Goods and Services delegates purchasing authority for dollar amounts of $5,000 or less to certain employees at the department level. Purchases of $5,000 or less are not routed to the Purchasing Department for approval. Departments and PCard and eVA authorized approvers are responsible for ensuring that all purchases, including those of $5,000 or less, comply with George Mason’s purchasing policies and regulations, including ASRB review requirements, and may not accept, sign, or approve terms of use that may include purchasing and/or legal terms and conditions that are not acceptable to the university (such as indemnification of a vendor, governing law of another state, payment of attorney’s fees, waiver of sovereign immunity, etc.). If a department requires assistance with a purchase, including negotiation of terms and conditions, it is responsible for contacting the Purchasing Department at purch1@gmu.edu.
For Free and Open-Source Software (FOSS), where no purchase is involved, departments and Information Technology (IT) teams facilitating the installation, integration, or use of the software must advise the requestor to submit for ASRB review and approval. The requestor is responsible for complying with all applicable George Mason policies and standards, including for requesting the ASRB review.
Proposed additions of services and software applications not deemed appropriate by the ASRB will not be approved for purchase, development, or implementation by any university unit.
III. DEFINITIONS
Architecture Standards Review Board (ASRB): A committee of university employees responsible for reviewing and approving proposed acquisitions of software applications and information services. The Board includes representatives from Information Technology Services, Purchasing, and the Assistive Technology Initiative.
Data Steward: A university employee responsible for stewardship of protected data as defined in University Policy 1114 Data Stewardship.
Department Representative: Any university employee, contractor, affiliate, or duly authorized member of the community with the authority to request the procurement or development of information services or software applications.
Free and Open-Source Software (FOSS): A term used to refer to groups of software consisting of both free software and open-source software, where anyone is freely licensed to use, copy, study, and change the software in any way, and the source code is openly shared so that people are encouraged to voluntarily improve the design of the software. This is in contrast to proprietary software, where the software is under restrictive copyright licensing and the source code is usually hidden from the users.
Information Service: In this context, refers to any vendor-provided service employing a combination of information technology and people to store, process, and/or transmit Mason data.
Protected Data: Highly Sensitive Data or Restricted Data, as defined by University Policy 1114: Data Stewardship.
Software Applications: Computing software designed to carry out a specific task, or tasks, other than those related to the operation of the computer itself.
University (George Mason’s) Systems: include applications, utilities, network, storage, compute, databases, and similar George Mason owned and/or operated assets that are either on-prem or in the cloud.
IV. RESPONSIBILITIES
Architecture Standards Review Board: The ASRB is responsible for the review and approval of software applications and information services in advance of purchase or development, regardless of cost or purchase price. Note that software applications and information services include but are not limited to cloud/web/internet-based software solutions.
This review will encompass the following items:
a) ensure compatibility with the current technology architecture;
b) verify compliance with accessibility and security standards;
c) verify compliance with federal, state and university policies;
d) review the proposed solution for any duplication of existing services and applications; and
e) validate that appropriate implementation and support resources are available.
Data Steward: The data steward works with the ASRB to ensure the project complies with applicable data stewardship policies, procedures, and regulations at the federal, state or university level.
Department Representative: Evaluates and documents the business or academic needs to be addressed by the proposed service or application. The department representative is responsible for preparing required documentation and submitting an ASRB service request.
Purchaser/Requestor: Requests, directly or through a delegate, the purchase or development of software or a service, and must adhere to all applicable George Mason policies and procedures throughout the lifecycle of the use of the software or service at George Mason for that instance of subscription or build. It is recognized that multiple departments or personnel may subscribe to a software product or service independently of each other. As a rule, the Purchaser/Requestor is designated as the Owner and is responsible for ensuring that its usage complies with George Mason policies. Where the Purchaser is different from the Requestor, the latter will be deemed the Owner unless otherwise noted on the ASRB ticket.
Purchasing Department: Administers all university purchases greater than $5,000. The Purchasing Department will assist the ASRB by confirming with the Department that applicable purchases that exceed $5,000 have received appropriate review and approval by the ASRB prior to procurement. If approval has not been granted, the Purchasing Department will not process the purchase requisition until the required review has taken place. The Department is ultimately responsible for confirming that their purchase complies with the ASRB requirements.
PCard and eVA Authorized Approvers: Review purchases and must refer the purchaser/requestor to the ASRB form when the purchase involves one or more of the following:
a) Use of Mason Protected data (as defined under University Policy 1114: Data Stewardship);
b) Integration with George Mason’s systems;
c) A user interface (this will warrant an Assistive Technologies/Accessibility review).
Fiscal Learning and Engagement: Administers mandatory training that must be completed before access to Fiscal systems, including PCard and eVA, is granted. Training is available via MasonLeaps and includes information on purchases that will qualify for ASRB review.
Vice President/Chief Information Officer: Reviews ASRB recommendations for requests involving elevated risk and complexity, and issues a decision factoring in resource availability, risk, and the university’s strategic direction. Serves as an escalation point for requests initially rejected by the ASRB.
V. COMPLIANCE
Information services and software applications found to be installed and operating without the approval of the ASRB are in violation of this policy and will be subject to appropriate corrective action, including deactivation and potential removal from the university’s systems and network.
VI. DATES
A. Effective Date:
The policies herein are effective July 21, 2008.
B. Date of Most Recent Review:
March 18, 2024
VII. TIMETABLE FOR REVIEW
This Administrative Policy shall be reviewed and revised, if necessary, annually to become effective at the beginning of the University’s fiscal year, unless otherwise noted.
Approved:
__/S_____________________
Deb Dickenson
Executive Vice President, Finance and Administration
__/S___________________
Kenneth D. Walsh
Interim Provost and Executive Vice President
Date approved: July 21, 2008
Revised: May 18, 2021
Revision approved: June 16, 2024
Page last updated: July 15, 2024