What You Can Expect from the TRA Process
Your initiative is important!
We realize that your intiative is important to Western University. The Technology Risk Assessment (TRA) process is intended to serve the needs of the organization as well as mitigate concerns you might have about risk and policy adherence.
We further understand that while risk might be revealed within the solution you are proposing, there may be equal or greater risk associated with not moving forward due to certain opportunities and advantages your solution affords either in your area or the institution more broadly.
The TRA Committee (TRAC) will render a technical risk opinion about the solution submitted - it will provide commentary on the soundness of the solution's security model, use of sensitive data, and the processes that underpin any commercial activities. The TRA process will also provide some indications of any issues related to Legal componentry.
NOTES ON EXPECTATIONS
Procurement Note: the TRA Committee (TRAC) process does not substitute for formal Request for Proposals (RFP), Request for Information (RFI), or Request for Quotes (RFQ) processes.
Please coordinate with Procurement Services (email@example.com) to ensure you are following the policies associated with procuring goods and services.
A few specific notes on the overall process:
- We recognize that there are risks associated with potential delays or deferred action or a risk opinion that problematizes the initiative you've put forward. While the TRA process is meant to help you understand the risks associated with implementing your solution, there are also potential risks to not moving forward. The opinion rendered by the TRA Committee (TRAC) is meant to be used as a collection of expertise from the areas represented in the committee.
- For an Administration or Operations-focused initiative, the decision to move forward with a proposed solution is largely* kept within the leadership of the unit or function you represent. The higher the risk with an initiative, the more deeply you should look at compensating controls or sign-off from relevant representatives from the university. For projects that are assessed at the highest risk level and fit the description of having high impact within the organization, the initiative will need to have the associated risks accepted by the VP stratum of the university.
* The TRA process culminates with an assessment. Legal, Privacy, and Financial Services components may continue beyond the TRAC process which may more directly affect the decision to move forward.
- For a Research-oriented initiative, ultimate decision-making is in the hands of the Principal Investigator**. The TRA Committee (TRAC) is on deck to provide an assessment to help the research team understand any potential risks and to provide suggestions in terms of how they might be mitigated.
** The TRA process culminates with an assessment. Depending on the risk level assigned and the items in play, the PI may need to work with Research Ethics (if applicable), Legal (if there is a contract), Privacy (if there are personnally identifiable information present), and/or WTS (if technologies need to be implemented or deeper security protocols need to be engaged).
- Given the understanding that the TRA process should be time-sensitive, it is important to pragmatically understand how the process would unfold. After the submission has been received (with all relevant and required documentation from yourself and/or the vendor), the TRA process should work within an approximate 4 week response window. There are representatives from each of the specified areas of the university that need to weigh in on your solution and the diligence required may take some time. The TRA Committee (TRAC) is scheduled to meet bi-weekly to move through documentation and there may be opportunities for your to attend, for clarity purposes. Unfortunately, there are many TRA submissions to look at that might affect the actual completion time.
- The TRA process will result in a summary of potential issues and analysis of the solution's risk profile within the organization. It is not a commentary on how the solution will address your specific business concerns.
- There may be residual processes that may seem to be part of the TRA process that are, in actuality, associated with tasks that fall outside of this scope.
Contract negotiation is a separate exercise which, if necessary, would include the offices of Legal Counsel and Procurement Services to help your initiative reach conclusion. While the TRAC process is designed to render an assessment in relatively quick fashion, contract negotation is dependent on a range of factors and can take some time to engineer.
firstname.lastname@example.org for more information on this process.
A Privacy Impact Assessment (PIA) may be required depending on the kind and nature of the data being used within your initiative (specifically, corporate data or research collection data). Composition and disposition of data are important within this context, as is the intended location of the data.
email@example.com for more information on this process.
Merchant account requisition and Bankcard Committee approval of ecommerce activities (if applicable) is another. The TRA will provide some commentary on ecommerce activities for the purposes of moving the procurement or initialization of the project to commence, but there will be a requirement to obtain a Western merchant account (from an approved vendor, if required) and a final approval from Bankcard Committee to use the apparatus. The reason for this is compliancy to the Payment Card Industries Data Security Standard (PCI DSS), which Western is required to achieve on an annual basis. The TRA opinion will inform the work that the Bankcard Committee will perform. The inclusion of eCommerce for your solution will automatically involve the Bankcard Committee so tht Western can maintain its audited compliancy, whether the application is locally-hosted at Western or is hosted within a 3rd party data centre or cloud-based location.
firstname.lastname@example.org for more information on this process.
Published on and maintained in Cascade CMS.