Template for Hosted Application Architecture Review Checklist
All technical projects managed by UTS and R&HS must complete an architecture review conducted by the Architecture Review Team (ART) in the project's planning phase before they can be moved into the next phase, Project Execution & Control. A second Architecture Review should be conducted during the production readiness assessment.
Huron Engagement - eIACUC
August 14, 2017
The Institutional Animal Care and Use Committee (IACUC) is a working group that Emory appointed as required by the Animal Welfare Act (AWA) and PHS Policy on Humane Care and Use of Laboratory Animals. This project proposes the following:
Vendor Background and Viability
Huron is the consulting partner we rely upon for the eIRB at Emory University. Emory conducted a vendor evaluation and validated that the majority of commercial products are niche products, and that the only mature IACUC product was Huron. We demoed two vendors and Huron came out as the top choice. Huron has the only product currently on the market with the track record and the solution set to meet Emory's needs. We have based this assertion on the direct experience of other research institutions with our animal research volume as well as on our own testing of the product. In addition, since we have had Huron’s eIRB module up and running for many years, we have direct experience working with Huron as a solution provider. Given the frustration of faculty, administration, and information technology alike, and the inability of Topaz (the current vendor that the IACUC uses) to deliver a stable, reliable product, we recommend moving forward with the implementation of the Huron IACUC solution set.
Architecture Review Questions
Describe what data will be stored on this hosted application
Animal Protocol Information
Describe performance and scalability of this hosted application
Describe authentication/authorization of this hosted application
We will use Emory Shibboleth for Authentication. Similar to the eIRB, the business office (IACUC office) will maintain the authorization level of the user. Just like the eIRB, the eIACUC will provide a link for 'first time users' to easily request a level of access to the system.
Describe integration of this hosted application with other Emory applications
The Huron application will export files to be consumed by other Emory applications. These files will be transferred on a nightly basis.
Describe availability of this hosted application
Huron Consulting Group maintains an Information Security Management System (ISMS) and Business Continuity Management System (BCMS) to mitigate the risk associated with both Huron data and client data. Huron maintains both the ISO 27001 ISMS and ISO 22301 BCMS certifications for IT Infrastructure and applicable systems. Overall the policies provide three security features to the data we are protecting: Confidentiality, Integrity, and Availability.
Physical security at the datacenter is provided via two-factor authentication access restricted to authorized personnel, 24x7 security monitoring, video camera surveillance, motion sensors, and smoke and fire suppression systems. Network security is provided via redundant firewalls and routers, separate VLANs and subnets, virtual server segregation, intrusion detection hardware, and redundant domain controllers. All servers have antivirus and anti-malware installed. Additionally, Huron is certified ISO 27001 compliant.
Describe backup and disaster recovery of this hosted application
Describe monitoring of this application and the process of notifying Emory
Included in the maintenance agreement is 24x7 emergency coverage if the production site has a “Site Down”. Examples of a site down would include: unable to browse site; can browse site, but cannot log in; can log in, but can’t submit anything; etc. The 24x7 emergency assistance can be loosely defined as covering cases where critical functionality is unavailable to most users.
Huron always staffs three on-call software engineers and one network administrator to respond to after-hours emergency issues. Our Support and Subscription SaaS (Hosting) teams are tightly integrated and use the same process for interaction; you need only contact us through our Support mechanisms to get to any internal team within Huron for assistance.
Describe SLA and maintenance/support plan
Emory’s IACUC subscription has an 8x5 maintenance agreement; M-F 9am – 5pm local time zone. However, Huron has Software Engineers available from 6am to 6pm Pacific time and all clients benefit from the extra time that would be outside of those hours.
Will this application be used by EHC and, if so, has it been tested on the VDT?
No, this will not be used by Healthcare.
List challenges that the project team sees with the application for which it would like support/guidance from the Architecture Review Team.
Architecture Review Team Feedback
1) Investigate policies around obtaining Emory-owned data if a decision is ever made to leave the vendor.
I have information here. The subscription agreement that Emory has w/Huron states that Emory owns the data. I have attached two images that have information about that.
2) Look at adding CIs for this system in ServiceNow. (ITSM)
We have a meeting w/the ITSM team on 9/15 to discuss and get the CIs into ServiceNow. We already know who will be Tier 1 and Tier 2 (ORA Application Support).