Caveat: this document is written at the time when there is only one global scale, production interfederation, eduGAIN, but the procedure could be ported to similar interfederation models.

Role and responsibilities of eduGAIN

  • Follow the [IR] requirements described by Sirtfi, and [OS], [TR] and [PR] as applicable [1]
  • Provide a security contact point (e.g. security@edugain.org) available to all federation participants, federation operators, other federations and external organisations
  • Define communication channels to be used for security incident response by federation participants and Federation Security Incident Response Coordinators.
  • Appoint an eduGAIN Security Incident Response Coordinator when notified about a suspected security incident. This role may be played by a federation, federation participant or external entity as appropriate.
  • Ensure a unique identifier is assigned for each security incident
  • Provide or source technical expertise necessary to assist federation participants and Federation Security Incident Response Coordinators (forensics, technical investigation, log analysis, etc.)

The eduGAIN Security Incident Response Coordinator is responsible for following the “Security Incident Response Procedure for the eduGAIN Security Incident Response Coordinator”.


Security Incident Response Procedure for the eduGAIN Security Incident Response Coordinator

1. Assist federation participants and Federation Security Incident Response Coordinators in performing appropriate investigation, system analysis and forensics, and strive to understand the cause of the security incident, as well as its full extent. Identifying the cause of security incidents is essential to prevent them from reoccurring. The time and effort need to be commensurate with the scale of the problem and with the potential damage and risks faced by affected participants.
2. In collaboration with Federation Security Incident Response Coordinators, ensure all affected participants in all federations are notified via their security contact with a “heads-up” within one local working day.
3. Coordinate the security incident resolution process and communication with affected participants until the security incident is resolved.
4. Ensure suspension of service (if applicable) is announced in accordance with federation and interfederation practices.
5. Share additional information as often as necessary to keep all affected participants up to date with the status of the security incident and enable them to investigate and take action should new information appear.
6. Assist and advise participants in taking corrective action, or restoring access to service (if applicable) and legitimate user access.
7. Produce and share a report of the incident with all Sirtfi-compliant organisations in all affected federations within one month. This report should be labelled TLP AMBER [3] or higher.
8. Update documentation and procedures as necessary.


[1] https://refeds.org/wp-content/uploads/2016/01/Sirtfi-1.0.pdf

[2] https://refeds.org/metadata/contactType/security

[3] https://www.us-cert.gov/tlp