...

Maturity Templates

SURFnet: Doc (in Dutch)

  • Simple (Single?) Sign On
    • How many systems/applications can be used with the account, authentication, identities in the organisation
  • Authorization
    • How many systems/applications can be authorized with the account, roles/groups, central or decentralised, types of groups/roles, differentiate between identities
  • Source system
    • Which/how many source systems are used, manual input with documentation, one leading system, add attributes/information for SPs
  • Policies?
    • For authorization, authentication, provisioning, standardisation, FIM, privacy; responsibilities for them; architecture; security policy; password policy; lifecycle for accounts; how often FIM is updated; how often policies are updated; whether those policies are in use; monitoring and updating of policies
  • Processes and procedures
    • Processes for new users, rules for usernames and email addresses, verification of the identity, lifecycle, process for how data is given to a third party, process to generate new passwords, how often the data is updated, reviews and reports, conclusions drawn from reports and reviews
  • IdP System
    • Standardised, which standard, availability, when available
  • Quality of data
    • Correctness, completeness, change management of data, verification of data against external databases/systems
  • Implementation of processes and procedures
    • clearly described, monitoring, ?, legal entity?
  • Security
    • Awareness, audits, intrusion tests, classification, actions, data protection, logfiles

haka: Excel file (in English)

...

  • Responsibility for each information asset, assets clearly identified and documented

...

...

  • Firewall rules defined to allow only the traffic described in the configuration documentation, IdP in a DMZ, internal and external zones, IDS, IPS, automated port scans executed regularly, management interfaces separated

...

  • Monitoring system plus logs, automated alerting messages, reports, checks that no personal data is logged (to avoid privacy issues), automation
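The haka item above asks for an automated check that no personal data ends up in IdP logs. The following is an added example (not part of the SURFnet or haka templates) of what such a check can look like: it scans log lines for email addresses and client IP addresses, reports the offending lines, and produces a redacted copy. The log format and the sample lines are constructed for the example; the two patterns are deliberately narrow and a real deployment would extend them to whatever identifiers its attribute release actually carries.

```python
import re

# Constructed sample IdP log lines (not taken from any real deployment).
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z INFO login ok sp=https://sp.example.org/shibboleth uid=h:9f2a",
    "2024-01-01T10:00:01Z DEBUG attribute release mail=alice@example.org sp=https://sp.example.org/shibboleth",
    "2024-01-01T10:00:02Z WARN login failed from 203.0.113.7 uid=h:1c44",
]

# Patterns for personal data that should not appear in plain text in IdP logs.
# Email addresses and client IP addresses are the common offenders; extend as needed.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def find_personal_data(line):
    """Return a list of (kind, matched_text) for every personal-data hit in one log line."""
    hits = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(line):
            hits.append((kind, m.group(0)))
    return hits


def redact(line):
    """Return the line with every personal-data hit replaced by a labelled placeholder."""
    for kind, rx in PATTERNS.items():
        line = rx.sub("<%s-redacted>" % kind, line)
    return line


def audit_log(lines):
    """Check a batch of log lines.

    Returns (offending_line_numbers, redacted_lines): the 1-based numbers of the
    lines that contained personal data, and a copy of the batch with those hits
    redacted. Run it periodically against a log sample, or put redact() in front
    of the log sink so the data never reaches disk in the first place.
    """
    offending = []
    cleaned = []
    for n, line in enumerate(lines, start=1):
        if find_personal_data(line):
            offending.append(n)
        cleaned.append(redact(line))
    return offending, cleaned


if __name__ == "__main__":
    bad, cleaned = audit_log(SAMPLE_LOG)
    print("lines with personal data:", bad)
    for line in cleaned:
        print(line)
```

On the constructed sample the check flags lines 2 and 3 (an email address released as an attribute, and a client IP in a failed-login message) and leaves line 1, which only carries a hashed user identifier, untouched.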

...


...

  • Remote root or admin logins forbidden, default passwords changed

...

  • Description of the identity management behind the IdP, unique identities, verification, shared secrets, password policy, minimum password length, password complexity enforcement, password lifetime, passwords distributed over secure channels, strong authentication

...

  • Vulnerability scanning tools, critical updates, up-to-date metadata

...

  • Statistics on authentications, accounts disabled, statistics on SPs, regularity of statistics

...

  • Legal and contractual compliance, user acceptance, consent of end users, due notification of changes to the service is in place, privacy policy for the service

...

  • Backup copies, restore procedure tested, backups in a secure location, incident response procedures, known what should be done in the case of a compromise of the certificate private key

...

-> moved to Maturity Template page

Recommendations

SWAMID - eduID

...