...
Identity/account concept: unique id, not reasigned, individual accounts, registration, proof of identity, processes for new users
- Authentication and authorization: authentication itself, authorization (roles/groups), quality of data (correctness, completeness), change management for data, life cycle of an account and user rights, closing accounts, rules for passwords (and enforcement of quality)
- Policies, processes and procedures: password policy, security policy, how often FIM updated, policies updated and monitored, privacy, access control policy
- Security: awareness, audits, IDS/intrusion tests, data protection, logfiles, monitoring, reports, updates, availability, up-to-date metadata
from AARC:
- Accounts belong to a known individual (i.e. no shared accounts)
- Persistent identifiers (i.e. are not re-assigned)
- Documented identity vetting (not necessarily F2F)
- Password authN (with some good practices)
- Departing user’s account closes/ePA changes promptly
- Self-assessment (supported with specific guidelines)