SURFnet

Doc (in Dutch)

  • Simple (Single?) Sign On
    • How many systems/applications can be used with the account, authentication, identities in the organisation
  • Authorization
    • How many systems/applications can be authorized with the account, roles/groups, central or decentralised, types of groups/roles, differentiate between identities
  • Source: identified source system
    • which/how many source systems are used, manual input with documentation, one leading system, add attributes/information for SP
  • Policies?
    • for authorization, authentication, provisioning, standardisation, FIM, privacy; responsibilities for them; architecture; security policy; password policy; lifecycle for accounts; how often is FIM updated; how often are policies updated; are those policies in use; monitoring and updating policies
  • Processes and procedures
    • processes for new users, rules for username and email, verification of the identity, lifecycle, process how data is given to a third party, process to generate new passwords, how often is the data updated, reviews and reports, conclusions from reports and reviews
  • Suitable IdP System
    • standardised, which standard, availability, when available
  • Quality of data/identities
    • correctness, completeness, change management of data, verification of data with external databases/systems
  • Implementation of processes and procedures
    • clearly described, monitoring, ?, legal entity?
  • Security
    • awareness, audits, intrusion tests, classified, actions, data protection, log files

...

https://aaf.edu.au/wp-content/uploads/2015/04/AAF_example_org_report.pdf
https://aaf.edu.au/wp-content/uploads/2015/04/AAF_example_sum_report.pdf

  • Assurance: understand requirements, aware of identity proofing
  • Technical: attribute filtering, high availability configuration, deployment, responsibility for operation, monitoring, version of IdP software, version of Java JDK
  • User Interface: help desk, recover passwords, terms of use
  • Security: old versions, vulnerabilities, SHA-1 in metadata, web server and server configuration, open ports

ISO 27k

relevant: Annex A.9 of ISO/IEC 27001 and clause 9 of ISO/IEC 27002 (access control)

...

  • Identity/account concept: unique id, not re-assigned, individual accounts, registration, proof of identity, processes for new users
  • Authentication and authorization: authentication itself, authorization (roles/groups), quality of data (correctness, completeness), change management for data, life cycle of an account and user rights, closing accounts, rules for passwords (and enforcement of quality)
  • Policies, processes and procedures: password policy, security policy, how often FIM is updated, policies updated and monitored, privacy, access control policy
  • Security: awareness, audits, IDS/intrusion tests, data protection, log files, monitoring, reports, updates, availability, up-to-date metadata

from AARC:

  • Accounts belong to a known individual (i.e. no shared accounts)
  • Persistent identifiers (i.e. are not re-assigned)
  • Documented identity vetting (not necessarily F2F)
  • Password authN (with some good practices)
  • Departing user’s account closes/ePA changes promptly
  • Self-assessment (supported with specific guidelines)