
This document has been written following the identification of a need within the Research and Education Federation communities for a tool by which to express and monitor compliance with policies and best practices. The self-assessment tool is intended to manage the quality standards self-evaluation process for the entities registered to the eduGAIN inter-federation service. At the time of inception, the following use cases were drivers for the development of a centralised, flexible tool:
  • the evaluation of Level of Assurance (LoA) for Identity Providers (IdPs)
  • the evaluation of LoA for Service Providers (SPs)
  • the assertion of compliance with the Security Incident Response Framework for Federated Identity (Sirtfi)
  • the assertion of compliance with the Data Protection Code of Conduct (CoCo)

 

Please comment in the document or send the editors (Hannah Short and Mikael Linden) an email if there is anything specific you would like to discuss. 

Software requirements specification

Draft requirements specification (please comment!): Google doc

Summary

Tool Use Cases

    - LoA assessment for IdPs
    - Sirtfi compliance for IdPs and SPs
    - GÉANT Data Protection Code of Conduct (CoCo) for SPs in the EU/EEA
    - SP Assurance level ("inverse" of IdP LoA assessment)

Key Requirements (for details, see the requirements specification)

    - Responsibility for the tool should sit at federation level; this does not preclude running the tool centrally, and it will aid scalability
    - The tool should send assessment requests to organisations based on the contact information published in federation (SAML) metadata
    - The tool should support multiple question types (yes/no and multiple choice)
    - Machine-readable responses (yes/no/multiple choice) should be supported by secondary, evidence-based free text
    - The tool should facilitate peer review; peer assignment should not be determined by the assessee
    - Results of assessments should be made available: an individual assessee's results are private to that assessee, but an aggregated view should be freely available
    - Federation operators (Fed Ops) should have access to all results of the assessments within their federation
    - Access control for an assessment should facilitate both private and public sharing
    - The tool should support re-assessment and have configurable behaviour in the event that the re-assessment is not done or if it fails
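As an added illustration of the requirements above (this is example code written for this page, not the assessment tool's own implementation), the snippet below shows how a tool could derive its assessment work list from federation metadata: which entities are IdPs or SPs, which address to send the request to, and what the entity already asserts about itself. It reads the standard SAML metadata elements, the REFEDS Sirtfi entity attribute value `https://refeds.org/sirtfi`, the REFEDS security contact (`remd:contactType="http://refeds.org/metadata/contactType/security"`) and the GÉANT CoCo v1 entity category. The metadata aggregate, the entity IDs, the addresses and the assessment names (`idp-loa`, `sp-assurance`, `coco`, `sirtfi`) are constructed for the example and are not real eduGAIN data.

```python
"""Added example (not the assessment tool's code): plan assessment requests
from SAML federation metadata.

Assumptions are labelled; the sample metadata below is constructed."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "remd": "http://refeds.org/metadata",
}

# Standard identifiers used in eduGAIN-style metadata.
ASSURANCE_ATTR = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
ENTITY_CATEGORY_ATTR = "http://macedir.org/entity-category"
SIRTFI = "https://refeds.org/sirtfi"
COCO_V1 = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
SECURITY_CONTACT = "http://refeds.org/metadata/contactType/security"

# Constructed sample aggregate: one Sirtfi IdP with a security contact,
# one CoCo SP with only a technical contact, and one IdP with no contacts.
SAMPLE_METADATA = """<md:EntitiesDescriptor Name="constructed-sample"
  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:remd="http://refeds.org/metadata">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
        <saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
    <md:ContactPerson contactType="technical">
      <md:EmailAddress>mailto:idp-admin@example.edu</md:EmailAddress>
    </md:ContactPerson>
    <md:ContactPerson contactType="other"
        remd:contactType="http://refeds.org/metadata/contactType/security">
      <md:EmailAddress>mailto:security@example.edu</md:EmailAddress>
    </md:ContactPerson>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
    <md:ContactPerson contactType="technical">
      <md:EmailAddress>sp-ops@example.org</md:EmailAddress>
    </md:ContactPerson>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://orphan.example.net/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def _emails(entity, contact_type=None, remd_type=None):
    """Email addresses of ContactPerson elements matching the given filters."""
    out = []
    for cp in entity.findall("md:ContactPerson", NS):
        if contact_type and cp.get("contactType") != contact_type:
            continue
        if remd_type and cp.get("{%s}contactType" % NS["remd"]) != remd_type:
            continue
        for e in cp.findall("md:EmailAddress", NS):
            addr = (e.text or "").strip()
            if addr.lower().startswith("mailto:"):  # strip the URI scheme
                addr = addr[len("mailto:"):]
            if addr:
                out.append(addr)
    return out


def _entity_attribute_values(entity, name):
    """Values of the mdattr:EntityAttributes attribute called `name`."""
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    return [(v.text or "").strip()
            for a in entity.findall(path, NS) if a.get("Name") == name
            for v in a.findall("saml:AttributeValue", NS)]


def plan_assessments(metadata_xml):
    """One work item per entity: roles, due assessments, recipients, flags."""
    root = ET.fromstring(metadata_xml)
    entities = root.findall(".//md:EntityDescriptor", NS)
    plans = []
    for ent in entities:
        roles = []
        if ent.find("md:IDPSSODescriptor", NS) is not None:
            roles.append("IdP")
        if ent.find("md:SPSSODescriptor", NS) is not None:
            roles.append("SP")
        tags = set(_entity_attribute_values(ent, ASSURANCE_ATTR))
        tags |= set(_entity_attribute_values(ent, ENTITY_CATEGORY_ATTR))
        # Assessment names are an assumption of this example (page use cases).
        due = []
        if "IdP" in roles:
            due.append("idp-loa")
        if "SP" in roles:
            due += ["sp-assurance", "coco"]
        due.append("sirtfi")  # Sirtfi applies to both IdPs and SPs
        security = _emails(ent, remd_type=SECURITY_CONTACT)
        technical = _emails(ent, contact_type="technical")
        recipients = security or technical  # prefer the security contact
        plans.append({
            "entity_id": ent.get("entityID"),
            "roles": roles,
            "assessments": due,
            "asserts_sirtfi": SIRTFI in tags,
            "asserts_coco": COCO_V1 in tags,
            "recipients": recipients,
            # No address to send to, or Sirtfi asserted without the security
            # contact Sirtfi requires: a Fed Op has to follow up by hand.
            "needs_manual_followup": not recipients or (SIRTFI in tags and not security),
        })
    return plans


if __name__ == "__main__":
    for plan in plan_assessments(SAMPLE_METADATA):
        print(plan)
```

The `needs_manual_followup` flag is where the "configurable behaviour" requirement bites: an entity with no usable contact can never complete a self-assessment, so the tool should surface it to the federation operator rather than silently leaving it unassessed.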
