Appropriate Access: Levels of Assurance Stefan Wahe Office of Campus Information Security.


The Case Study: The University of Wisconsin System uses a loosely federated authentication system. Each of the 16 campuses maintains its own credential store and identity proofing processes. Business ERPs that contain personally identifiable information are beginning to use the federated authentication system.

Case Study: The Problem. It was unknown how each campus assures the: – Accuracy of an identity subject – Strength of the authentication token – Reliability of the controls and procedures that protect the credential store

Go from...

... to get to...

... to prevent something like: Man-in-the-Middle, Replay Attack, Password Guessing (Brute Force, Dictionary Attack), DDoS

Case Study: The Goal. Identify gaps by assessing the Credential Store against a standard. Measure the risk by considering the gaps. Report the risks to management: – What are the risks – How can the risks be reduced. Allow management to determine the risk mitigation strategy.

The CAF Assessment Tool Can be located at:

Creating a Self-Assessment Tool. Self-assessment questions were based on requirements and recommendations from: – InCommon Credential Assessment Profile r0.3 – NIST Electronic Authentication Guideline – NIST Recommended Security Controls for Federal Information Systems – Payment Card Industry Data Security Standard

The CAF Assessment Tool. The assessment tool consists of 37 questions (requirements). Five “disciplines” are represented: – Operations and Management – Authentication Protocol – Token Strength – Registration and Identity Proofing – Status Management

The Questions (section and example question):
Part 1: Operations and Management           Configuration Management
Part 2: Authentication Protocol             Stored Secrets
Part 3: Token Strength                      Password Policy
Part 4: Registration and Identity Proofing  Records Management
Part 5: Status Management                   CS Availability

Part 1: Operations and Management – 10. Configuration Management. a. Does the CS demonstrate a Configuration Management methodology that includes: i. A documented process for reviewing, approving and implementing changes; ii. Version control for software system components; iii. Timely identification and installation of all applicable patches for any software used in the provisioning of the CS.

Part 3: Token Strength – 28. Password Policy
a. What is the minimum required length of the password?
b. From password inception, is the total number of failed attempts tracked?
c. Are passwords prevented from containing the username and/or the Identity Subject’s proper name?
d. What is the maximum number of failed logon attempts before an account is locked?
e. How often are password changes required?
f. Can individuals recover lost or forgotten passwords?
g. Is password history maintained and used to prohibit the re-use of passwords? How many password changes are stored?
h. Are controls in place that prevent a consecutive character string of three or more (e.g. aaa, 111, …)?
i. Which of the following character sets are required in establishing a password: uppercase letters, lowercase letters, digits, special characters or control characters?
InCommon Token Strength (10): At this assurance level, the PIN (numeric-only) or Password, and the controls used to limit on-line guessing attacks, shall ensure that an attack targeted against a selected identity subject’s PIN or Password has a probability of success of less than 1 in 1,024 over the life of the PIN or Password. Refer to NIST SP Appendix A and the CAF Suite’s Entropy Spreadsheet to calculate resistance to online guessing.
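The InCommon requirement above ties the password policy answers (minimum length and composition, questions d and e on lockout and change frequency) to a single number: the probability that a targeted online guessing attack succeeds over the password's life. The following added example (not code from the presentation or from the CAF tool) evaluates two constructed policies against the 1-in-1,024 threshold; the per-character entropy table and the lockout-window model are assumptions of this example.

```python
from dataclasses import dataclass

# Threshold from the InCommon Token Strength requirement quoted above:
# a targeted online guessing attack must succeed with probability < 1 in 1,024.
MAX_SUCCESS_PROBABILITY = 1 / 1024

def user_chosen_password_entropy(length: int, composition_rule: bool) -> float:
    """Estimated entropy (bits) of a user-chosen password.
    Assumption: per-character values follow the NIST SP 800-63 (v1) Appendix A
    estimate: 4 bits for the first character, 2 bits each for characters 2-8,
    1.5 bits each for characters 9-20, 1 bit each beyond 20, plus a 6-bit bonus
    when upper-case and non-alphabetic characters are both required.
    The dictionary-check bonus is deliberately left out.
    """
    if length <= 0:
        return 0.0
    bits = 4.0
    bits += 2.0 * min(max(length - 1, 0), 7)
    bits += 1.5 * min(max(length - 8, 0), 12)
    bits += 1.0 * max(length - 20, 0)
    return bits + 6.0 if composition_rule else bits

@dataclass
class LockoutPolicy:
    max_failed_attempts: int     # question d: failed attempts before lockout
    unlock_after_hours: float    # how long the account stays locked
    password_lifetime_days: int  # question e: how often a change is required

def guesses_over_lifetime(policy: LockoutPolicy) -> int:
    """Guesses an attacker gets against one account during one password life.
    Model (an assumption of this example): every lockout window yields
    max_failed_attempts guesses, and windows repeat until the password expires.
    """
    windows = (policy.password_lifetime_days * 24) / policy.unlock_after_hours
    return int(policy.max_failed_attempts * max(windows, 1))

def online_guessing_success_probability(bits: float, policy: LockoutPolicy) -> float:
    return guesses_over_lifetime(policy) / 2 ** bits

def meets_token_strength(bits: float, policy: LockoutPolicy) -> bool:
    return online_guessing_success_probability(bits, policy) < MAX_SUCCESS_PROBABILITY

# Constructed policies for illustration, not figures from any campus report.
WEAK = LockoutPolicy(max_failed_attempts=10, unlock_after_hours=0.5, password_lifetime_days=180)
STRONG = LockoutPolicy(max_failed_attempts=5, unlock_after_hours=24, password_lifetime_days=90)

if __name__ == "__main__":
    for name, length, pol in (("weak", 8, WEAK), ("strong", 12, STRONG)):
        bits = user_chosen_password_entropy(length, composition_rule=True)
        p = online_guessing_success_probability(bits, pol)
        print(f"{name}: {bits} bits, {guesses_over_lifetime(pol)} guesses, "
              f"p={p:.2e}, meets requirement={meets_token_strength(bits, pol)}")
```

The weak policy fails because a short auto-unlock period hands the attacker tens of thousands of guesses per password life, even with an 8-character composition-rule password; lengthening the lockout and the password does more than tightening the attempt count alone.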

Case Study: The Process. Each campus provided: – A response to the assessment questionnaire. – A network scan of the devices that comprise the Credential Store Infrastructure. The responses were analyzed for compliance with: – Identity Proofing – Token Strength – Technical Controls

Case Study: The Process. Each campus was provided a report that identified: – Overall Status – Findings (Gaps and Risk) – Recommendation. The Governance Council was provided a report that identified the status of each campus’ credential store.

Case Study: The Process. Reports are provided to application or service owners upon request. Reports may be provided to Legislative Auditors upon request. Re-assessments occur every six months.

Who Was Involved: CIOs from each of the 16 campuses. Campuses had differing types of employees involved in completing the assessment: Chief Information Security Officer, Directory Services Analyst, Network Administrator, Security Analyst, System Administrator. * Typically employees with a strong technical understanding of the controls and requirements.

Findings: August ‘07 Assessment – No one campus was compliant in all five domains. – Some campuses were good at token strength. – Few campuses were positive in identity assurance. – Few campuses were strong in technical controls and processes.

Findings: January ‘08 Assessment. Progress!!!! Two campuses planned to be compliant in all five areas by October. – Some campuses improved their token strength. – Many campuses still struggle with identity assurance. Identified plans to meet requirements.

Case Study: General Findings. Documentation was lacking in most cases. Process was lacking in some cases (especially identity assurance). Some campuses were strong in technical controls and cryptographic algorithms. Some positive answers in the first assessment were answered in the negative during the second assessment.

Next Steps: We will begin conducting a third assessment in August. Some requirements will be audited (tested) during the third assessment. Update the Self-Assessment Tool to reflect the changes in the CAP/IAP. Provide documentation on how to meet requirements.

Other Considerations: Office of Admissions (sourcing applicants); Registrar’s Office (sourcing students); Human Resources (sourcing employees); Photo ID (identity proofing process); Help Desk (identity proofing process). Typically employees with a strong understanding of the business process, and employees who need to be able to follow the business process. Include business partners.

Other Considerations: ✓ Finalize the Identity Assurance Profile – with the assumption that it will change over time. ✓ Develop a self-assessment tool based on the IAP. ✓ Consider using a maturity scale for determining compliance. ✓ How do we verify our state of compliance?

Discussion... Stefan Wahe, University of Wisconsin - Madison