Going for the Silver Winter 2010 CSG January 13, 2010.

What is it?
- When the University (Identity Provider) asserts to a third party (Relying Party) that you (the subject) are who we say you are,
- then that third party can trust that we have appropriate policies and practices in place (Identity Verification Process, or Proofing)
- to ensure that we knew with reasonable certainty who you were when your identity was created (Registration) and when we subsequently issued you credentials (Credential Issuance).
- Further, that we have sufficient policies, practices, and technologies in place that the relying party can be reasonably sure the credentials have not been compromised.

Why?
- For certain interactions with relying parties, we will have to be able to make assurances regarding identities in order for the relying party to allow our community to access the services they're requesting.
- Specific use cases:
  - NIH CTSA (Clinical and Translational Science Awards)
  - TeraGrid and International Grid Trust Federation
  - National Student Clearinghouse
  - NSF FastLane
  - Possible CIC private cloud services

What have we been doing?
- Started a gap analysis toward the end of 2008, when the InCommon guidelines were still in draft form
- Discovered that we had many gaps of various sizes
  - Some technical
  - Some policy
  - Some process
  - Some not trivial
- Decided that we should work toward an immediate goal of Bronze certification with a longer-term goal of Silver
- Put together a remediation plan over the summer of 2009
- In the meantime …

- Had the first contract appear that specified Bronze and Silver level assurances for different classes of access (National Student Clearinghouse)
- We decided that there was little value in achieving compliance with the Bronze level profile
  - Tom came to this conclusion through his various peer interactions
  - Primary reason being the judgment that not many (if any) high-value government interactions will be at the Bronze level
- Now we're focused on being able to make Silver level assurances
- CIC CIOs agreed that all CIC schools will be able to make Silver level assertions by Fall of 2011

The CIC and InCommon Silver
- CIC CIOs decided in August 2009 that all CIC schools should be Silver certified by Fall 2011
- Why?
  - Sustain adoption of fundamentally sound campus business practices and technologies in Identity Management
  - Expand inter-institutional collaboration
  - Support emergent trends, relationships, and needs on the national identity scene, and elevate the prominence of the CIC in those dimensions
- Project leads: Renee Shuey & Tom Barton

High level CIC Project Phases

Dissecting the problem
- Category "A" Activities
  - InCommon specifications 4.2.1, 4.2.6, and
  - Centered on documentation of policy, standards, and management of the operating infrastructure (SOP)
- Category "B" Activities
  - InCommon specifications 4.2.3, 4.2.5, and
  - Technical implementation issues regarding strength of authentication and shared secrets
- Category "C" Activities
  - InCommon specifications and
  - Proofing, registration, and credential issuance and management processes

Who needs Silver assurance?
[Chart: timeframe (sooner to later) against user group size (smaller to larger). Items plotted: NIH apps, TeraGrid, OSG, CILogon, NSC, Nat'l Labs, CIC storage cloud, CIC CourseShare, Payroll, caBIG, Benefits, Student Loans.]

What it will take us to do Silver
- Documentation, documentation, and more documentation
- Review and strengthen the linkages between registration, proofing, and credential issuance
- Create records management practices for the registration, proofing, and credential issuance processes
- Clean up legacy problems (e.g. no account lockout and non-expiring passwords)
- Possibly create a new credential (re)issuance process for people needing Silver
- Create a risk management plan and documentation
- Document operational management practices, e.g. change management, logging, administrative access controls, etc.

What else?
- Have an internal audit to ensure that our IdM policies and practices are consistent with all other institutional policies and practices for a service of this type
- Address audit points
- Have an audit specifically for Identity Assurance Profile compliance
- Address audit points
- Pop a cork
- Rinse and repeat every two years

Lightweight Project Planning
- Constraints
  - MS Project not ubiquitous
  - No SharePoint service in place, even if it were
  - Various OSS and freeware project management tools were examined and rejected as too immature
- Requirements
  - Has to be easily shareable to support collaboration, therefore a low security bar
  - Shouldn't require training
  - Should serve as an anchor to project collateral
- Solution: Google Docs Spreadsheet

Observations of a reformed auditor
- The InCommon "Assurance Profile Assessment Checklist"
  - Good starting point
  - Doesn't express the requirements in terms of audit controls
- What to expect to receive from an auditor
  - Qualified or unqualified opinion, hopefully without explanation, disclaimer, or adverse opinion
  - Statement of Attestation or Attestation of Compliance
  - A Type II external attestation puts the auditor's name on a statement that the controls are operating effectively.
- What will InCommon or relying parties require?
  - InCommon says that they want a letter from an independent auditor.
  - Does InCommon need to better define the controls to be tested?
  - Is this an internal assurance argument? If so, then we need to define the controls (TBD).
  - What will be an acceptable number of exceptions, and are there guidelines for compensating controls?
- Compliance: an all-or-nothing state?
  - From the auditor's point of view, either you're meeting the requirements or you are not
  - Business judgment enters in. Need to understand the full cost, including damage to reputation
  - How do you put lightweight controls in place to meet the objectives? How do you have rigor without going overboard?