
Joining the Federal Federation: a Campus Perspective Institute for Computer Policy and Law June 29, 2005 Andrea Beesing IT Security Office.




1 Joining the Federal Federation: a Campus Perspective
Institute for Computer Policy and Law
June 29, 2005
Andrea Beesing, amb3@cornell.edu
IT Security Office, Cornell University

2 Topics of discussion
– Business drivers for Cornell's Shibboleth implementation and participation in InCommon and eAuthentication (eAuth)
– Overview of the federal eAuth credentials assessment framework (CAF) and Cornell's experience with it
– Areas identified as commendable
– Areas of common practice
– Differences with the federal government's CAF
– Where next?

3 Cornell business drivers
– Cornell Legal Music Pilot with Napster in summer 2004
– Library interest in:
  – Library vendors
  – DSpace
– Office of Sponsored Programs: streamlined process for grant submission
– Cornell University Weill Medical College: resource sharing between Cornell in Ithaca and Cornell in New York City

4 Broad objective of assessment
Baseline exercise to determine the area of common interest between the eAuth Initiative and Cornell in its involvement with Shibboleth and InCommon.

5 Assessment objective clarified
– Evaluate Cornell practices against the CAF
– Find areas of common practice between the Shibboleth community and eAuth, as well as differences
– Suggest changes where they would be beneficial to common operations
– Evaluate whether the two communities can be an operationally good fit

6 Assessment components
– CAF – Credential Assessment Framework
– CS – Credential Service
– CSP – Credential Service Provider
– CAP – Credentials Assessment Profile

7 Credential Assessment Framework
[Diagram, flattened in the transcript: Cornell University as the Credential Service Provider; the Credential Assessment Profile; a Credential Assessment Checklist covering NetIDs, GuestIDs, VMIDs and other credentials; the completed Credential Assessment Checklist and Credential Assessment Report; eAuthentication assessors & Cornell staff.]

8 Assessment categories and examples
(The number in parentheses is the assurance level at which the criterion applies.)
– Organizational maturity
  – Valid legal entity with authority to operate (1)
  – Risk management methodology (2)
– Identity proofing
  – Written policy on steps for identity proofing (2)
– Authentication protocol
  – Secrets encrypted when transmitted over the network (1)
  – Password not disclosed to third parties (2)

9 Assessment categories and examples
– Token strength
  – Password resistance to guessing, or entropy (1)
  – Stronger resistance to guessing (2)
– Status management
  – Revoked credentials cannot be authenticated (1)
  – Revocation of credential within 72 hours of invalidation or compromise (2)
– Credential delivery
  – Credential delivered in a manner that confirms the postal address of record or fixed-line telephone number of record (2)

10 Sample: CAF checklist for level 1

1. Assurance Level 1
1. Organizational Maturity

Columns: Tag | Description | Suggested Evidence of Compliance | Status (the Status column is blank in the sample)

Tag: Established
Description:
  1. The CSP shall be a valid legal entity, and a person with legal authority to commit the CSP shall submit the Assessment package.
  2. The operational system will be assessed as it stands at the time of the Assessment. Planned upgrades or modifications will not be considered during the assessment.
Suggested evidence of compliance:
  1. Articles of incorporation, Organizational Charter, Affidavit, etc.
  2. Demonstration

Tag: Authorization to Operate
Description:
  1. The CS shall have completed appropriate authorization to operate (ATO) as required by the CSP policies.
  2. The CSP shall demonstrate it understands and complies with any legal requirements incumbent on it in connection to the CS.
Suggested evidence of compliance:
  1. Copy of ATO or company authorization for Credential Service
  2. Asserted in Authorization document as set forth in GSA policies

Tag: General Disclosure
Description:
  1. The CSP shall make the Terms, Conditions, and Privacy Policy for the CS available to the intended user community.
  2. In addition, the CSP shall notify subscribers in a timely and reliable fashion of any changes to the Terms, Conditions, and Privacy Policy.
Suggested evidence of compliance:
  1. Terms, Conditions, & Privacy policies posted on Website
  2. Document how provider will do this.

11 Sample: CAP checklist for level 2

Columns: Tag | Description | Suggested Evidence of Compliance | Status (the Status column is blank in the sample)

Tag: Documentation
Description:
  1. The CSP shall have all security related policies and procedures documented that are required to demonstrate compliance.
  2. Undocumented practices will not be considered evidence.
Suggested evidence of compliance: Copies of or link to policies

Tag: Helpdesk
Description: A helpdesk shall be available for subscribers to resolve issues related to their credentials during the CSP's regular business hours, minimally from 9am to 5pm Monday through Friday.
Suggested evidence of compliance: Observe Helpdesk

Tag: Risk Mgt
Description: The CSP shall demonstrate a risk management methodology that adequately identifies and mitigates risks related to the CS.
Suggested evidence of compliance: Copy of Risk Assessment

1.1 Assurance Level 2
Assessment at Assurance Level 2 also requires validated compliance with all Assurance Level 1 criteria. That is, Assurance Level 2 assessments are cumulative of Assurance Levels 1 and 2.
1.1.1 Organizational Maturity

12 Assessment process steps
– Submit sign-up sheet
– Schedule assessment with eAuth team
– Submit documentation to eAuth team
– Prepare Cornell overview for assessment meeting
– Contact Cornell stakeholders to inform and/or schedule for eAuth team visit

13 Assessment process steps
– Day 1 of assessment
  – Provide background information on Cornell as credential provider
  – First pass through assessment checklist
  – Tour of data center
– Day 2 of assessment
  – Review draft of assessment report and checklist
  – Correct and clarify assessment checklist

14 Assessment process participants
– Identity Management team or equivalent
– IT Security Director
– IT Policy Director
– University Counsel
– IT Auditor
– Human Resources Records
– Computer Access staff
– University Registrar
– Business continuity planner
– Data center manager

15 Commendable areas
– Position of the Identity Management program within the IT organization
– Complete and up-to-date documentation for users
– Data center security

16 Cornell Information Technologies
[Organization chart, flattened in the transcript.]
VP, Info Tech
– Customer Services and Marketing *
– Information Systems *
– Distributed Learning Services
– Security Office (IT Security Director)
  – Identity Management: Authentication, Authorization, Directory Services, Provisioning Tools
  – Security Incident Response
  – Vulnerability Scanning
  – Network Anomaly Detection
  – Client Security
  – Security Consulting
– Network and Communication Services
– Systems and Operations
– Advanced Technology and Architecture
* Units performing account management functions connected with this credential service

17 Areas of common practice
– General approach to IT policy
  – IT policy framework
  – Quality of policy documents
– Effective channels for communicating policies
– Well-established disaster recovery plan
– Excellent delivery procedures for credentials

18 Differences with CAF – level 1 assessment
– Threat protection
  – Measures to prevent on-line guessing of passwords insufficient
  – Federal government's baseline recommendations: password life rules or lock-out rules
  – Uniqueness of password / forcing a password change when the user logs on for the first time
– Password life rules and lock-out are particularly problematic for universities
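The lock-out rule named in the federal baseline above, as an added illustration that is not code from the presentation or from Cornell: a per-account failure counter run over authentication-log lines that refuses further attempts for a fixed window once a threshold of failures is reached. The log format, the account names, the threshold of five failures and the fifteen-minute window are all assumptions chosen for this example, not values taken from the CAF. The run also shows one operational cost of such a rule: a correct password presented during the lock-out window is refused as well.

```python
"""Per-account lock-out rule over constructed authentication-log lines.

Added example; the log lines, account names and thresholds below are
invented for illustration and are not CAF values or Cornell data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample log (not real Cornell logs): ISO timestamp, account, outcome
SAMPLE_LOG = """\
2005-06-29T09:00:01 abc12 FAIL
2005-06-29T09:00:04 abc12 FAIL
2005-06-29T09:00:07 abc12 FAIL
2005-06-29T09:00:09 abc12 FAIL
2005-06-29T09:00:12 abc12 FAIL
2005-06-29T09:00:15 abc12 OK
2005-06-29T09:03:00 xyz99 FAIL
2005-06-29T09:20:00 abc12 OK
"""

MAX_FAILURES = 5                 # assumed threshold, not a CAF value
LOCKOUT_WINDOW = timedelta(minutes=15)  # assumed lock-out duration


@dataclass
class AccountState:
    failures: int = 0                       # consecutive failures since last success/lock
    locked_until: Optional[datetime] = None  # lock expiry, or None when not locked


def parse_log(text: str) -> List[Tuple[datetime, str, str]]:
    """Parse 'timestamp account outcome' lines into (datetime, account, outcome)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, outcome = line.split()
        events.append((datetime.fromisoformat(ts), account, outcome))
    return events


def run_lockout(events, max_failures=MAX_FAILURES, window=LOCKOUT_WINDOW):
    """Replay events in order; return (per-event decision, lock expiry per account).

    Decisions: ALLOWED (success), REJECTED (failure below threshold),
    LOCKED (failure that triggered the lock), DENIED_LOCKED (any attempt,
    correct password or not, while the account is locked).
    """
    state: Dict[str, AccountState] = {}
    locks: Dict[str, datetime] = {}
    decisions: List[str] = []
    for ts, account, outcome in events:
        st = state.setdefault(account, AccountState())
        if st.locked_until is not None and ts < st.locked_until:
            decisions.append("DENIED_LOCKED")   # lock applies regardless of outcome
            continue
        if st.locked_until is not None:
            st.locked_until = None              # lock expired: start counting afresh
            st.failures = 0
        if outcome == "OK":
            st.failures = 0
            decisions.append("ALLOWED")
            continue
        st.failures += 1
        if st.failures >= max_failures:
            st.locked_until = ts + window
            locks[account] = st.locked_until
            st.failures = 0
            decisions.append("LOCKED")
        else:
            decisions.append("REJECTED")
    return decisions, locks


def evaluate(events, max_failures=MAX_FAILURES, window=LOCKOUT_WINDOW) -> List[str]:
    """Decision for each event, in log order."""
    return run_lockout(events, max_failures, window)[0]


def lockout_report(events, max_failures=MAX_FAILURES, window=LOCKOUT_WINDOW) -> Dict[str, str]:
    """Accounts that were locked during the replay, with the lock expiry time."""
    return {a: t.isoformat() for a, t in run_lockout(events, max_failures, window)[1].items()}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for (ts, account, outcome), decision in zip(evs, evaluate(evs)):
        print(f"{ts.isoformat()} {account:6} {outcome:4} -> {decision}")
    print("locked:", lockout_report(evs))
```

In the sample, the fifth failure for abc12 triggers the lock, so the correct password at 09:00:15 is refused and only the attempt at 09:20:00, after the window has passed, succeeds; raising the threshold to ten leaves every attempt judged on its own outcome. The lockout_report output is the piece a help desk or security office would want alongside the decisions, since it lists which accounts the rule has taken out of service and until when.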

19 Differences with CAF – level 2
– Business Continuity Plan should be finalized
– Written policy or practice statement documenting all identity proofing procedures
– Better remote proofing procedures for alumni

20 Where next?
– eAuth FastLane pilot with U. of Washington, Penn State and U. of Maryland, Baltimore County
– Individual arrangements between the federal government and universities will not scale
– Goal will be interoperation between eAuth and InCommon
– InCommon does not now require the same level of accreditation as eAuth for either credential providers or service providers
– Accreditation could become an important function for any shared identity federation

21 For more information
– eAuthentication: http://www.cio.gov/eauthentication/
– eAuthentication credential assessment tool suite: http://www.cio.gov/eauthentication/CredSuite.htm
– Cornell IT Security Office web site (includes Identity Management): http://www.cit.cornell.edu/oit/Security.html
– Cornell's policy tutorial for new students: https://cuweblogin2.cit.cornell.edu/cuwl-cgi/policyPub.cgi

