
Subject: Meeting the InCommon Assurance profile criteria using Active Directory


RE: [AD-Assurance] Proposed Alternative Means for End-User Use of Non-Compliant Technologies - DRAFT


  • From: "Rank, Mark" <>
  • To: "" <>
  • Cc: DHW <>
  • Subject: RE: [AD-Assurance] Proposed Alternative Means for End-User Use of Non-Compliant Technologies - DRAFT
  • Date: Mon, 1 Apr 2013 15:31:24 +0000
  • Accept-language: en-US
  • Authentication-results: sfpop-ironport04.merit.edu; dkim=neutral (message not signed) header.i=none

David et al.:

Just word smithing a bit...

Instead of...

"When compliance with some requirement in the IAP depends on a Subject's behavior, and it is not practical to prevent that behavior from occurring, it is acceptable to comply through the use of policy, education, and monitoring for non-compliant behavior.  The IdPO shall revoke the Subject's eligibility for affected profiles within 72 hours after detecting non-compliant behavior."

how about...

"When compliance with some requirement in the IAP depends on a Subject's behavior, and it is not practical to prevent that behavior from occurring, valid compensating controls may be considered. Proposed valid compensating controls would be an acceptable use policy that includes a recurring education component and a monitoring program to detect and report non-compliant behavior.  The IdPO shall revoke the Subject's eligibility for affected profiles within 72 hours after detecting non-compliant behavior."

Regards,
Mark

--------------------------------------------------
Mark Rank
Project Manager - Identity & Access Mgt
UCSF Information Technology Services (ITS)
email:
phn:414-331-1476
--------------------------------------------------

From: [] on behalf of David Walker []
Sent: Friday, March 29, 2013 11:15 AM
To:
Cc: DHW
Subject: [AD-Assurance] Proposed Alternative Means for End-User Use of Non-Compliant Technologies - DRAFT

Everyone,

I've drafted a proposed alternative means to address the general case of non-compliance due to end-user use of non-compliant technology (e.g., something that uses unencrypted LDAP against AD):

https://spaces.internet2.edu/x/zoE_Ag

Comments welcome.

David
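The thread's concrete case is end users (or their software) binding to Active Directory over unencrypted LDAP, and Mark's proposed compensating control is a monitoring program that detects and reports that behavior. The example below is added here as an illustration of what such a monitor can be built on; it is not code from the list, from InCommon, or from either author. It assumes the domain controllers' "16 LDAP Interface Events" diagnostic level has been raised to 2 so that Event ID 2889 (a simple bind over cleartext LDAP, or a SASL bind without signing) is written to the Directory Service log, and that those event messages have been exported as plain text in the format the DC writes. The sample events, hostnames, IP addresses and account names are constructed for the example.

```python
"""Summarise Active Directory Event ID 2889 records to report which
identities and client addresses are binding to AD over cleartext LDAP
(simple bind without TLS) or via SASL without signing.

Added example for the AD-Assurance discussion; not code from the list.
Assumption: DC diagnostics "16 LDAP Interface Events" = 2, and the 2889
event messages were exported as text in the shape of SAMPLE_EVENTS.
"""
import re
from collections import defaultdict

# Meaning of the "Binding Type" field in Event 2889.
BIND_TYPE = {
    "0": "SASL bind without signing",
    "1": "simple bind over cleartext LDAP",
}

# Constructed sample export of three 2889 events (IPv4 clients only;
# the identities and addresses are made up for this example).
SAMPLE_EVENTS = """\
Event ID: 2889
The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.
Client IP address:
10.1.2.3:51234
Identity the client attempted to authenticate as:
EXAMPLE\\jdoe
Binding Type:
1
Event ID: 2889
The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.
Client IP address:
10.1.2.3:51301
Identity the client attempted to authenticate as:
EXAMPLE\\jdoe
Binding Type:
1
Event ID: 2889
The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.
Client IP address:
10.5.0.9:40022
Identity the client attempted to authenticate as:
EXAMPLE\\svc-ldapapp
Binding Type:
0
"""

# One 2889 record: client IPv4 (port optional), identity, binding type.
EVENT_RE = re.compile(
    r"Client IP address:\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<port>\d+))?\s*\n"
    r"Identity the client attempted to authenticate as:\s*(?P<identity>.+?)\s*\n"
    r"Binding Type:\s*(?P<type>[01])"
)


def parse_2889(text):
    """Return a list of dicts, one per 2889 event found in the export."""
    records = []
    for m in EVENT_RE.finditer(text):
        records.append({
            "ip": m.group("ip"),
            "identity": m.group("identity"),
            "bind_type": m.group("type"),
            "description": BIND_TYPE[m.group("type")],
        })
    return records


def summarize(records):
    """Group events by identity: how often, from where, and which kind.

    The identity is the key because the IAP consequence (revoking the
    Subject's eligibility for affected profiles) attaches to the user,
    not to the client address.
    """
    by_identity = defaultdict(lambda: {"count": 0, "clients": set(), "bind_types": set()})
    for r in records:
        entry = by_identity[r["identity"]]
        entry["count"] += 1
        entry["clients"].add(r["ip"])
        entry["bind_types"].add(r["description"])
    # Freeze sets into sorted lists so the result is stable and printable.
    return {
        ident: {
            "count": e["count"],
            "clients": sorted(e["clients"]),
            "bind_types": sorted(e["bind_types"]),
        }
        for ident, e in by_identity.items()
    }


def report_lines(summary):
    """Render the summary as one line per non-compliant identity."""
    return [
        f"{ident}: {e['count']} event(s) from {', '.join(e['clients'])} "
        f"[{'; '.join(e['bind_types'])}]"
        for ident, e in sorted(summary.items())
    ]


if __name__ == "__main__":
    for line in report_lines(summarize(parse_2889(SAMPLE_EVENTS))):
        print(line)
```

Run against a real export the same way, substituting the Directory Service log text for SAMPLE_EVENTS; the output gives the per-identity list that the proposed acceptable use policy and the 72-hour revocation clause would act on. Note that Event 2889 only appears once the diagnostic level is raised, so a DC left at the default level will report nothing regardless of how many cleartext binds it serves.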



Archive powered by MHonArc 2.6.16.
