Subject: Meeting the InCommon Assurance profile criteria using Active Directory
Re: [AD-Assurance] Proposed Alternative Means for End-User Use of Non-Compliant Technologies - DRAFT
- From: David Walker <>
- To: "Rank, Mark" <>
- Cc: "" <>
- Subject: Re: [AD-Assurance] Proposed Alternative Means for End-User Use of Non-Compliant Technologies - DRAFT
- Date: Mon, 01 Apr 2013 09:58:34 -0700
- Authentication-results: sfpop-ironport07.merit.edu; dkim=pass (signature verified)
Eric, Mark, et al,
Some thoughts:
- In thinking about how to address Eric's comment about the kinds of non-compliance we would allow here, it occurred to me that maybe we don't really care too much, as long as it's corrected quickly. It had also occurred to me that I hadn't said anything about how quickly non-compliant behavior had to be detected, so I changed the "72 hours after detection" requirement to just "72 hours."
- Mark had some good comments to clarify what we mean by policy and education, but I realized that there are already expectations that the IdPO has policy and education for its community members, so I dropped those.
So, I've changed the statement on https://spaces.internet2.edu/x/zoE_Ag to say "When compliance with some requirement in the IAP depends on a Subject's behavior, and it is not practical to prevent that behavior from occurring through technical means, it is acceptable to comply through the use of a monitoring and mitigation program that detects non-compliant behavior and revokes the Subject's eligibility for affected profiles within 72 hours."
What do you think? Would it help to add something more specific about AD to the discussion? I was avoiding pointing fingers, but it might help with understanding of what we're trying to do.
David
On Mon, 2013-04-01 at 15:31 +0000, Rank, Mark wrote:
David et al.:
Just wordsmithing a bit...
Instead of...
"When compliance with some requirement in the IAP depends on a Subject's behavior, and it is not practical to prevent that behavior from occurring, it is acceptable to comply through the use of policy, education, and monitoring for non-compliant behavior. The IdPO shall revoke the Subject's eligibility for affected profiles within 72 hours after detecting non-compliant behavior."
how about...
"When compliance with some requirement in the IAP depends on a Subject's behavior, and it is not practical to prevent that behavior from occurring, valid compensating controls may be considered. Proposed valid compensating controls would be an acceptable use policy that includes a recurring education component and a monitoring program to detect and report non-compliant behavior. The IdPO shall revoke the Subject's eligibility for affected profiles within 72 hours after detecting non-compliant behavior."
Regards,
Mark
--------------------------------------------------
Mark Rank
Project Manager - Identity & Access Mgt
UCSF Information Technology Services (ITS)
email:
phn:414-331-1476
--------------------------------------------------
From: [] on behalf of David Walker []
Sent: Friday, March 29, 2013 11:15 AM
To:
Cc: DHW
Subject: [AD-Assurance] Proposed Alternative Means for End-User Use of Non-Compliant Technologies - DRAFT
Everyone,
I've drafted a proposed alternative means to address the general case of non-compliance due to end-user use of non-compliant technology (e.g., something that uses unencrypted LDAP against AD):
https://spaces.internet2.edu/x/zoE_Ag
Comments welcome.
David
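The non-compliant technology David names above is a client doing unencrypted LDAP against AD, and the draft's compensating control is a monitoring program that detects the behavior and revokes the Subject's eligibility within 72 hours. The following is an added illustration of such a monitor, not code from this thread or from the InCommon draft: it assumes the domain controllers log LDAP interface events to the Directory Service log (Event ID 2889, which records the client address, the identity bound as, and whether the bind was a cleartext simple bind), and it runs over constructed records flattened to one line each.

```python
from datetime import datetime, timedelta, timezone
import re

REVOCATION_WINDOW = timedelta(hours=72)  # the draft's "within 72 hours"

# Constructed sample records (not real log data), one per line:
# "<ISO time> 2889 <client IP>:<port> <identity> <binding type>"
# Binding type 1 = simple bind over a non-TLS connection (credential sent in the clear),
# 0 = SASL bind without signing.  Assumes LDAP interface event logging is enabled.
SAMPLE_EVENTS = [
    "2013-04-01T14:02:11Z 2889 10.20.30.40:51022 CAMPUS\\jdoe 1",
    "2013-04-01T14:02:12Z 2889 10.20.30.40:51023 CAMPUS\\jdoe 1",
    "2013-04-01T15:45:00Z 2889 10.20.31.7:61550 CAMPUS\\svc-ldapsync 0",
    "2013-04-01T16:10:09Z 2889 10.20.32.9:40011 CAMPUS\\asmith 1",
]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) 2889 (?P<ip>[\d.]+):\d+ (?P<identity>\S+) (?P<btype>[01])$"
)

def parse_event(line):
    """Return (timestamp, client_ip, identity, binding_type), or None for non-2889 lines."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["ip"], m["identity"], int(m["btype"])

def find_cleartext_binds(lines):
    """Group cleartext simple binds by identity and attach the 72-hour revocation deadline.
    Unsigned SASL binds (type 0) are excluded: no credential crossed the wire in the clear."""
    findings = {}
    for line in lines:
        parsed = parse_event(line)
        if parsed is None or parsed[3] != 1:
            continue
        ts, ip, identity, _ = parsed
        entry = findings.setdefault(identity, {"first_seen": ts, "clients": set()})
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["clients"].add(ip)
    for entry in findings.values():
        entry["revoke_by"] = entry["first_seen"] + REVOCATION_WINDOW
        entry["clients"] = sorted(entry["clients"])
    return findings

if __name__ == "__main__":
    for who, f in sorted(find_cleartext_binds(SAMPLE_EVENTS).items()):
        print(f"{who}: cleartext LDAP bind from {', '.join(f['clients'])}; "
              f"revoke eligibility by {f['revoke_by']:%Y-%m-%d %H:%MZ}")
```

The deadline is computed from the first observed bind, so a Subject who keeps binding in the clear does not push their own revocation date out.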