Meeting the InCommon Assurance profile criteria using Active Directory

[David Walker <>]

Eric, Mark, et al,

Some thoughts:

• In thinking how address Eric's comment about the kinds of non-compliance we would allow here, it occurred to me that maybe we don't really care too much, as long as it's corrected quickly.  It had also occurred to me that I hadn't said anything about how quickly non-compliant behavior had to be detected, so I change the "72 hours after detection" requirement to just "72 hours."
• Mark had some good comments to clarify what we mean by policy and education, but I realized that there are already expectations that the IdPO has policy and education for its community members, so I dropped those.

So, I've changed the statement on https://spaces.internet2.edu/x/zoE_Ag to say "When compliance with some requirement in the IAP depends on a Subject's behavior, and it is not practical to prevent that behavior from occurring through technical means, it is acceptable to comply through the use of a monitoring and mitigation program that detects non-compliant behavior and revokes the Subject's eligibility for affected profiles within 72 hours."

What do you think?  Would it help to add some more specific about AD to the discussion?  I was avoiding pointing fingers, but it might help with understanding of what we're trying to do.

David

On Mon, 2013-04-01 at 15:31 +0000, Rank, Mark wrote:
>     David et al.: 
>     
>     
>     Just word smithing a bit...
>     
>     
>     Instead of...
>     
>     
>     "When compliance with some requirement in the IAP depends on a Subject's behavior, and it is not practical to prevent that behavior from occurring, it is acceptable to comply through the use of policy, education, and monitoring for non-compliant behavior.  The IdPO shall revoke the Subject's eligibility for affected profiles with 72 hours after detecting non-compliant behavior."
>     
>     
>     how about...
>     
>     
>     "When compliance with some requirement in the IAP depends on a Subject's behavior, and it is not practical to prevent that behavior from occurring, valid compensating controls may be considered. Proposed valid compensating controls would be an acceptable use policy that includes a recurring education component and a monitoring program to detect and report non-compliant behavior.  The IdPO shall revoke the Subject's eligibility for affected profiles with 72 hours after detecting non-compliant behavior."
>     
>     
>     Regards,
>     Mark
>     
>     
>     --------------------------------------------------
>     Mark Rank
>     Project Manager - Identity & Access Mgt
>     UCSF Information Technology Services (ITS)
>     email: 
>     phn:414-331-1476
>     --------------------------------------------------

---

>     From:  [] on behalf of David Walker []
>     Sent: Friday, March 29, 2013 11:15 AM
>     To: 
>     Cc: DHW
>     Subject: [AD-Assurance] Proposed Alternative Means for End-User Use of Non-Compliant Technologies - DRAFT
>     
>     
>     
>     Everyone,
>     
>     I've drafted a proposed alternative means to address the general case of non-compliance due to end-user use of non-compliant technology (e.g., something that uses unencrypted LDAP against AD):
>     
> >         https://spaces.internet2.edu/x/zoE_Ag 
> >     
>     
>     Comments welcome.
>     
>     David