assurance - RE: [Assurance] Silver assurance and process compliance
Subject: Assurance
List archive
- From: "Jones, Mark B" <>
- To: "" <>
- Subject: RE: [Assurance] Silver assurance and process compliance
- Date: Fri, 23 Mar 2012 15:55:45 -0500
- Accept-language: en-US
- Acceptlanguage: en-US
I’m not sure if InCommon has similar documents or not, but considering Silver is intended to satisfy ICAM level 2 I would assume that the formal advice you are looking for can be found in NIST 800-63. As far as risk… I’m not sure if this was exactly what you are asking about, but OMB M-04-04 has a section that deals with “Assurance Levels and Risk Assessments”. From: [mailto:] On Behalf Of Eric Goodman This is a question that I ask on various lists periodically, but as we're beginning to come out with "cookbooks" for the technical implementatoins, I'm wondering if we can perhaps get some more detailed insight from "ahead of the curve" campuses. Do we have any formal advice as to what level of rigor is required to meet the process-based elements of assurance? By process-based, I mean those that aren't (inherently) technology driven, such as processes for delivery of passwords to individuals, phone or email based help desk password resets or defining assurance for pre-existing hires. The typical answer I get to this question is "it's a risk assessment that should be worked out with your auditor", but I'm still looking for some objective measure to base those assessments on. For example, assuming a strong identity vetting process is completed for all new employees (e.g., I-9 processing in the US), which of these methods for actually delivering credentials to our new employees provide acceptable ("recommended"? "advisable"?) levels of rigor for meeting the NIST LoA2 requirements:
I can make arguments in support of each of these methods, and even though some are clearly (or arguably) better than others, I imagine I could convince some auditors or executives of any of them depending on how they interpret the actual risk involved. I naturally lean towards the more rigorous methods, but to argue for money to be spent to meet a specific target, I'd like to have a sense of how each "reasonably" meets the LoA2 requirements. Perhaps another view on this question is, has anyone put together an overview of what the liabilities are of claiming compliance and then having a breach that was due to lack of sufficient IdP practices (as compared to user misconduct)? Thanks in advance, --- Eric Eric Goodman UC Santa Cruz |
- [Assurance] Silver assurance and process compliance, Eric Goodman, 03/19/2012
- RE: [Assurance] Silver assurance and process compliance, Roy, Nicholas S, 03/22/2012
- RE: [Assurance] Silver assurance and process compliance, Jones, Mark B, 03/23/2012
- Re: [Assurance] Silver assurance and process compliance, Eric Goodman, 03/26/2012
- Re: [Assurance] Silver assurance and process compliance, Tom Scavo, 03/26/2012
- RE: [Assurance] Silver assurance and process compliance, Roy, Nicholas S, 03/29/2012
- RE: [Assurance] Silver assurance and process compliance, Jones, Mark B, 03/26/2012
- Re: [Assurance] Silver assurance and process compliance, Ann West, 03/30/2012
- Re: [Assurance] Silver assurance and process compliance, Tom Scavo, 03/26/2012
- Re: [Assurance] Silver assurance and process compliance, Eric Goodman, 03/26/2012
Archive powered by MHonArc 2.6.16.