Assurance

[Benn Oshrin <>]

Hi all,

I just wanted to get some clarification around this language:

§4.2.1.2.2 "The IdPO must report to InCommon any breach of security or 
integrity of its IdMS Operations that may affect the status of its 
compliance and hence its qualification under this IAP. A report must be 
made as soon as practicable after any such incident is noted."

This presumably applies at a macro-level and not, say, if a few users 
are compromised due to phishing and credentials or IAQs for them revoked 
(as per §4.2.4.2).

Now let's say a major compromise happens, eg all credentials are 
compromised due to a password sniffer being placed on a secure part of 
the network. The IdPO immediately (within 72 hours, as per §4.2.4.2) 
disables all IAQ assertion. Does notification still need to happen as 
per §4.2.1.2.2? Note that technically the IdPO may still be compliant 
with the IAPs. Does it matter if, say, all credentials are immediately 
reset vs a decision being made to stagger resets over the course of a 
week or two? (The latter being not compliant with §4.2.4.2.)

If notification is required, and if notification is not required when 
just a few users are compromised (as may happen on a daily basis), where 
is the threshold for when notification is required?

Thanks,

-Benn-