- From: Benn Oshrin <>
- To:
- Subject: [Assurance] Clarification on §4.2.1.2.2 (Notification to InCommon)
- Date: Tue, 22 Oct 2013 15:56:03 -0400
Hi all,
I just wanted to get some clarification around this language:
§4.2.1.2.2 "The IdPO must report to InCommon any breach of security or integrity of its IdMS Operations that may affect the status of its compliance and hence its qualification under this IAP. A report must be made as soon as practicable after any such incident is noted."
This presumably applies at a macro level and not, say, if a few users are compromised due to phishing and the credentials or IAQs for them are revoked (as per §4.2.4.2).
Now let's say a major compromise happens, e.g. all credentials are compromised due to a password sniffer being placed on a secure part of the network. The IdPO immediately (within 72 hours, as per §4.2.4.2) disables all IAQ assertions. Does notification still need to happen as per §4.2.1.2.2? Note that technically the IdPO may still be compliant with the IAPs. Does it matter if, say, all credentials are immediately reset vs. a decision being made to stagger resets over the course of a week or two? (The latter being not compliant with §4.2.4.2.)
If notification is required, and if notification is not required when just a few users are compromised (as may happen on a daily basis), where is the threshold for when notification is required?
Thanks,
-Benn-