
If you'd like to make a comment, please send it to the assurance list at

This page lists the community comments on v1.2 of the IAP and IAAF that were contributed in venues other than the assurance email list. 









April 18


Audit Community Call

Line 484: Replace audit with engagement in first sentence of 4.2 Audit Process and Report



April 18


Audit Community Call

Add IIA Standard to section 4.2 as an option as well.

The wording doesn't have to reflect all the standards available. The doc uses "such as" to allow for flexibility and enable schools to use other standards. However, the standard used must be included in the summary report sent to InCommon.


April 19


Community Call

Clarify that refers to mitigating risk of end-user credential compromise



May 2


Community Call

Clarify and intent

Confusion about the goal of this point. Continuous review (like ongoing data and related classification review) equivalent to periodic review. Should we remove periodic? Is the goal to have the risk management processes and the infrastructure aligned (even if your risk management processes are lax) AND a neutral third party involved providing feedback? If no audit is involved (at any time, anywhere), but the IT org has internal controls, is that okay?

Suggested wording from Mark Rank:
The IdPO's Information Technology operations must align with the 
organization's risk management objectives as demonstrated by a 
periodic review process or other equivalent control.






