Child pages
  • Community Comments
Skip to end of metadata
Go to start of metadata

If you'd like to make a comment, please send it to the assurance list at assurance@incommon.org.

This page lists the community comments on v1.2 of the IAP and IAAF that were contributed in venues other than the assurance email list. 

Click on the column headings to sort.

#

Date

Doc

Who/When

What

Comments

1

April 18

IAAF

Audit Community Call

Line 484: Replace audit with engagement in first sentence of 4.2 Audit Process and Report

 

2

April 18

IAAF

Audit Community Call

Add IIA Standard to section 4.2 as an option as well.

The wording doesn't have to reflect all the standards available. The doc uses such as to allow for flexibility and enable schools to use other standards. However, the standard used must be included in the summary report sent to InCommon.

3

April 19

IAP

Community Call

Clarify that 4.2.5.6 refers to mitigating risk of end-user credential compromise

 

4

May 2

IAP

Community Call

Clarify 4.2.1.4 and intent

Confusion about the goal of this point. Continuous review (like ongoing data and related classification review) equiv to periodic review. Should we remove periodic? Is the goal to have the risk management processes and the infrastructure aligned (even if your risk management processes are lax) AND a neutral third party involved providing feedback? If no audit is involved (at any time, any where), but the IT org has internal controls, is that okay?

Suggested wording from Mark Rank:
The IdPO's Information Technology operations must align with the 
organizations's risk management objectives as demonstrated by a 
periodic review process or other equivalent control.

 

 

 

 

 

 

  • No labels