I'd love to get their thoughts about the remote proofing approaches on the I2 wikispaces - I talked a bit with Chad Sharp from Iowa and Steve Kurncz from MSU about this, but they had mentioned the possibility of getting some more detailed feedback at their upcoming meeting.
1. Remote identity proofing -- from Nick Roy of Iowa -- as far as I can tell institutions are not able to do remote identity proofing as described in the IAP (checking a combination of government ID numbers and financial account numbers obtained through credit bureaus or similar databases). Two alternate methods have been proposed: a) the person to be verified can appear in person with the appropriate documents and a form and have the verification confirmed by a notary public near where they live; the notarized form would serve as proof of the verification event; b) the identity documents could be verified remotely using some kind of videoconferencing technology. See Remote-Proofing Approaches.
Do the auditors think either or both of these methods can be asserted as equivalent to the approach the IAP describes? What are the issues?
2. Strong password authentication -- a question came up on one of the documentation group's calls as to whether an institution can legitimately claim to be in compliance via strong password authentication (described in 4.2.3.3 of v. 1.2 of the IAP) when we cannot technically force non-IdP applications always to use protected channels as required in 4.2.3.6. With regard to 4.2.3.6, the discussion has always centered around the idea of presenting institutional policy requirements for non-IdP applications as mitigating controls. But many of us are uncomfortable with that concept as we do not have much in the way of enforcement authority for our policies. I am wondering what the auditors think about this -- what would policies and enforcement mechanisms that legitimately constitute equivalent controls look like? How would we document this for the audit, and how would the auditor go about evaluating it?
3. Multi-factor authentication -- a number of institutions plan to pursue certification based on multi-factor authentication technology, as did Virginia Tech. Since compliance via multi-factor is not described in the IAP, how do we go about documenting that our particular flavor of multi-factor is equivalently strong, and how will the auditor evaluate our management assertions?
4. Do the auditors have guidelines or suggestions as to how we should prepare our submission to facilitate the auditor's job, and to include the right amount of information? From time to time we've had auditors or people with audit experience on our conference calls talk about including just enough information to meet the scope of whatever factor we're writing our assertion for. It reminds me of things our general counsel's office has said from time to time -- if you include too much information you have a risk of inadvertently expanding the scope.