...
Virginia Polytechnic Institute and State University is a legal entity that is an InCommon Participant in good standing, and has the organizational structures and processes to comply with the provisions of this IAP.
Evidence of
...
Compliance:
InCommon Participation Agreement, Participant Operational Practices, and PO number for most current membership payment. Virginia Tech's InCommon Administrative contacts acknowledged and agreed to perform their responsibilities to comply with this section of the IAP. IT organizational documentation at www.it.vt.edu.
...
Virginia Tech asserts that identity proofing in this IAP is based on a government issued ID and that information verified at the time of employment is used to create a record for the Subject in Virginia Tech's Identity Management System.
Evidence of
...
Compliance:
The Token Administration System is documented in a TAS User Guide, to which the auditors were given access. Requirements for RA administrators, who access TAS using a Silver-level eToken, are documented in the Virginia Tech User CA Certification Practice Statement. Since we based the registration on an existing relationship with the university, we consulted with HR, payroll, and the Bursar's office, and then provided the auditors with documentation of the procedures used to verify a person's identity during the hiring process. The auditor observed the TAS registration procedures by obtaining a Virginia Tech eToken from the RA Administrators in the Student Network Services office.
...
The Virginia Tech User Certification Authority issues an X.509 personal digital certificate (PDC) onto a SafeNet 64K USB eToken Pro device. The eToken is activated using a password. Public-private key exchange (client SSL) is used to perform authentication. This is not a typical "Shared Authentication Secret" form of Identity Credential, but the institution asserts that this multi-factor credential meets or exceeds the requirements of the IAP. Additional guidance is provided in NIST 800-63.
Evidence of
...
Compliance:
See Sample Management Assertions under multi-factor Excample 2 at the CIC Multi-factor Working Group page.
...
The authentication Credential is bound to the physical Subject and to the IdMS record pertaining to the Subject.
...
Evidence of Compliance:
...
The authentication credential is bound to the Subject during credential issuance according to procedures that are described in the Virginia Tech User Certification Authority CPS. These procedures are carried out by the RA and CA Administrators who use TAS to register the subjects and issue certificates onto eTokens. The process requires the RAA to verify the person's identity in person, comparing information from the required government-issued photo IDs with information in the IdMS and comparing the photo with the pysical appearance of the Subject. Unique attributes associated with the Subject in the IdMS are included in the X.509 certificate. Revocation requests are taken by the Help desk and offices that issue eTokens. The revoked certificate serial numbers are included in the CRL, which is published at least once every 24 hours. Certificates are issued for a period of two years, and upon expiration or revocation, the Subject must appear in person to receive a new public-private key pair and certificate using the same procedures as for initial personal digital certificate issuance on the eToken. The tAS audit logs (records of issuance & revocation) and archives are retained for three years. Auditors confirmed compliance by observing the credential issuance process.
...
Virginia Tech's IdP authentication implementation allows the Subject to interact with the IdP in a manner that proves he or she is the holder of a Credential, thus enabling the subsequent issuance of Assertions.
...
Evidence of Compliance:
...
CAS is the authentication handler for Virginia Tech's Shibboleth implementation. CAS contains functionality to resist replay attacks. SSL provides secure communication and resistance to eavesdropper attacks. Proof of possession is provided via the requirement for the user to possess a hardware eToken whose private key can only be unlocked using a password which is known only to the Subject. The CAS protocol specification requires entropy in session ids and cryptographic techniques to ensure that sessioins are at least as resistant to attach as initial authentication. The risk of sharing credentials is mitigated by the requirement for the Subject to use two-factor authentication. The Subject is required to read and digitally sign that he/she will comply with the eToken Usage Agreement before the device is given to the Subject.
...
The eToken PDCs have a validity period of two years from the date of issuance. The PDC Usage Agreement requires eTokens to be returned at the end of employment or enrollment, and employee Separation Notice assigns departmental responsibility for collecting them. Supervisors are instructed to return any eTokens they collect to the nearest eToken issuance location, where the certificates will be revoked. (See PDC FAQ.)The certificate revocation list is checked during CAS authentication, and authentication is denied if the certificate has been revoked.
...
Evidence of Compliance:
...
To enroll for an eToken PDC, the Subject presents all required credentials (including a valid current government-issued photo ID containing the subject's full name, date of birth, picture, and either an address or nationality) to the TAS operator. If the Subject proves to be eligible for a Silver PDC,TAS issues PDC on eToken with the "medium silver" Object Identifier (OID) as defined in the Virginia Tech User CPS. All other eToken PDCs are issued with "medium bronze" OID. Users wishing to access services that require the InCommon Bronze or Silver profile must authenticate to CAS using the eToken PDC. At authentication time, the CAS login handler recognizes the "medium silver" or "medium bronze" OID in the PDC, and passes information to Shibboleth that is used to determine if this person has authenticated with a credential that meets the Silver or Bronze profile. If the person qualifies, the Shibboleth IdP will then assert the applicable "silver" or "bronze" IAQ for this person to the SP. The SP will use InCommon metadata associated with the Virginia Tech entity id to determine whether or not Virginia Tech is certified to assert Bronze and/or Silver.
...
Gap Analysis:
Management Assertion:
Evidence of Compliance:
...
info coming soon
Did you use Alternative Means? If yes, describe briefly the process.
...
Gap Analysis:
Management Assertion:
Evidence of Compliance:
...
What did the auditors do during the audit?
...
Gap Analysis:
Management Assertion:
Evidence of Compliance:
...
Provide any lessons learned for those just starting.
...