...
Contact and Profile Information
Name of Organization: Virginia Tech
...
Profile(s), Version and Method of Determination(s) of Conformance:
__ Bronze 1.2 - Representation of Conformance
_x_ Bronze (1.1) - Audited
_x_ Silver (1.1) - Audited
Certification Date: September 10, 2012
...
Why is Assurance important to your organization? Include the service providers with which you'd like to federate under this Program.
...
Action item (identify section and sub-section) | Who (Univ. unit) | Type (documentation, infrastructure, procedure, Token Administration System) | Effort (Major, moderate, minor, complete) |
---|---|---|---|
4.2.2.3 Registration Records – The record of the facts of registration needs to be modified to include the issuer of the identity document; e.g., a driver's license is currently recorded, but the issuer (state/country of issuance) is not captured. | SETI SIES, SNS, Software Dist. | TAS or procedure | Minor if the issuer is entered in the existing comment field by the TAS operator; moderate if TAS is modified to enforce entry of the issuer. Resolution: Change TAS to offer all acceptable document types in pulldown menus and to require entry of the issuer. |
4.2.2.4 Identity Proofing – Details about payroll and departmental procedures and documentation are unknown, so it is possible that changes could be required to meet the IAP. If graduate students who are not employees remain eligible for Silver LoA PDCs, it might be necessary to review initial identity proofing procedures for them. | Meet with representatives from Payroll and HR to determine procedures. | Documentation, procedure | minor if documentation exists and procedures do not need to change. Resolution: documentation exists for payroll, HR, I-9 hiring procedures. No changes to procedures required. |
4.2.2.4.1 Existing relationship - TAS should record the person’s eligible affiliation(s) at the time the certificate was issued. | SETI SIES | TAS | minor |
4.2.2.4.2 In-Person Proofing – Determine whether any changes are needed based on the conversations addressing 4.2.2.4. Item 3 under 4.2.2.4.2 is N/A. We will require that addresses match. Update October 27, 2011 – Since the only government-issued photo ID that contains an address appears to be the driver's license, we will ensure we have a process for address confirmation according to one of the options in 4.2.2.5. | Project leads; SETI SIES if TAS changes are needed. | Documentation, procedure, TAS, Enterprise Directory | Moderate |
4.2.2.5 Address of Record Confirmation – Need to add this to the TAS registration process. | SETI Middleware, SIES; IMS; TAS RAAs; ED | IMS SMS-to-phone web app, TAS | Moderate |
Management Assertion
Virginia Tech asserts that identity proofing in this IAP is based on a government issued ID and that information verified at the time of employment is used to create a record for the Subject in Virginia Tech's Identity Management System.
...
Action item (identify section and sub-section) | Who (Univ. unit) | Type (documentation, infrastructure, procedure, Token Administration System) | Effort (Major, moderate, minor, complete) |
---|---|---|---|
4.2.3 Credential Technology – This section does not apply to multifactor credentials. Documentation will be produced to show how Virginia Tech’s credential technology meets or exceeds IAP requirements. Where guidance is needed, we will refer to NIST 800-63. | IMS, SETI | Documentation | moderate |
Management Assertion
The Virginia Tech User Certification Authority issues an X.509 personal digital certificate (PDC) onto a SafeNet 64K USB eToken PRO device. The eToken is activated using a password. Authentication is performed by TLS client-certificate authentication (client SSL): the token's private key signs the handshake and the server verifies the signature against the certificate. This is not a typical "Shared Authentication Secret" form of Identity Credential, but the institution asserts that this multi-factor credential meets or exceeds the requirements of the IAP. Additional guidance is provided in NIST 800-63.
Evidence of Compliance
See Sample Management Assertions under Multi-factor Example 2 at the CIC Multi-factor Working Group page.
...
Action item (identify section and sub-section) | Who (Univ. unit) | Type (documentation, infrastructure, procedure, Token Administration System) | Effort (Major, moderate, minor, complete) |
---|---|---|---|
4.2.4.2 Credential Revocation or Expiration – Item #1 specifies that the IdPO shall revoke Credentials or Tokens within 72 hours of being notified that a credential is invalid or compromised. We must document this in the CPS and publish and enforce the corresponding procedures. | SIES for draft language, PMA for approval | Documentation, procedure | Minor |
4.2.4.4 Credential Issuance Records Retention – The IdPO shall retain records of credential issuance and revocation for a minimum of 180 days beyond expiration of the credential. The VT User CPS states that the VTCA retains audit logs for 1 year. | PMA, SIES | Documentation, infrastructure, TAS | Minor |
Management Assertion
The authentication Credential is bound to the physical Subject and to the IdMS record pertaining to the Subject.
...
Did you use Alternative Means? If yes, describe briefly the process.
Virginia Tech used alternative means for the Credential Technology, IAP section 4.2.3. Virginia Tech's credential is a personal digital certificate (PDC) stored on a multi-factor SafeNet 64K USB eToken PRO device or eToken 5100 device. The Shared Authentication Secret is the private key corresponding to the public key in the X.509 certificate. The private key is generated on board the eToken and cannot be exported off the device. Access to the private key is activated using a password that meets the requirements for "strong" resistance to guessing Authentication Secrets outlined in section 4.2.3.3. Virginia Tech asserts that the PDC on the eToken meets or exceeds the criteria outlined in section 4.2.3.
The process for submitting for certification using this alternative means first involved providing the auditor with evidence that the SafeNet 64K USB eToken PRO device would meet or exceed each of the criteria in IAP section 4.2.3. Details supporting our assertion are provided under Sample Management Assertions at the CIC Multi-factor Working Group page.
The initial audit report contained a description of the eToken solution and an opinion that Virginia Tech met the criteria in Section 4 of the IAP. After receiving the report, the InCommon Assurance Advisory Committee (AAC) asked questions about our alternative means. Mary Dunker participated in a conference call with the AAC to answer their questions, and followed up with answers in writing. Ultimately, the following information was included in the audit summary.
...