Child pages
  • Assurance Implementation Example - Virginia Tech

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migration of unmigrated content due to installation of a new plugin

...

Profile(s), Version and Method of Determination(s) of Conformance:
_x_ Bronze (1.1) - Audited
_x_ Silver (1.1) - Audited

Certification Date: September 10, 2012

...

Why is Assurance important to your organization?  Include the service providers with which you'd like to federate under this Program.

...

Action item (identify section and sub-section)

Who (Univ. unit)

Type (documentation, infrastructure, procedure, Token Administration System)

Effort (Major, moderate, minor, complete)

4.2.2.3 Registration Records – the record of the facts of registration needs to be modified to include issuer of document; i.e., Drivers license is currently recorded. The issuer (State/country of issuance) is not captured.

SETI SIES, SNS, Software Dist.

TAS or procedure

Minor if issuer is entered in existing comment field by TAS operator; moderate if TAS is modified to enforce entry of issuer. Resolution:  Change TAS, providing all acceptable document types in pulldown menus, and to require entry of the issuer.

4.2.2.4 Identity Proofing – Details about payroll and departmental procedures and documentation are unknown, so it is possible that changes could be required to meet the IAP. If graduate students who are not employees remain eligible for Silver LoA PDCs, it might be necessary to review initial identity proofing procedures for them.

Meet with representatives from Payroll and HR to determine procedures.

Documentation, procedure

minor if documentation exists and procedures do not need to change. Resolution: documentation exists for payroll, HR, I-9 hiring procedures. No changes to procedures required.

4.2.2.4.1 Existing relationship - TAS should record the person’s eligible affiliation(s) at the time the certificate was issued.

SETI SIES

TAS

minor
Resolution: TAS was changed to record eligible affiliations.

4.2.2.4.2 In-Person proofing - determine if any changes are needed based on conversations addressing 4.2.2.4. Item 3 under 4.2.2.4.2 is N/A. We will require that addresses match. Update October 27, 2011 - Since the only government issued photo ID that contains an address seems to be the driver's license, we will ensure we have a process for address confirmation according to one of the options in 4.2.2.5

Project leads, SETI SIES if TAS changes are needed.

Documentation, procedure, TAS, Enterprise Directory

moderate
Resolution: TAS workflow, registration screens, and recording enhanced to ensure criteria met.

4.2.2.5 Address of record confirmation  - need to add this to TAS registration process.

SETI Middleware, SIES; IMS, TAS RAAs ED

, IMS SMS to phone web app TAS

Moderate
Resolution: electronic address verification added to workflow in TAS.

...

Action item (identify section and sub-section)

Who (Univ. unit)

Type (documentation, infrastructure, procedure, Token Administration System)

Effort (Major, moderate, minor, complete)

4.2.3 Credential Technology – This section does not apply to multifactor credentials. Documentation will be produced to show how Virginia Tech’s credential technology meets or exceeds IAP requirements. Where guidance is needed, we will refer to NIST 800-63.

IMS, SETI

Documentation

moderate
Resolution: See management assertion and evidence of compliance.

Management Assertion

The Virginia Tech User Certification Authority issues an X.509 personal digital certificate (PDC) onto a SafeNet 64K USB eToken Pro device. The eToken is activated using a password. Public-private key exchange (client SSL) is used to perform authentication. This is not a typical "Shared Authentication Secret" form of Identity Credential, but the institution asserts that this multi-factor credential meets or exceeds the requirements of the IAP. Additional guidance is provided in NIST 800-63.

...

Action item (identify section and sub-section)

Who (Univ. unit)

Type (documentation, infrastructure, procedure, Token Administration System)

Effort (Major, moderate, minor, complete)

4.2.4.2 Credential revocation or expiration – item #1 specifies the IdPO shall revoke Credentials or Tokens within 72 hours of being notified that a credential is invalid or compromised. We must document this in CPS and publish/enforce procedures.

SIES for draft language, PMA for approval

Documentation, procedure

minor
Resolution: CPS changed, administrators alerted.

4.2.4.4 Credential issuance records retention – IdPO shall retain records of credential issuance and revocation for minimum of 180 days beyond expiration of the credential. VT User CPS states VTCA retains audit logs for 1 year.

PMA, SIES

documentation, Infrastructure, TAS

minor
Resolution: CPS changed, Retention requirement communicated.

Management Assertion

The authentication Credential is bound to the physical Subject and to the IdMS record pertaining to the Subject. 

...

Did you use Alternative Means? If yes, describe briefly the process.

Virginia Tech used alternative means for the Credential Technology, IAP section  4.2.3. Virginia Tech's credential is a personal digital certificate (PDC) stored on the multi-factor SafeNet 64K USB eToken PRO deviceand eToken 5100 devices. The Shared Authentication Secret is the Private Key component of the X.509 certificate. The Private Key is generated onboard the eToken, and cannot be exported off the device. Access to the Private Key is activated using a password that meets the requirements for "strong" resistance to guessing Authentication Secrets outlined in section 4.2.3.3.  Virginia Tech asserts that the PDC on the eToken meets or exceeds the criteria outlined in section 4.2.3. 

The process for submitting for certification using this alternative means first involved providing the auditor with evidence that the SafeNet 64K USB eToken PRO SafeNet eToken device would meet or exceed each of the criteria in IAP section 4.2.3. Details supporting our assertion are provided under Sample Management Assertions at the CIC Multi-factor Working Group page. 

The initial audit report contained a description of the eToken solution and an opinion that Virginia Tech met the criteria in Section 4 of the IAP. After receiving the report, the InCommon Assurance Advisory Committee (AAC) asked questions about our alternative means. Mary Dunker participated in a conference call with the AAC to answer their questions, and followed up with answers in writing. Ultimately, the following information was included in the audit summary.

...