...
Action item (identify section and sub-section) | Who (Univ. unit) | Type (documentation, infrastructure, procedure, Token Administration System) | Effort (Major, moderate, minor, complete) |
|---|---|---|---|
4.2.2.3 Registration Records – the record of the facts of registration needs to be modified to include issuer of document; i.e., Drivers license is currently recorded. The issuer (State/country of issuance) is not captured. | SETI SIES, SNS, Software Dist. | TAS or procedure | Minor if issuer is entered in existing comment field by TAS operator; moderate if TAS is modified to enforce entry of issuer. Resolution: Change TAS, providing all acceptable document types in pulldown menus, and to require entry of the issuer. |
4.2.2.4 Identity Proofing – Details about payroll and departmental procedures and documentation are unknown, so it is possible that changes could be required to meet the IAP. If graduate students who are not employees remain eligible for Silver LoA PDCs, it might be necessary to review initial identity proofing procedures for them. | Meet with representatives from Payroll and HR to determine procedures. | Documentation, procedure | minor if documentation exists and procedures do not need to change. Resolution: documentation exists for payroll, HR, I-9 hiring procedures. No changes to procedures required. |
4.2.2.4.1 Existing relationship - TAS should record the person’s eligible affiliation(s) at the time the certificate was issued. | SETI SIES | TAS | minor |
4.2.2.4.2 In-Person proofing - determine if any changes are needed based on conversations addressing 4.2.2.4. Item 3 under 4.2.2.4.2 is N/A. We will require that addresses match. Update October 27, 2011 - Since the only government issued photo ID that contains an address seems to be the driver's license, we will ensure we have a process for address confirmation according to one of the options in 4.2.2.5 | Project leads, SETI SIES if TAS changes are needed. | Documentation, procedure, TAS, Enterprise Directory | moderate |
4.2.2.5 Address of record confirmation - need to add this to TAS registration process. | SETI Middleware, SIES; IMS, TAS RAAs ED | , IMS SMS to phone web app TAS | Moderate |
...
Did you use Alternative Means? If yes, describe briefly the process.
Virginia Tech used alternative means for the Credential Technology, IAP section 4.2.3. Virginia Tech's credential is a personal digital certificate (PDC) stored on the multi-factor SafeNet 64K USB eToken PRO deviceand eToken 5100 devices. The Shared Authentication Secret is the Private Key component of the X.509 certificate. The Private Key is generated onboard the eToken, and cannot be exported off the device. Access to the Private Key is activated using a password that meets the requirements for "strong" resistance to guessing Authentication Secrets outlined in section 4.2.3.3. Virginia Tech asserts that the PDC on the eToken meets or exceeds the criteria outlined in section 4.2.3.
The process for submitting for certification using this alternative means first involved providing the auditor with evidence that the SafeNet 64K USB eToken PRO SafeNet eToken device would meet or exceed each of the criteria in IAP section 4.2.3. Details supporting our assertion are provided under Sample Management Assertions at the CIC Multi-factor Working Group page.
The initial audit report contained a description of the eToken solution and an opinion that Virginia Tech met the criteria in Section 4 of the IAP. After receiving the report, the InCommon Assurance Advisory Committee (AAC) asked questions about our alternative means. Mary Dunker participated in a conference call with the AAC to answer their questions, and followed up with answers in writing. Ultimately, the following information was included in the audit summary.
...