Draft Minutes: Assurance Implementers Call of 9-Jan-2013
Attending
Ann West, InCommon/Internet2
Mary Dunker, Virginia Tech
Karen Harrington, Virginia Tech
Jim Green, Michigan State University
Mark Jones, UT Houston
Susan Neitsch, Texas A&M
David Walker, Independent
David Bantz, University of Alaska
Benn Oshrin, Internet2
Michael Brogan, U. Washington
Steven Carmody, Brown
Chris Spadanuda, U-W Milwaukee
Mark Rank, U-W Milwaukee
Thomas Callaci, U-W Madison
Shreya Kumar, Michigan Tech University
David Langenberg, University of Chicago
Ron Thielen, University of Chicago
Mary Murphy, University of Chicago
Eric Goodman, UCSC
Emily Eisbruch, Internet2, scribe
DISCUSSION
FICAM Process
There was a call with FICAM in late December to discuss version 1.2 and another call will take place this afternoon. Important topics are criteria for Alternative Means and a process for publishing approved Alternative Means for the community. The goal is that once an Alternative Means is approved, it in effect becomes part of the spec, so another campus could also use the approved alternative approach.
Most likely we will be on track for FICAM approval in January. There will then be an opportunity for public review of the spec. Then it will be reviewed by Assurance Advisory Committee (AAC) and recommended to InCommon Steering for approval.
Review of Virginia Tech Implementation Example Draft
https://spaces.at.internet2.edu/x/MwAlAg
Mary Dunker has been developing a Virginia Tech Implementation example, based on a template available on the wiki. The goal is to share the Virginia Tech experience getting bronze and silver certification so that other campuses can benefit from this information during their own process.
...
The implementation example uses the gap analysis template available on the assurance wiki: https://spaces.at.internet2.edu/display/InCAssurance/Wiki+page+template+for+gap+analysis%2C+IAP+1.2+%28pending+approval%29
The management assertions are close to verbatim from what Virginia Tech gave to the auditors. However, the "Evidence of Compliance" sections are summaries, since there was so much detail in that area.
Comments on the VA Tech Implementation Example
Q: Did VA Tech use the Silver Assessment Report Template that is linked from the Assurance wiki Toolkits page: https://spaces.at.internet2.edu/display/InCAssurance/Assurance+Implementation+Toolkits
A: No. The VA Tech internal audit department had their own format. They were encouraged to look at the template.
...
Comment: in the gap analysis table, it would be helpful to give more information on what was done to address each gap.
Password Entropy Calculators
There have been requests for an InCommon Assurance Password Entropy Calculator tool. A couple of existing 800-63 calculators can be found at https://spaces.at.internet2.edu/x/RQAlAg
Do we want to develop a tool specifically for Bronze and Silver?
Thomas Callaci from UW-Madison spoke about the tool he's developed:
Tom stated that his first goal in developing the tool was to see if he could do the calculations according to NIST 800-63 for LOA1 or LOA2. His tool succeeded in that. Once more people started using the tool, Tom improved the user interface. The UI could probably use additional improvement.
...
We may need to continue the discussion on the list in order to decide if developing a bronze/silver Password Entropy Tool is a worthwhile project.
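For reference, the calculation such a tool performs is the length-based estimate in NIST SP 800-63 Appendix A for user-chosen passwords. The Python below is an added illustration for these minutes; it is not the UW-Madison tool discussed on the call, nor any InCommon deliverable. The per-position values (4 bits for the first character, 2 bits each for characters 2 through 8, 1.5 bits each for 9 through 20, 1 bit each beyond) are Appendix A's own; the exact shape of the dictionary-check and composition-rule bonuses below is this example's reading of the text and is marked as an assumption in the code. The policy class, the function names and the sample dictionary are constructed for the example.

```python
"""Estimate of user-chosen password guessing entropy, following NIST SP 800-63
Appendix A. Added illustration, not the tool discussed on the call."""
import math
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PasswordPolicy:
    """A password policy as the Appendix A method sees it (constructed type)."""
    min_length: int
    composition_rule: bool = False   # requires upper-case AND non-alphabetic chars
    dictionary_check: bool = False   # rejects dictionary words / common passwords


# Constructed sample dictionary standing in for an "extensive dictionary check".
SAMPLE_DICTIONARY = {"password", "welcome", "letmein", "hokies", "changeme"}


def length_entropy_bits(length: int) -> float:
    """Appendix A per-position estimate: 4 bits for the first character,
    2 bits each for characters 2-8, 1.5 bits each for 9-20, 1 bit each after."""
    if length <= 0:
        return 0.0
    bits = 4.0
    bits += 2.0 * min(max(length - 1, 0), 7)
    bits += 1.5 * min(max(length - 8, 0), 12)
    bits += 1.0 * max(length - 20, 0)
    return bits


def dictionary_bonus_bits(length: int) -> float:
    """Up to 6 bits for an extensive dictionary check. Appendix A says the
    benefit declines to zero at 20 characters; the linear decline from 8 to 20
    characters used here is this example's reading of that text (assumption)."""
    if length <= 8:
        return 6.0
    return max(0.0, 6.0 - 0.5 * (length - 8))


def composition_bonus_bits(length: int) -> float:
    """Up to 6 bits for a rule requiring upper-case and non-alphabetic
    characters. Appendix A gives smaller values for very short passwords;
    this example applies the full 6 bits at any length (assumption)."""
    return 6.0


def _with_bonuses(bits: float, length: int, policy: PasswordPolicy) -> float:
    if policy.dictionary_check:
        bits += dictionary_bonus_bits(length)
    if policy.composition_rule:
        bits += composition_bonus_bits(length)
    return bits


def policy_minimum_entropy(policy: PasswordPolicy) -> float:
    """Entropy of the weakest password the policy accepts: the shortest
    allowed length, plus whatever bonuses the policy's rules earn."""
    return _with_bonuses(length_entropy_bits(policy.min_length),
                         policy.min_length, policy)


def password_complies(password: str, policy: PasswordPolicy) -> bool:
    """Apply the policy's rules to a candidate password."""
    if len(password) < policy.min_length:
        return False
    if policy.composition_rule:
        has_upper = any(c.isupper() for c in password)
        has_non_alpha = any(not c.isalpha() for c in password)
        if not (has_upper and has_non_alpha):
            return False
    if policy.dictionary_check and password.lower() in SAMPLE_DICTIONARY:
        return False
    return True


def estimate_password_entropy(password: str, policy: PasswordPolicy) -> Optional[float]:
    """Appendix A estimate for an accepted password; None if the policy rejects it."""
    if not password_complies(password, policy):
        return None
    return _with_bonuses(length_entropy_bits(len(password)), len(password), policy)


def random_password_entropy(alphabet_size: int, length: int) -> float:
    """For system-generated passwords Appendix A uses the full key space:
    length * log2(alphabet size), independent of the rules above."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for policy in (PasswordPolicy(8), PasswordPolicy(8, True, True),
                   PasswordPolicy(12, dictionary_check=True)):
        print(policy, "->", policy_minimum_entropy(policy), "bits")
    print("Go-Hokies1 under 8/comp/dict:",
          estimate_password_entropy("Go-Hokies1", PasswordPolicy(8, True, True)))
```

The point a campus calculator has to make visible is that Appendix A scores the policy, not the password the user actually typed: the weakest accepted password sets the number, so `policy_minimum_entropy` is the figure to compare against an assurance profile's requirement, and a long password only earns the 1.5-bit and 1-bit increments. The base-length progression above reproduces Appendix A's values; the bonus decline is the one labelled assumption and should be checked against the current text of the standard before being relied on.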
Next Call: Wed. 6-Feb-2013 at noon ET