The process for submitting for certification using this alternative means first involved providing the auditor with evidence that the SafeNet 64K USB eToken PRO device would meet or exceed each of the criteria in IAP section 4.2.3. Details supporting our assertion are provided in the CIC Multi-factor Working Group page.
The initial audit report contained a description of the eToken solution and an opinion that Virginia Tech met the criteria in Section 4 of the IAP. After receiving the report, the InCommon Assurance Advisory Committee (AAC) asked questions about our alternative means. Mary participated in a conference call with the AAC to answer their questions, and followed up with answers in writing. Ultimately, the following information was included in the audit summary.
- Explicit Management Assertion that the multi-factor alternative meets or exceeds the effect of the requirements in section 4.2.3 of the IAP.
- Description of the basis on which management is making that assertion.
- Auditor's explicit concurrence and positive attestation to management's assertion that the multifactor alternative meets or exceeds the effect of the requirements in 4.2.3.