InCommon IAP and Information Security Guide – a Cross Reference updated for IAP v1.2 and ISO 27002:2013
Link to InCommon Identity Assurance Profiles Bronze and Silver v1.2
Link to HEISC Information Security Guide
| 4.2 Specification of Identity Assurance Requirements | Applicable Topics in the Information Security Guide |
|---|---|
| 4.2.1 Business, Policy and Operational Criteria | ISO 6: Organization of information security |
| .1 InCommon Participant | ISO 18: Compliance |
| .2 Notification to InCommon | ISO 18: Compliance |
| .3 Continuing Compliance | ISO 18: Compliance |
| 4.2.2 Registration and Identity Proofing | ISO 7: Human resource security |
| .1 RA authentication | ISO 9.2: User access management |
| .2 Identity verification process | ISO 9.2: User access management |
| .3 Registration records | ISO 9.1: Business requirements for access control |
| .4 Identity proofing | ISO 9.2: User access management; ISO 7.1: Prior to employment |
| .4.1 Existing relationship | ISO 9.2: User access management; ISO 7.1: Prior to employment |
| .4.2 In-person proofing | ISO 9.2: User access management; ISO 7.1: Prior to employment |
| .4.3 Remote proofing | ISO 9.2: User access management; ISO 7.1: Prior to employment |
| .5 Address of Record confirmation | ISO 9.2: User access management; ISO 7.1: Prior to employment |
| 4.2.3 Credential Technology | ISO 9: Access control |
| Criteria | |
| .1 Credential unique identifier | ISO 9.2: User access management |
| .2 Resistance to guessing Authentication Secret | ISO 9.4: System and application access control |
| .3 Strong resistance to guessing Authentication Secret | ISO 9.4: System and application access control |
| .4 Stored Authentication Secrets | ISO 10: Cryptography |
| .5 Protected Authentication Secrets | ISO 10: Cryptography |
| 4.2.4 Credential Issuance and Management | ISO 9: Access control |
| .1 Credential issuance process | ISO 9.2.1: User registration and de-registration (9.2 User access management) |
| .2 Credential revocation or expiration | ISO 9.2.1: User registration and de-registration |
| .3 Credential renewal or re-issuance | ISO 9.2: User access management |
| .4 Retention of Credential issuance records | |
| 4.2.5 Authentication Process | ISO 9: Access control |
| Criteria | |
| .1 Resist replay attack | ISO 14.1.3: Protecting application services transactions (14.1 Security requirements of information systems) |
| .2 Resist eavesdropper attack | ISO 12.2: Protection from malware |
| .3 Secure communication | ISO 14.1.3: Protecting application services transactions (14.1 Security requirements of information systems) |
| .4 Proof of Possession | ISO 14.1: Security requirements of information systems |
| .5 Session authentication (resist session hijacking threat) | ISO 14.1: Security requirements of information systems |
| .6 Mitigate risk of sharing Credentials (credential compromise) | ISO 5: Security policies |
| 4.2.6 Identity Information Management | |
| Criteria | |
| .1 Identity record qualification | |
| 4.2.7 Assertion Content | |
| Criteria | |
| .1 Identity Attributes | |
| .2 Identity Assertion Qualifier | |
| .3 Cryptographic security | ISO 10: Cryptography |
| 4.2.8 Technical Environment | ISO 11: Physical and environmental security |
| Criteria | |
| .1 Software maintenance | ISO 12.6.1: Management of technical vulnerabilities (12.6 Technical vulnerability management) |
| .2 Network security | ISO 13.1.1: Network controls (13.1 Network security management) |
| .3 Physical security | ISO 11: Physical and environmental security |
| .4 Reliable operations | ISO 12.4: 1 Operational procedures and responsibilities |
...