You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 6 Next »

InCommon IAP and Information Security Guide – a Cross Reference updated for ISO 27002:2013

Link to InCommon Identity Assurance Profiles Bronze and Silver
Link to Information Security Guide

4.2 Specification of Identity Assurance Requirements

Applicable Topics in the Information Security Guide

4.2.1 Business, Policy and Operational Criteria
IdP Operators must have the organizational structures and processes to come into and remain in compliance with the provisions of this IAP.

ISO 6: Organization of Information Security

.1  InCommon Participant.

 

.2  Notification to InCommon

 

.3  Continuing Compliance

ISO 18: Compliance

4.2.2 Registration and Identity Proofing

ISO 7: Human resources Security.
Including pre-employment screening procedures ion the Guide could help InCommon participants. Alternatively, the Guide might point to the IAP for identity proofing procedures for onboarding employees.

ISO 9: Access control

Page 59 of AACRAO Vol. 87 No. 3: Establishing Remote Student Identity would be a useful reference for the Guide. See definitions from the AACRAO article at InCommon Assurance Remote Proofing Definitions and Concepts

.1  RA authentication

 

.2  Identity verification process

ISO 9.2: User Access Management

.3  Registration records

ISO 9.1 Business Requirements for Access Control
ISO 9.2: User Access Management

.4  Identity proofing

ISO 9.2: User Access Management

.4.1  Existing relationship

ISO 9.2: User Access Management

.4.2  In-person proofing

ISO 9.2: User Access Management

.4.3  Remote proofing

ISO 9.2: User Access Management

.5.  Address of Record confirmation

ISO 9.2: User Access Management

4.2.3 Credential Technology

ISO 12: Operations Security ??
ISO 10: Cryptography

Criteria

 

.1  Credential unique identifier

 

.2  Resistance to guessing Authentication Secret

 

.3  Strong resistance to guessing Authentication Secret

 

.4  Stored Authentication Secrets

ISO 10: Cryptography

.5  Protected Authentication Secrets

ISO 10: Cryptography

4.2.4 Credential Issuance and Management

 

 

 

.1  Credential issuance process

 

.2  Credential revocation or expiration

 

.3  Credential renewal or re-issuance

 

.4  Retention of Credential issuance records

 

4.2.5 Authentication Process

ISO 9: Access Control

Criteria

 

.1  Resist replay attack

 

.2  Resist eavesdropper attack

 

.3  Secure communication

ISO 11.4 Network access Control??

.4  Proof of Possession

 

.5  Session authentication

ISO 11.5 Operating System Access Controls??

.6 Mitigate risk of sharing Credentials

ISO 5: Security Policies
ISO 9.3: User Responsibilities

4.2.6 Identity Information Management

 

Criteria

 

.1  Identity record qualification

 

4.2.7 Assertion Content

 

Criteria

 

.1  Identity Attributes

 

.2  Identity Assertion Qualifier

 

.3  Cryptographic security

ISO 10: Cryptography

4.2.8 Technical Environment

ISO 11: Physical and Environmental Security
ISO 12: Operational Security
ISO 13: Communications Security

Criteria

 

.1  Software maintenance

ISO 12.6: Technical Vulnerability Management??

.2  Network security

ISO 10.6: Network Security Management??

.3  Physical security

ISO 11: Physical and Environmental Security

.4  Reliable operations

ISO 12: Operations Security
ISO 10.10 Systems Monitoring??


  • No labels