
InCommon IAP and Information Security Guide – a Cross Reference updated for ISO 27002:2013

Link to InCommon Identity Assurance Profiles Bronze and Silver
Link to Information Security Guide

| 4.2 Specification of Identity Assurance Requirements | Applicable Topics in the Information Security Guide |
|---|---|
| 4.2.1 Business, Policy and Operational Criteria. IdP Operators must have the organizational structures and processes to come into and remain in compliance with the provisions of this IAP. | ISO 6: Organization of Information Security |
| .1 InCommon Participant | |
| .2 Notification to InCommon | |
| .3 Continuing Compliance | ISO 18: Compliance |
| 4.2.2 Registration and Identity Proofing | ISO 7: Human Resources Security. Including pre-employment screening procedures in the Guide could help InCommon participants. Alternatively, the Guide might point to the IAP for identity proofing procedures for onboarding employees. ISO 9: Access Control. Page 59 of AACRAO Vol. 87 No. 3, "Establishing Remote Student Identity", would be a useful reference for the Guide; see the definitions from the AACRAO article at InCommon Assurance Remote Proofing Definitions and Concepts. |
| .1 RA authentication | |
| .2 Identity verification process | ISO 9.2: User Access Management |
| .3 Registration records | ISO 9.1: Business Requirements for Access Control; ISO 9.2: User Access Management |
| .4 Identity proofing | ISO 9.2: User Access Management |
| .4.1 Existing relationship | ISO 9.2: User Access Management |
| .4.2 In-person proofing | ISO 9.2: User Access Management |
| .4.3 Remote proofing | ISO 9.2: User Access Management |
| .5 Address of Record confirmation | ISO 9.2: User Access Management |
| 4.2.3 Credential Technology | ISO 9: Access Control; ISO 12: Operations Security ??; ISO 10: Cryptography |
| Criteria | |
| .1 Credential unique identifier | |
| .2 Resistance to guessing Authentication Secret | |
| .3 Strong resistance to guessing Authentication Secret | |
| .4 Stored Authentication Secrets | ISO 10: Cryptography |
| .5 Protected Authentication Secrets | ISO 10: Cryptography |
| 4.2.4 Credential Issuance and Management | |
| .1 Credential issuance process | |
| .2 Credential revocation or expiration | |
| .3 Credential renewal or re-issuance | |
| .4 Retention of Credential issuance records | |
| 4.2.5 Authentication Process | ISO 9: Access Control; ISO 14: System Acquisition, Development, and Maintenance |
| Criteria | |
| .1 Resist replay attack | ISO 14.1.3: Protecting application services transactions |
| .2 Resist eavesdropper attack | |
| .3 Secure communication | ISO 14.1.3: Protecting application services transactions |
| .4 Proof of Possession | |
| .5 Session authentication | ISO 11.5: Operating System Access Controls ?? |
| .6 Mitigate risk of sharing Credentials | ISO 5: Security Policies; ISO 9.3: User Responsibilities |
| 4.2.6 Identity Information Management | |
| Criteria | |
| .1 Identity record qualification | |
| 4.2.7 Assertion Content | |
| Criteria | |
| .1 Identity Attributes | |
| .2 Identity Assertion Qualifier | |
| .3 Cryptographic security | ISO 10: Cryptography |
| 4.2.8 Technical Environment | ISO 11: Physical and Environmental Security; ISO 12: Operations Security; ISO 13: Communications Security; ISO 16: Information Security Incident Management |
| Criteria | |
| .1 Software maintenance | ISO 12.6.1: Management of technical vulnerabilities |
| .2 Network security | ISO 13.1.1: Network controls |
| .3 Physical security | ISO 11: Physical and Environmental Security |
| .4 Reliable operations | ISO 12.4: Logging and monitoring; ISO 13.1.1: Network controls; ISO 16.1: Management of information security incidents and improvements |
