Proposed text from Kyle Lewis:

Appendix A: Local enterprise -- Good enough for internal critical systems

Some of the components in section 2 define an assurance level implicitly by a statement that the level of assurance is good enough for accessing the Home Organisation’s internal critical systems. This relies on the assumption that if the Home Organisation deems the assurance level good enough for accessing critically important internal systems locally in the Home Organisation, the assurance level may be good enough for accessing some external resources, too. It is assumed that the Home Organisation has made a risk based decision on what exactly are the assurance level requirements for those accounts.

Home Organisations may have several internal systems with varying assurance level requirements. The local-enterprise tag is not appropriate for low levels of assurance granted for people limited in access to non-critical IT systems. It is assumed that the Home Organisation’s internal systems referred to here systems which contain information such that if the information were to be compromised, then it would cause grave harm to the organisation. Such systems would include:

• The ones that deal with money (for instance, travel expense management systems or invoice circulation systems)
• The ones that deal with some employment-related personal data (for instance, employee self-service interfaces provided by the Human Resources systems)
• The ones that deal with student information (for instance, administrative access to the student information system)

It is not required that the user account for whom the institution signals “local-enterprise” necessarily has access to these critical systems. This signal states that the institution has enacted the same or greater level of identity proofing process on that individual prior to issuing the network credential as the institution enacted for its members which have access to critical systems.