If you'd like to make a comment, please send it to the assurance list at assurance@incommon.org.

This page lists the community comments on v1.2 of the IAP and IAAF that were contributed in venues other than the assurance email list. 


| # | Date | Doc | Who/When | What | Comments |
|---|------|-----|----------|------|----------|
| 1 | April 18 | IAAF | Audit Community Call | Line 484: Replace "audit" with "engagement" in the first sentence of 4.2 Audit Process and Report | |
| 2 | April 18 | IAAF | Audit Community Call | Add IIA Standard to section 4.2 as an option as well. | The wording doesn't have to reflect all the standards available. The doc uses "such as" to allow for flexibility and enable schools to use other standards. However, the standard used must be included in the summary report sent to InCommon. |
| 3 | April 19 | IAP | Community Call | Clarify that 4.2.5.6 refers to mitigating the risk of end-user credential compromise | |
| 4 | May 2 | IAP | Community Call | Clarify 4.2.1.4 and its intent | Confusion about the goal of this point. Continuous review (like ongoing data and related classification review) is equiv to periodic review. Should we remove "periodic"? Is the goal to have the risk management processes and the infrastructure aligned (even if your risk management processes are lax) AND a neutral third party involved providing feedback? If no audit is involved (at any time, anywhere), but the IT org has internal controls, is that okay? Suggested wording from Mark Rank: "The IdPO's Information Technology operations must align with the organization's risk management objectives as demonstrated by a periodic review process or other equivalent control." |