InCommon Assurance Implementation Example

Overview

Name of Organization: Virginia Tech

Name of Contact: Mary Dunker

Email Address: dunker at vt dot edu

Would you be willing to be contacted for more details? yes

Profile(s), Version and Method of Determination(s) of Conformance:
__ Bronze 1.2 - Representation of Conformance
_x_ Bronze (1.1) - Audited
_x_ Silver (1.1) - Audited


Why is Assurance important to your organization?  Include the service providers with which you'd like to federate under this Program.

Virginia Tech has long recognized the importance of mapping the level of assurance needed to access our online services to the credential that corresponds to that LoA. We created a Standard for Personal Digital Identity Levels of Assurance in 2010. This standard reflected guidance from NIST 800-63, but since NIST publications are designed with the federal government in mind, we were very excited when the InCommon Identity Assurance Profiles were established. These profiles allowed Virginia Tech to verify and strengthen our existing identity assurance program and credential technology based on a standard for higher education. In addition to using Bronze and Silver assurance to access external services that require those levels, Virginia Tech services will also have the option to request/require Bronze or Silver from our local users.

A few Virginia Tech research faculty members have already federated with the CILogon service, which is currently accepting InCommon Bronze and Silver credentials in production. Further use is anticipated by the Office of Sponsored Programs for grant submissions. It is hoped that Virginia Tech financial aid officers will be able to use their Silver credentials to access services offered by the Department of Education and the National Student Clearinghouse. NSF and NIH may have other services that will require Bronze or Silver credentials, so Virginia Tech will be ready when those services are available.

Who/what department led the Assurance Project? With whom did you engage during the process?

Mary Dunker, Director of Secure Enterprise Technology Initiatives (SETI) and Karen Herrington, Director of Identity Management Services (IMS) served as co-leaders for the "InCommon Silver for Virginia Tech" project. Both departments are within the Information Technology (IT) organization. Formal project management processes were followed, with IT's Associate Director for Project Planning as the designated project manager. Technical support and software development tasks were handled by the developers in the Middleware and Secure Information Exchange Services units in SETI.

The InCommon Silver for Virginia Tech team interacted with the Virginia Tech Payroll and Human Resources offices to gain a good understanding of the identity information that is collected and entered into the ERP system when an employee is hired. Staff in the Hokie Passport Office confirmed the identity proofing procedures used to obtain the university's ID card. The Director for Policy and Planning, the IT Security Office, the Office of Sponsored Programs, Student Network Services, and Internal Audit were all involved in the project and were kept informed of status through a project wiki space. The level of engagement with Internal Audit was high, including a pre-project briefing with the Director of Internal Audit, weekly meetings with the IT Auditor assigned to collect information and perform the verification, and working with the Associate Director of Internal Audit to create the audit summary that was submitted to InCommon.

What specific steps did you take to address the functional areas?

4.2.1 Business, Policy and Operational Criteria

Scope:

Legal agreements required to join InCommon. 

Gap Analysis:

No gaps were identified.

Management Assertion:

Virginia Polytechnic Institute and State University is a legal entity that is an InCommon Participant in good standing, and has the organizational structures and processes to comply with the provisions of this IAP. 

Evidence of compliance: 

InCommon Participation Agreement, Participant Operational Practices, and PO number for most current membership payment. Virginia Tech's InCommon Administrative contacts acknowledged and agreed to perform their responsibilities to comply with this section of the IAP. IT organizational documentation at www.it.vt.edu.

4.2.2 Registration and Identity Proofing

Scope:

The project was scoped to achieve InCommon Silver for faculty/staff only - not students. This allowed us to concentrate on registration and identity proofing applicable to employees. Registration is handled by the Token Administration System (TAS) -- a desktop client that interfaces with the Enterprise LDAP directory component of our Identity Management System. In-person identity proofing is performed by Registration Authority Administrators using TAS to retrieve information about employees with an existing relationship to the university. TAS also records the required registration information in its database. 

Gap Analysis:

Columns: Action item (identify section and sub-section); Who (Univ. unit); Type (documentation, infrastructure, procedure, Token Administration System); Effort (Major, moderate, minor, complete).

Action item: 4.2.2.3 Registration Records – the record of the facts of registration needs to be modified to include the issuer of the document. For example, a driver's license is currently recorded, but the issuer (state/country of issuance) is not captured.
Who: SETI SIES, SNS, Software Dist.
Type: TAS or procedure
Effort: Minor if the issuer is entered in the existing comment field by the TAS operator; moderate if TAS is modified to enforce entry of the issuer. Resolution: change TAS to provide all acceptable document types in pulldown menus and to require entry of the issuer.

Action item: 4.2.2.4 Identity Proofing – Details about payroll and departmental procedures and documentation are unknown, so we do not know whether changes may be required to meet the IAP. If graduate students who are not employees remain eligible for Silver LoA PDCs, we will need to review initial identity proofing procedures for them.
Who: Meet with representatives from Payroll and HR to determine procedures.
Type: Documentation, procedure
Effort: Minor if documentation exists and procedures do not need to change. Resolution: documentation exists for payroll, HR, and I-9 hiring procedures. No changes to procedures required.

Action item: 4.2.2.4.1 Existing relationship – TAS should record the person's eligible affiliation(s) at the time the certificate was issued.
Who: SETI SIES
Type: TAS
Effort: Minor

Action item: 4.2.2.4.2 In-Person proofing – determine if any changes are needed based on conversations addressing 4.2.2.4. Item 3 under 4.2.2.4.2 is N/A. We will require that addresses match. Update October 27, 2011 - since the only government-issued photo ID that contains an address seems to be the driver's license, we will ensure we have a process for address confirmation according to one of the options in 4.2.2.5.
Who: Project leads; SETI SIES if TAS changes are needed.
Type: Documentation, procedure, TAS, Enterprise Directory
Effort: Moderate

Action item: 4.2.2.5 Address of record confirmation – need to add this to the TAS registration process.
Who: SETI Middleware, SIES; IMS; TAS RAAs
Type: ED, IMS SMS-to-phone web app
Effort: Moderate
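The 4.2.2 gap items above amount to required fields on the registration record that TAS did not previously enforce. The following is an added illustration, not Virginia Tech's TAS code: it checks a record for each resolved gap (structured document issuer, eligible affiliation at issuance, confirmed address of record, recorded RA Administrator). The field names, the accepted document types and the address-confirmation methods are assumptions made for the example.

```python
# Added example (not Virginia Tech's TAS code): validates a registration record
# against the 4.2.2 gap items. Field names, the accepted document types and the
# address-confirmation methods are assumptions made for illustration.
from dataclasses import dataclass
from typing import List

# 4.2.2.3 resolution: a fixed pulldown of document types plus a mandatory issuer.
ACCEPTED_DOCUMENT_TYPES = {"drivers_license", "passport"}   # assumed list
# Project scope: Silver for faculty/staff only, so only these affiliations qualify.
ELIGIBLE_AFFILIATIONS = {"faculty", "staff"}
# 4.2.2.5: the address of record must be confirmed by one of the IAP's options.
# The page names an SMS-to-phone web app; the mail option is assumed.
ADDRESS_CONFIRMATION_METHODS = {"sms_to_phone", "mail_to_address_of_record"}

@dataclass
class RegistrationRecord:
    document_type: str
    document_issuer: str        # 4.2.2.3: state/country of issuance
    affiliations: List[str]     # 4.2.2.4.1: affiliation(s) at time of issuance
    address_confirmation: str   # 4.2.2.5: method used to confirm address of record
    ra_administrator: str       # RA Administrator who performed in-person proofing

def gap_findings(record: RegistrationRecord) -> List[str]:
    """Return the 4.2.2 items the record fails; an empty list means it is complete."""
    findings = []
    if record.document_type not in ACCEPTED_DOCUMENT_TYPES:
        findings.append("4.2.2.3 document type not in accepted list")
    if not record.document_issuer.strip():
        findings.append("4.2.2.3 issuer of identity document not recorded")
    if not ELIGIBLE_AFFILIATIONS.intersection(record.affiliations):
        findings.append("4.2.2.4.1 no eligible affiliation at time of issuance")
    if record.address_confirmation not in ADDRESS_CONFIRMATION_METHODS:
        findings.append("4.2.2.5 address of record not confirmed by an accepted method")
    if not record.ra_administrator.strip():
        findings.append("4.2.2.4.2 RA Administrator not recorded")
    return findings

# Constructed sample records: the pre-change state (issuer only in a free-text
# comment, so no structured value, and no address confirmation) and a record
# captured after the TAS changes.
BEFORE = RegistrationRecord("drivers_license", "", ["staff"], "", "ra-admin-1")
AFTER = RegistrationRecord("drivers_license", "Virginia", ["staff"],
                           "sms_to_phone", "ra-admin-1")

if __name__ == "__main__":
    for name, rec in (("before", BEFORE), ("after", AFTER)):
        print(name, gap_findings(rec) or "complete")
```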

Management Assertion:

Virginia Tech asserts that identity proofing in this IAP is based on a government issued ID and that information verified at the time of employment is used to create a record for the Subject in Virginia Tech's Identity Management System.

Evidence of compliance:

The Token Administration System is documented in a TAS User Guide, to which the auditors were given access. Requirements for RA administrators, who access TAS using a Silver-level eToken, are documented in the Virginia Tech User CA Certification Practice Statement. Since we based the registration on an existing relationship with the university, we consulted with HR, payroll, and the Bursar's office, and then provided the auditors with documentation of the procedures used to verify a person's identity during the hiring process. The auditor observed the TAS registration procedures by obtaining a Virginia Tech eToken from the RA Administrators in the Student Network Services office.   

4.2.3 Credential Technology

Scope:

Virginia Tech employees will use an X.509 personal digital certificate on the SafeNet 64K USB eToken Pro device as their credential for InCommon Silver.

Gap Analysis:

Columns: Action item (identify section and sub-section); Who (Univ. unit); Type (documentation, infrastructure, procedure, Token Administration System); Effort (Major, moderate, minor, complete).

Action item: 4.2.3 Credential Technology – This section does not apply to multifactor credentials. Documentation will be produced to show how Virginia Tech's credential technology meets or exceeds IAP requirements. Where guidance is needed, we will refer to NIST 800-63.
Who: IMS, SETI
Type: Documentation
Effort: Moderate

Management Assertion:

The Virginia Tech User Certification Authority issues an X.509 personal digital certificate (PDC) onto a SafeNet 64K USB eToken Pro device. The eToken is activated using a password. Public-private key exchange (client SSL) is used to perform authentication. This is not a typical "Shared Authentication Secret" form of Identity Credential, but the institution asserts that this multi-factor credential meets or exceeds the requirements of the IAP. Additional guidance is provided in NIST 800-63. 

Evidence of compliance:

See Sample Management Assertions under multi-factor Example 2 at the CIC Multi-factor Working Group page.

4.2.4 Credential Issuance and Management

Scope:

Gap Analysis:

Columns: Action item (identify section and sub-section); Who (Univ. unit); Type (documentation, infrastructure, procedure, Token Administration System); Effort (Major, moderate, minor, complete).

Action item: 4.2.4.2 Credential revocation or expiration – item #1 specifies that the IdPO shall revoke Credentials or Tokens within 72 hours of being notified that a credential is invalid or compromised. We must document this in the CPS and publish/enforce procedures.
Who: SIES for draft language, PMA for approval
Type: Documentation, procedure
Effort: Minor

Action item: 4.2.4.4 Credential issuance records retention – the IdPO shall retain records of credential issuance and revocation for a minimum of 180 days beyond expiration of the credential. The VT User CPS states that the VTCA retains audit logs for 1 year.
Who: PMA, SIES
Type: Documentation, infrastructure, TAS
Effort: Minor

Management Assertion:

Evidence of compliance:

4.2.5 Authentication Process

info coming soon

4.2.6 Identity Information Management

info coming soon

4.2.7 Assertion Context

info coming soon

4.2.8 Technical Environment

info coming soon

Provide any lessons learned for those just starting.

What resources (templates, documents, planning tools, URLs, etc.) were especially helpful during this process?

The following resources were helpful during the "InCommon Silver for Virginia Tech" process: