Vetting, Proofing and Registration Focus Group



Similar documents
Business and Process Requirements Business Requirements mapped to downstream Process Requirements. IAM UC Davis

Provisioning and Deprovisioning 1 Provisioning/De-provisiong replacement 1

Identity and Access Management Final Report. Monday, February 18, 2008

IDENTITY MANAGEMENT AND WEB SECURITY. A Customer s Pragmatic Approach

Glossary of Key Terms

Stephen Hess. Jim Livingston. Program Name. IAM Executive Sponsors. Identity & Access Management Program Charter Dated 3 Jun 15

Securing Adobe PDFs. Adobe - Certified Document Services Registration Authority (RA) Training. Enterprise Security. ID Verification Services

[Identity and Access Management Self-Service Portal]

A unique biometrics based identifier, such as a fingerprint, voice print, or a retinal scan; or

Provide access control with innovative solutions from IBM.

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Step-up-authetication as a service

SaaS at Pfizer. Challenges, Solutions, Recommendations. Worldwide Business Technology

Presentation to House Committee on Technology: HHS System Identity & Access Management

Department of Veterans Affairs VA DIRECTIVE 6510 VA IDENTITY AND ACCESS MANAGEMENT

Identity Assurance Framework

Identity Management Issues for Multi-Campus Institutions - University of California -

The Top 5 Federated Single Sign-On Scenarios

NC Identity Management (NCID)

HEALTH INFORMATION TECHNOLOGY EXCHANGE OF CONNECTICUT

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Smithsonian Enterprises

Frequently Asked Questions (FAQs) SIPRNet Hardware Token

InCommon Bronze Self-Certification September 26, 2014

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

When millions need access: Identity management in an increasingly connected world

Central Oregon Community College. Identity Theft Prevention Program

Identity and Access Management Point of View

APPLICATION FOR DIGITAL CERTIFICATE

The Virginia Electronic Notarization Assurance Standard

The DoD Public Key Infrastructure And Public Key-Enabling Frequently Asked Questions

Oracle Privileged Account Manager 11gR2. Karsten Müller-Corbach

2. Each server or domain controller requires its own server certificate, DoD Root Certificates and enterprise validator installed.

esign Online Digital Signature Service

Guideline on Access Control

Policy on Transfer of Registrations between Registrars Takes effect 31 January 2015

Establishing A Multi-Factor Authentication Solution. Report to the Joint Legislative Oversight Committee on Information Technology

Identity Theft Prevention Policy

Internal Audit. Audit of HRIS: A Human Resources Management Enabler

Information Technology Policy

Web Access Management. RSA ClearTrust. Enhancing control. Widening access. Driving e-business growth. SSO. Identity Management.

Certified Identity and Access Manager (CIAM) Overview & Curriculum

Introduction. About Image-X Enterprises. Overview of PKI Technology

Status: Final. Form Date: 30-SEP-13. Question 1: OPDIV Question 1 Answer: OS

esign FAQ 1. What is the online esign Electronic Signature Service? 2. Where the esign Online Electronic Signature Service can be used?

DEPARTMENTAL REGULATION

HSIN R3 User Accounts: Manual Identity Proofing Process

How To Create Trust Online

managing SSO with shared credentials

101 Things to Know About Single Sign On

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Five Business Drivers of Identity and Access Management

Audio: This overview module contains an introduction, five lessons, and a conclusion.

GNB RSA Token Standards and Procedures

IDENTITY THEFT PREVENTION PROGRAM

Identification of Red Flags, Detecting Red Flags, and Preventing and Mitigating Identity Theft

RECOMMENDED CHARTER FOR THE IDENTITY ECOSYSTEM STEERING GROUP

Knowledge-Based Authentication Challenge Response System

Oklahoma State University Policy and Procedures. Red Flags Rules and Identity Theft Prevention

Department of Public Safety and Correctional Services Information Technology and Communications Division

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

REGISTRATION AUTHORITY (RA) POLICY. Registration Authority (RA) Fulfillment Characteristics SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL, S.A.

POLICY TITLE: IDENTITY THEFT PROTECTION POLICY

Class 3 Registration Authority Charter

How much do you pay for your PKI solution?

Quest One Identity Solution. Simplifying Identity and Access Management

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

An Operational Architecture for Federated Identity Management

Ubisecure. White Paper Series. e-service Maturity Model

DRAFT Pan Canadian Identity Management Steering Committee March 1, 2010

Certification Practice Statement

Department of Information Technology Remote Access Audit Final Report. January promoting efficient & effective local government

Enterprise SSL FEATURES & BENEFITS

Date: March 26, Audit, Finance and Enterprise Committee. Jennifer Ruttman, City Auditor. Annual Credit Card Security Review

Project Charter for ITPC-0375

Integrating Hitachi ID Suite with WebSSO Systems

Department of Veteran Affairs VA HANDBOOK 6510 VA IDENTITY AND ACCESS MANAGEMENT

Baseline requirements Version 1.0 Errata

Identity Assurance Assessment Framework. February 11, 2013 Version 1.2

GlobalSign CA Certificate Policy

ADRIAN COLLEGE IDENTITY THEFT POLICY

Federal Identity, Credential, and Access Management Trust Framework Solutions. Overview

Subject: Public Key Infrastructure: Examples of Risks and Internal Control Objectives Associated with Certification Authorities

Easy as 1-2-3: The Steps to XE. Mark Hoye Services Portfolio Consultant

Understanding Digital Signature And Public Key Infrastructure

Authentication Tokens

AT&T Healthcare Community Online - Enabling Greater Access with Stronger Security

Identity Management Overview. Bill Nelson Vice President of Professional Services

Identity and Access Management. An Introduction to IAM

Approved by the Audit Committee of the Board of Trustees, effective February 3, 2009.

e-governance Password Management Guidelines Draft 0.1

I. Purpose. Definition. a. Identity Theft - a fraud committed or attempted using the identifying information of another person without authority.

Single Sign On Business Case

X.509 Certificate Policy For The Federal Bridge Certification Authority (FBCA) Version 2.24

Web Applications Access Control Single Sign On

HITRUST CSF Assurance Program

Security management White paper. Develop effective user management to demonstrate compliance efforts and achieve business value.

Joshua Beeman June 18, 2012

State of Arkansas Policy Statement on the Use of Electronic Signatures by State Agencies June 2008

Oracle Enterprise Single Sign-on Technical Guide An Oracle White Paper June 2009

Transcription:

Vetting, Proofing and Registration Focus Group Group Participants Masume Assaf, University Office of International Programs Jason Gilham, University Outreach Paula Hamaty, University Outreach Tom Irwin, Commonwealth Campus Cindy Kellerman, Houseing and Food Services, ID+ Office Steve Kellogg, Information Technology Services, Applied Information Technologies Linda Klimczyk, University Libraries Jerry Mihally, Information Technology Services, Digital Credential Services Steve Selfe, Office of Human Resources Jim Smith, Office Physical Plant Neal Vines, College of Ag Sciences Overview: As a sub-group of the Identity and Access Management (IAM) Committee, the Vetting, Proofing and Registration Authority Focus Group was charged with identifying the elements of the processes needed to facilitate the proper registration, vetting and digital credentialing (VPC) of our constituency for the purpose of properly supporting computerbased applications. To that end of identifying the elements of the processes involved, a continuum of elements was identified. The table representing this continuum is presented in the Appendix. This is, by no means, an all-inclusive list of the possible actions or elements of a set of processes for end-user credentialing. In so creating this continuum, we did get to the point where we felt that we were going beyond what we believed was our charter of developing a common language and roadmap for the future of IAM at Penn State. For posterity and future consideration, we include here what was discussed during the meetings. In identifying the overall process and elements of VPC, it was necessary to develop a set of working definitions and a set of recommendations to facilitate institutional identity and access management. Definitions Overall Process: The complete set of processes used to manage, create and support the assertion of one s digital identity. This encompasses the data collection, data validation, proofing, and credentialing with regards to various authentication mechanisms. Re-vetting, re-proofing and re-credentialing have a place is the overall process for digital identity and access management. (See Appendix A)

Affiliate: A person who has an identified, official standing with the university. One who is attached to the university in some way. Vetting: The process by which data is acquired on an affiliate and, to the extent possible, the data is validated and/or verified for authenticity. Re-vetting: The process of re-acquiring and/or acquiring new data for an affiliate and/or validating and/or revalidating the new or previously acquired data for that affiliate. Proofing: The act of aligning someone s previously recorded data to the actual person, most notably at the time of issuance of credentials. Re-proofing: The act of proofing again. Credentialing: The act of issuing the token that will be used to establish the digital identity of someone. Re-credentialing: The act of reissuing a token to a previously credentialed individual. A password reset is an example of re-credentialing. A password change by the end-user is not. Registration Authority: The organization or individual that applies and executes the policies and procedures established by the institution to affect the collection and validation of end-user data and the issuance of credentials and/or authentication tokens to end-users. Root Registration Authority (RootRA): The identified Penn State organization that owns the overall responsibility for the vetting, proofing and credentialing of end-users. The RootRA also owns the responsibility for vetting, certifying and auditing of Delegated RAs. The RootRA will have the overall Authorization to Operate the Digital Identity Management System. Delegated Registration Authority (DRA): Individuals appropriately authorized by the root RA to perform the duties of the RA to collect and validate information and issue credentials. A delegated RA can only issue credentials to an LOA that they are authorized. Person Registry: A single, authoritative system of record that defines all affiliates of the university/enterprise, and also serves as a data store of all of the information that is held to define the digital profile of the affiliate.

Recommendations 1. Streamline Vetting, Proofing and Credentialing Processes: In order to improve the effectiveness and timeliness and to mitigate frustration when credentialing and re-credentialing end-users, we should streamline our processes for vetting, proofing and credential issuance, along with provisioning. Rapid Issuance of Digital Credentials: With the ever-increasing need for one s digital credentials before being able to do many things at Penn State, much faster credentialing needs to be accomplished. Consideration should be given to establishing, within reason, goals for rapid credential issuances. The group discussed 2 hours as being a reasonable goal for the issuance of a credential. Person Registry Information: In order to facilitate more timely digital credentialing, real-time updates of relevant information should be a goal. Employing principles of Service Oriented Architectures (SOA) makes sense for helping to attain this goal. A central Person Registry maintained with real-time or near real-time updates is an example of a component in expediting the process. Review Signature Stations: The current signature station process takes too much time to complete, has weaknesses that allow for circumvention of the intended purpose of proofing an individual, and does not employ adequate technology for capturing a good facsimile of an end-user s signature. The role of signature stations should be reviewed o To remove non-essential elements that have been added to signature station processing o To determine if the most current technology is being used o To insure process compliance o To improve by making more efficient and simplifying the current process o To determine if end-user signatures are still necessary Leverage existing proofing activities: Another opportunity for streamlining and significantly improving the process for proofing and credential issuance is to have an appropriately authorized person who conducts good person proofing now for other purposes be able to easily issue the digital credential at the same time. Otherwise, it is a missed opportunity to capitalize on that moment of (good) proofing. This will also keep the end-user from having to do it again for the sole purpose of obtaining the digital credential. Self-service Re-credentialing: It is felt that the lack of a reliable method for selfservice password resets creates an undue burden on our constituency and, also, promotes an inconsistent application of procedures for password resets around the university. The recommendation is to provide such a self-service password reset

mechanism. It is recognized that utilizing such a mechanism might lower one s LOA One authentication domain: To help eliminate the confusion generated by FPS and Access Accounts, merge the two authentication domains into one and better utilize appropriate authorization for access to all applications once the identity of an individual is established by whatever means available. 2. Protect and Secure Penn State Digital Credentials: To insure the integrity and security of the Penn State Authentication domain, consideration should be given addressing a number of issues that we believe potentially compromise the domain. Authentication Name Space: Establish a policy that places restrictions on the use of Access Account userids by external (out-sourced) service providers such that they can only authenticate via the PSU password store. It is often the case when departments outsource application services that the decision is made to use a local (to the application) authentication mechanism and use Penn State Access Account userids. It is felt that there is a likelihood that most people will use the same password with that userid as they do for real Access Accounts, thus affectively compromising the security and integrity of the PSU authentication domain. (The foreign entity/company will have the full clear-text credential (userid and password) in their possession.) The policy should stipulate that if the foreign service provider cannot or will not use a secure authentication method that does not expose the password to them, such as our websso or an identity federating technology, then they should be forbidden from using the Penn State Access Account ID/Namespace. Multiple Passwords: Multiple accounts and passwords inadvertently lead to users writing down this information in potentially accessible places (sticky notes on computer monitors). This creates undue security risks. We should eliminate the use of multiple authentication domains for Penn State applications. In addition to Access Account passwords, one might typically have separate passwords for IBIS/ISIS, Warehouse, local applications, etc.. We should seek to eliminate this multiple password situation to the extent possible. Domain Authentication Tokens: All authentication tokens or credentials that pertain to the overall Penn State Identity and Access Management System should fall under the purview of the Root Registration Authority for the proper application of policies and procedures. RSA SecureID tokens and Public Key Infrastructure are examples of authentication tokens that should be administered by the Root RA. 3. Delegated RAs:

To insure the integrity and security of the overall digital identity management system, new training, certification, auditing and governance strategies should be considered and employed. Certification of DRAs: A training and certification program should be developed for Delegated RAs (DRA) to ensure their understanding and sensitivity to the importance of compliance with and for the policies and procedures associated with being an RA. They should get certified only to a level (LOA) that is necessary and only for specific affiliates that is necessary for their respective constituency. There should be real consequences for non-compliance with the established policies and procedures. We propose, at a minimum, the loss of the authorization to operate as a DRA. Automatic management of DRA Role: It is recommended that a DRA s authorization to operate be maintained by a central role so that their privilege is quickly revoked if necessary, such as would probably result from a job or position change. DRA Justification: We should develop specific criteria along with a process for the justification of having a DRA in or for a given area of the university. Review current DRAs: All people with authorization to perform RA functions now should be reviewed and, in many cases revoked, as soon as possible to close exposures in policy and procedure administration that we believe to be occurring. Limit number of DRAs: A closely maintained limit on the number of people with RA privileges should be considered.

Appendix A: Basic VPC Process (Vetting) Collection Validation (or not) In-person Proofing (or not) Credential Issuance Digital Identity Established Re-Vetting Re-Proofing Re-Credentialling Appendix B: VPC Continuum Vetting Proofing Credential Issuance Acquisition Validation Local Self-service - immediate issuance Name Birth In person Issued via USMAIL by Certificate Delegated RA after non-in-person vetting and proofing Address Test Scores Driver s License Via phone after sufficient verbal proofing Email Email Response Military ID Via phone after sufficient proofing - Password Reset/ Re-credentialling Self-service w/o proofing Self-service w/o validation of some data. Via phone after sufficient verbal proofing

call back via the phone number of record - forced password reset before use to assure that it had not been intercept Phone Call Back Passport After phone proofing, USMail token - forced password reset SSN SSN Card Forced password reset at the time of in-person proofing (current practice) Driver s US Driver s License License # Place of I9 Birth Passport # US Visa Military ID School ID Foreign Driver s License Distance Faxed ID Q/A of personal info - Challenge-Response Authentication US Visa 3 rd Party In-Person Proofing (Notary/Other trusted person)

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information