...
- Do you use a level of assurance? Which one?
- Is the LoA self-asserted?
- Is everything documented?
- If not documented: what would it cost to document it?
- Internal audits?
- External audits?
- If no audits: what would audits cost?
- How many users need a (higher) level of assurance?
- Identity Management Practice Statement?
Results
Survey
Insights
- Nick Roy: At Iowa, at one point, I had estimated about USD 2 million and 2,000 hours of staff time across pretty much all of IT to get rid of NTLMv2, and at the time, it would have broken things like printers and network-connected storage with no good replacement solution. Warren Curry got pretty far down the authentication remediation road and I think had to back out due to some of the issues above. I think U. Chicago is still working on achieving Silver, but with a second factor. To date, only Virginia Tech (Mary Dunker) has achieved Silver, and only because they already had multi-factor hardware cryptographic tokens deployed.
- Tom Barton: 1 year to get an auditor knowing about identity management