...
https://aaf.edu.au/wp-content/uploads/2015/04/AAF_example_org_report.pdf
aaf.edu.au/wp-content/uploads/2015/04/AAF_example_sum_report.pdf
- Assurance: understanding of the assurance requirements, awareness of identity proofing
- Technical: attribute filtering, high-availability configuration, deployment, responsibility for operation, monitoring, version of the IdP software, version of the Java JDK
- User interface: help desk, password recovery, terms of use
- Security: outdated software versions, known vulnerabilities, SHA-1 signature/digest algorithms in metadata, web server and operating system configuration, open ports
ISO 27k
relevant: ISO/IEC 27001 Annex A, control area A.9 (access control), and the corresponding clause 9 of ISO/IEC 27002
...
- Identity/account concept: unique identifier, never reassigned, individual (non-shared) accounts, registration, proof of identity, processes for onboarding new users
- Authentication and authorization: the authentication mechanism itself, authorization (roles/groups), quality of identity data (correctness, completeness), change management for that data, life cycle of an account and its user rights, closing accounts, password rules (and enforcement of password quality)
- Policies, processes and procedures: password policy, security policy, how often the FIM (federated identity management) components are updated, whether policies are updated and monitored, privacy, access control policy
- Security: awareness, audits, IDS / intrusion (penetration) tests, data protection, log files, monitoring, reports, updates, availability, up-to-date metadata
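Two of the items above, "SHA1 in metadata" (first checklist) and "up-to-date metadata" (this one), can be checked mechanically. The following is an added example, not code from these notes or from AAF/AARC: it parses an EntityDescriptor with the Python standard library, reports every XMLDSig SignatureMethod or DigestMethod that still uses a SHA-1 based algorithm, and checks whether the validUntil timestamp has passed. The metadata document, the entityID and the set of SHA-1 algorithm URIs it flags are constructed assumptions for the example.

```python
"""Audit a SAML metadata document for SHA-1 signature/digest algorithms and
for expired (stale) metadata. Added example, not code from the notes above
or from AAF/AARC; standard library only. SAMPLE_METADATA is a constructed
sample, not a real federation's. For metadata from untrusted sources use
defusedxml instead of xml.etree to avoid entity-expansion attacks."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"

# XMLDSig algorithm URIs that rely on SHA-1 (assumption: these are the ones
# a federation audit cares about; extend the set if your metadata uses others).
SHA1_ALGORITHMS = {
    DS + "rsa-sha1",
    DS + "dsa-sha1",
    DS + "hmac-sha1",
    DS + "sha1",
}

# Constructed sample: a signed IdP EntityDescriptor using RSA-SHA1 and a
# SHA-1 digest, with a validUntil in the past.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.org/idp/shibboleth"
    validUntil="2015-05-01T00:00:00Z">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>AAAA</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>AAAA</ds:SignatureValue>
  </ds:Signature>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def find_sha1_algorithms(metadata_xml):
    """Return 'Element: Algorithm' for every SignatureMethod or DigestMethod
    in the document that uses a SHA-1 based algorithm (empty list = clean)."""
    root = ET.fromstring(metadata_xml)
    findings = []
    for tag in ("SignatureMethod", "DigestMethod"):
        for el in root.iter("{%s}%s" % (DS, tag)):
            alg = el.get("Algorithm", "")
            if alg in SHA1_ALGORITHMS:
                findings.append("%s: %s" % (tag, alg))
    return findings


def metadata_is_current(metadata_xml, now_iso=None):
    """True if the root element's validUntil has not passed.
    now_iso: ISO 8601 timestamp to evaluate against (default: current UTC).
    Metadata without validUntil is treated as current here; the aggregate's
    cacheDuration and the age of your last successful fetch still need a
    separate check."""
    root = ET.fromstring(metadata_xml)
    valid_until = root.get("validUntil")
    if valid_until is None:
        return True
    expiry = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
    now = (datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
           if now_iso else datetime.now(timezone.utc))
    return now < expiry


if __name__ == "__main__":
    for finding in find_sha1_algorithms(SAMPLE_METADATA):
        print("SHA-1 in metadata:", finding)
    print("metadata current:", metadata_is_current(SAMPLE_METADATA))
```

Run it against a federation aggregate or a single IdP's metadata file; a non-empty list from find_sha1_algorithms means the signing configuration still needs to move to SHA-256 (rsa-sha256 / xmlenc#sha256), and a False from metadata_is_current means the IdP is publishing, or the SP is consuming, metadata that should already have been refreshed.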
from AARC (Authentication and Authorisation for Research and Collaboration):
- Accounts belong to a known individual (i.e. no shared accounts)
- Persistent identifiers (i.e. identifiers are not re-assigned)
- Documented identity vetting (not necessarily face-to-face)
- Password authentication following good practice
- A departing user’s account is closed, or their ePA (eduPersonAffiliation) changed, promptly
- Self-assessment (supported by specific guidelines)