Versions Compared

Comment: Reverted from v. 14
Info: Deprecated

This page has been deprecated. Please see Security Incident Handling for current information.

Info: SIRTFI

Note that this page contains general information about federated incident response. See Security Incident Response Trust Framework for Federated Identity (SIRTFI) Category for specific criteria for certification under the SIRTFI program (highly recommended).

Federated identity introduces new challenges for security incident response. Federation participants should consider the impact of federated identity in their incident response practices and treat federated identity partners impacted by a security incident in a similar manner as they would local parties.

Tip: Recommended Practice
  • Publish federated incident response contact information for your federated services and identity providers.
  • Implement a log retention policy for federated services and identity providers.
  • Document and advertise your procedure for responding to a federated security incident.

Incident Response Policy

Goal of this Policy

...

  1. A security incident is the act of violating an explicit or implied security policy (for example, as documented in an acceptable use policy)
  2. A Service Provider is expected to define and provide a service. The expected behavior of a service provider is defined by its service description, InCommon's Participation Agreement and the documents it references, their Participant Operational Practices and possibly other policies and laws. In particular, all All SPs are expected to comply with any restrictions on the use of identity information they obtain of attributes contained in the Participant Operating Practices of any Identity Provider partners from which they accept identity information. Evidence of behavior by a Service Provider service provider that violates those policies is considered a security incident.
  3. Identity Providers are expected to represent user identities (identifiers and/or attributes) to the degree of authority and accuracy specified in InCommon's Participation Agreement and the documents it referencestheir Participant Operating Practices. Evidence of failure of an Identity Provider to do so, e.g. impersonation of a user by another party, is considered a security incident.
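
Review bot: Item 2 names the governing document two ways, "Participant Operational Practices" and "Participant Operating Practices", and item 3 uses the second form; settle on one name so a reader handling an incident knows a single document is meant. Item 2 also mixes "Service Provider" and "service provider", so pick one capitalization. Items 2 and 3 point to different sources of expected behavior (InCommon's Participation Agreement and the documents it references versus the Participant Operating Practices), and the final text should state clearly which one defines a violation, since that definition is what makes an event a reportable security incident.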

...