
Policy and Governance

Note to the Reader: This draft paper is being authored by Andrea Beesing at Cornell University. Please send comments and suggestions to authnframework-comments


Decisions regarding the way an institution manages identification, registration, authentication, and authorization can have far-reaching effects on the security of resources and data. It is preferable to make well-informed decisions, weighing the benefits against the security risks for all options, than to make decisions based on what is expedient at the moment. Once made, a decision, particularly one that represents an exception to an established standard, is extremely difficult to undo, or deny to the next requestor.

Policy Requirements

Policies are generally an institutional statement about drivers and requirements. These come from external sources such as legal requirements as well as constituent requirements. The business drivers and considerations are then compiled and used to determine the policy and governance structure.

Some general standards and practices governing identity management infrastructures are so important that you will want to establish institutional policies to ensure they are understood and followed. Examples include:
- Confidentiality of passwords
- Constituencies eligible for institutional credentials
- Separation of authentication from authorization

Consider whether a single policy or series of policies is required. For example, you may want to establish a policy for identification, authentication, and authorization which states authentication strengths available, but doesn’t address how specific types of data are to be protected. Prescribing authentication strengths for specific types of data may be best addressed in a policy that covers data security. Since the development of policy in this area will often lead back to the question “What data is being protected?” be sure to include data stewards in the formulation of policy. See the Authentication Policies section for more information.

Governance Model and Stakeholder Identification

To assist in determining directions, making decisions, and formulating policy, develop a governance model that fits your institution. For example, if you have an IT governance board in place in a highly decentralized institution, you may opt to form an advisory group to develop recommendations for submission to the governance board for a decision. The advisory group could consist of representatives from key stakeholder groups who have practical knowledge of how identification, authentication, and authorization work in your environment. The members would constitute a working group charged with:

- Assessing the benefits vs. security risks associated with a particular Identity Management decision, based on the input of other staff in their areas
- Presenting findings to the governance board with a recommendation
- Communicating decisions back to stakeholder groups responsible for implementing them
- Assisting in identifying the standards and practices to be included in a policy and those which should be promoted through the publishing of best practices documentation.

Identifying the key stakeholders who should be involved in the governance process is important. Consider including representatives from the following areas, if they play a role in managing identification, authentication, and authorization at your institution:

  • Offices representing constituent groups
    - HR
    - Registrar
    - Alumni Affairs
    - Library
  • Office executing agreements for constituent groups such as affiliates and subsidiaries
  • Account management groups (staff who issue credentials and provision authorization)
  • Security Office
  • IT Policy Office
  • Counsel’s Office
  • Auditor

If you have colleges, schools, departments or units with unique Identity Management requirements, consider representation from them as well. A good example would be a medical college within a large university. A simpler governance model where key executives make decisions may be suitable for an institution that is highly centralized.

While maintaining the security of information and resources is critical, positioning the governing body as an enabler of business processes is important for ongoing acceptance. See the Governance section for more information.

Revision 1.0, December 12, 2004