3.2. Define the Guiding Principles
• Example Guiding Principles for Authentication
Once you have your problem definition in hand and know who should be involved in the planning stages, the next step is to work with them to define a set of guiding principles or working assumptions for the authentication service to help people make decisions, understand the environment, and determine relative priorities.
A set of principles is typically written from a high-level perspective and with very few details. The intent is that they should apply for many years to come and are intended to guide policy development and enterprise and departmental application deployments and reflect the needs of major groups across campus. They may also highlight aspects of your more encompassing identity management assumptions.
Case Study (PDF) – Paul Hill provides information on MIT's guiding principles.
Example Guiding Principles for Authentication
Below are a few example guiding principles to get you started:
- Centralized authentication is preferred over distributed authentication.
- Authentication-related policies will be based on the following existing policies or existing policy framework at our institution: [you can indicate those here].
- In the interest of optimizing security, information confidentiality, and preservation of individual privacy, a minimum necessary standard will be observed with respect to the collection, handling, and use of identity information.
- Applications or systems purchased after January 2007 must be capable of utilizing the campus authentication service natively.
- The network should be considered public and unprotected.
- An attacker has the ability to attach a machine to the network and monitor traffic.
- The burden of securing an application or service is shared among the developers, contractors, system administrators, and the department that provides the basic network infrastructure.
Click [next] below for next steps gathering information about your current practices, policies, and drivers.