4.2. Develop Policy Framework
Since the authentication service is so tightly bound to identity and access management, you should use your IT governance structure to cast the policy framework for the authentication project and incorporate it into your overall identity management and security policy framework.
Specifically, authentication policy should include the following:
- Identification – What requirements will be imposed to ensure sufficient proof that the person is who they say they are? What credentials are required to confirm their employment, student status, or other affiliation relationship to the institution? If identity data is derived from existing directory or user account databases, how will legacy information be verified? What are the requirements to support the chosen LoAs?
- Electronic credentials – What rules determine the form of the credential? How will requirements or standards affecting this be identified? How will legacy architectures be able to make use of the electronic credential? What encryption standard will be required? What does the anticipated lifecycle of credentials look like? Can they be changed, retired, or reused? What are the LoA requirements for the credentials?
- Registration – How is information about the individual obtained? Does it come from payroll or student databases? How are affiliates, such as applicants, alumni, and contractors, added? How will electronic credential information be linked to information about the individual? What relationships or dependencies are required for the enterprise directory, patron directories, or other similar services? Are appropriate protections in place to ensure the privacy of information about individuals? What are the LoA requirements for registration?
- Service providers – What requirements will be imposed on service providers to ensure the privacy of identity information whether on your premises or offsite? What standards are required to ensure protection of the credential during transmission? What level of assurance of the authentication credential is necessary for access to which service? Is multi-factor authentication required for some services?
Case Study (PDF) – University of Wisconsin-Madison
Steve Devoti and Mairéad Martin describe authentication at the University of Wisconsin-Madison. Of note is a recent password policy.
Case Study (PDF) – New York University
Gary Chapman describes the context for and provides New York University's approach to authentication and identity policy.
For further examples, see Cornell University's Authentication of Information Technologies Resources Interim Policy, the SANS Security Policy Project, or Rodney Petersen's A Framework for IT Policy Development, EDUCAUSE Review, March/April 2004. For additional institutional examples, visit the Association of College and University Policy Administrators (ACUPA).
Below are a few policy development tips:
- Identify the short-term, interim policies that you can develop and implement while the longer-term versions are being developed. You can publish them as interim and include a link to the draft permanent versions. This helps to ensure that critical issues, whether technological or process-based, are addressed as early as possible as the project proceeds. Examples include the Guiding Principles you developed earlier and Cornell's Authentication of Information Technology Resources Interim Policy above.
- Ensure that the technical- and process-oriented individuals are passing along the policy issues they discover in their work and that a feedback loop is established. For example, as a password reset mechanism is being developed, a typical question is "How many secrets should we require users to establish to reset their password?" The answer to this question relates back to the identified requirements, LoA, and identity proofing, and may in effect be more an interpretation of policy than a technical question.
- If you don't have one, start laying the groundwork to establish a governance structure and assemble an ongoing oversight/management group to help guide policy development in the future. You may be able to ask those involved at these initial stages to serve a bit longer to get a process up and running and provide continuity. For information on starting a formal governance structure, visit the IT Governance Institute.
- The E-Authentication Initiative's Password Credential Assessment Profile provides overall guidance on the operations, processes, and structures needed to adequately support your authentication system and related identity-management infrastructures. If you intend to have your constituencies use electronic services provided by the Federal Government, it would be prudent to be consistent with these processes and practices as you develop your policy framework, as outlined in the Drivers for Change section.
