4.3. Develop Business Processes
• Specific Processes to Consider
• Using the Password Credential Assessment Profile
In conjunction with the policy and technology development, the business process work must support the policies that govern your authentication service. Key to successful and efficient business process change is the education of all the affected parties and an ongoing review channel for reporting issues and problems with the new procedures. Managers and policy makers need to understand the basics of authentication technology and implementation decision points, and this process also ensures that a variety of viewpoints and sufficient data inform the decisions about authentication.
Specific Processes to Consider
Below are the specific processes and requirements relating to identification, credentialing and re-credentialing, and account management that you should have in place:
- Identification and registration includes on- and off-campus identity vetting and other processes that may have to be considered if parts of the population cannot comply with vetting policies, such as exception procedures for dealing with constituencies who need access, but fall outside the identified local populations (e.g., "guests" or remote users).
- Electronic credentials includes creation of self-service or other password change mechanisms; password-reset exception processes; and procedures involving password sharing or compromise. Use the NIST Password Entropy tool to determine policy and LoA compliance.
- Account management includes provisioning and de-provisioning accounts, how these are done and when, and status and affiliation change management.
- Support includes help desk and related support personnel's responsibilities. Matt Smith from the University of Connecticut did an informal survey on help desk and password reset issues.
- Security and compliance includes auditing and process debugging and security monitoring and compliance. Refer to Log Management for the University of California: Issues and Recommendations for an example of some of the issues associated with security and compliance.
- Staff training includes educating staff about new processes and responsibilities and changes in those already existing.
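The "Electronic credentials" item above points to the NIST Password Entropy tool for checking policy and LoA compliance. The block below is an added example, not part of the roadmap page or the NIST tool: it estimates the guessing entropy of a user-chosen password with the per-character rule of NIST SP 800-63 Appendix A and checks the result against the E-Authentication on-line guessing targets (2^-10 for Level 1, 2^-14 for Level 2). The shape of the dictionary-check bonus decline and the throttling figures are assumptions.

```python
# Added example: NIST SP 800-63 Appendix A entropy estimate plus an LoA
# on-line guessing check. Not the page's or NIST's own code.
from math import ceil, log2

# Maximum log2(probability) that an on-line guessing attack succeeds over
# the life of the password, per assurance level.
LOA_TARGET_LOG2 = {1: -10, 2: -14}


def nist_user_password_entropy(length, composition_rule=False, dictionary_check=False):
    """Bits of guessing entropy for a user-chosen password of the given length.

    First character: 4 bits; characters 2-8: 2 bits each; 9-20: 1.5 bits each;
    21 and beyond: 1 bit each. A rule requiring upper-case and non-alphabetic
    characters adds 6 bits. An extensive dictionary check adds up to 6 bits,
    declining to 0 at 20 characters; the linear decline from 8 to 20 used
    here is an assumption, the exact NIST schedule is not reproduced.
    """
    if length < 1:
        return 0.0
    bits = 4.0 + 2.0 * min(length - 1, 7)
    if length > 8:
        bits += 1.5 * min(length - 8, 12)
    if length > 20:
        bits += 1.0 * (length - 20)
    if composition_rule:
        bits += 6.0
    if dictionary_check:
        bits += 6.0 * max(0.0, min(1.0, (20 - length) / 12.0))
    return bits


def allowed_attempts(max_failures_per_window, window_days, lifetime_days):
    """Guesses an attacker can make before the password expires, given a
    lockout/throttling policy of N failures per window."""
    return max_failures_per_window * ceil(lifetime_days / window_days)


def guessing_probability_log2(entropy_bits, attempts_per_lifetime):
    """log2 of the chance an on-line brute-force attacker succeeds in-lifetime."""
    return log2(attempts_per_lifetime) - entropy_bits


def meets_loa(entropy_bits, attempts_per_lifetime, level):
    """True if the credential policy satisfies the given assurance level."""
    return guessing_probability_log2(entropy_bits, attempts_per_lifetime) <= LOA_TARGET_LOG2[level]


if __name__ == "__main__":
    # Constructed policy: 100 failures per 30 days, 180-day password lifetime.
    attempts = allowed_attempts(100, 30, 180)
    for rules in ((False, False), (True, True)):
        bits = nist_user_password_entropy(8, *rules)
        levels = [lvl for lvl in (1, 2) if meets_loa(bits, attempts, lvl)]
        print(f"8 chars, composition={rules[0]}, dictionary={rules[1]}: "
              f"{bits} bits, meets levels {levels}")
```

Under the constructed policy an 8-character password with no rules fails even Level 1, while the same length with composition and dictionary rules satisfies Level 2.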
Below are additional points that you should consider but that are not necessarily germane to an initial implementation:
- Alternative plans and procedures when normal operations cannot be followed, such as when the system is not working properly or is functioning at an alternate location during a disaster or abnormal conditions.
- Flexibility to allow a variety of services to leverage the authentication system without compromising the intent of the policies. Also consider any processes that need to be ADA compliant.
- Identification and documentation of how changes are made in longer-term, shorter-term, and emergency contexts.
Remember, your processes must be documented and auditable. This is critical if your institution decides to leverage the authentication (and identity management) infrastructure to use an external on-line service or participate in external partnerships. A central document repository is useful both for review by the service provider to establish trust and for auditing to verify it.
Using the Password Credential Assessment Profile
The next step is to consider the expected information flow for creation, provisioning, and de-provisioning of user credentials for the communities you identified in the Develop the Plan section. (You may or may not have done this in your gap analysis.)
The E-Authentication Initiative's Password Credential Assessment Profile provides overall guidance on the operations, processes, and structures needed to adequately support your authentication system and related identity-management infrastructures.
Assurance Level 1 outlined on page 8 lists requirements for proving formal incorporation of the organization, managing and transmitting authentication credentials, and maintaining a record of their status and ensuring their timely revocation when appropriate.
While reviewing Assurance Level 1 is important, it is recommended that those working on the business processes go on to review Assurance Level 2 and, in particular, the Organization Maturity, Registration and Identity Proofing, and Delivery Confirmation sections. These offer guidance regarding specific processes to address and implement on your campus.
Case Study (PDF) – University of California Password Resets
Karl Heins, the UC Director of Information Technology Audit Services, explains why mandatory password changes may not be effective.
Case Study (PDF) – Penn State's Password Practices
Renee Shuey provides an overview of Penn State's password practices.
Case Study (PDF) – Rice University
Barry Ribbeck discusses authentication at Rice University with an emphasis on their password practices and levels of assurance.
