Subject Re: draft charge, refeds working group on attribute release
From Ingrid Melve <ingrid.melve@xxxxxxxxxx>
Date Tue, 05 Jul 2011 22:40:40 +0200

On 05.07.2011 15:42, Rhys Smith wrote:
> On 5 Jul 2011, at 08:58, RL 'Bob' Morgan wrote:
>> they'll say sure, all of that is good enough to support our organization's business anyway.  But then if you show them LoA2 requirements that formalize all those things, cries of pain arise, and $100K compliance projects are drawn up. So we all generally do the right thing, we figure, but we faint when someone says "prove it".

This sounds oh so familiar.

Is there any way we can lower the price of the compliance projects? The
cries of pain we can live with, but the price and complexity of
compliance projects is hard. For IT security policy Uninett is running a
self-audit for universities, and this is working out pretty well.

> +1.
> I think many universities/colleges generally already do most of LOA2 for their "normal" 95% of users (standard staff/students), but meeting every single requirement in a demonstrable (to auditors) manner is where things get expensive.

Except where they are saving money by putting up self service
registration portals, or just decide to do stuff differently. Self
registration is a big thing, it seems to breed together with portals.
And then there are an increasing number of online students who never
turn up at campus.

My favorite binding-person-to-user-account story is from a small college
who said "they phone us, and then we realize that we know them or their
family", and we looked into the situation, where the statement turned
out to be true. If you speak Sami, you can have an account, because they
know who you are (or at least what family you come from). Does not
fulfill the letter of LoA2, but personal validation nevertheless.

> And beyond that, when you start adding in the remaining 5% of users that most places have in their IDM/directories (a professor's visiting colleague from another institution who needed an account so we gave them one based on the say-so of the prof without checking their passport)... then life starts getting complicated and expensive.

We have found that the 5% of users who are corner cases make up 30-70%
of the user population before cleaning up campus IdM, and 25-40% after
spring cleaning is done. It never ceases to amaze me how seriously the
universities take their responsibilities to include local enterprises (and
their staff), how many collaboration projects with foreign universities
there are, and how many students are floaters.