
Read through the following resource and then return to the course and proceed to the next resource: Step by Step Guide for asserting Sirtfi compliance.


Expressing compliance

“What does it mean to be Sirtfi compliant?

1) All Entities should assert Sirtfi compliance in the metadata.
2) Security contact element should be included in every Entity that asserts Sirtfi compliance.”

Security contact expectations


Framework requirements

  • Use and respect the Traffic Light Protocol (TLP) in all incident response correspondence
  • Promptly acknowledge receipt of a security incident report
  • As soon as circumstances allow, investigate incident reports concerning resources, services, or identities for which the entity is responsible




Security contact details


Who to choose? 

  • The individual or group who will carry out the Sirtfi requirements on behalf of the entity (entity = federated identity provider or service provider)
  • This can be delegated to a CERT/CSIRT or an external security team


What to include?

  • A given name and an email address are mandatory
  • Additional telephone numbers and email addresses may be added if desired, e.g. for a well-known individual on the security team
  • This contact information is added to your organisation’s metadata following your federation’s procedures
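As an added example (not from this page, the REFEDS wiki or the Sirtfi specification), the following Python check inspects a SAML EntityDescriptor for the two metadata requirements quoted above: that Sirtfi compliance is asserted, and that a security contact with a given name and an email address is present. The identifiers used are the ones REFEDS defines for this purpose and are not stated on this page: Sirtfi is asserted as the value https://refeds.org/sirtfi of the urn:oasis:names:tc:SAML:attribute:assurance-certification entity attribute, and the security contact is a ContactPerson carrying remd:contactType="http://refeds.org/metadata/contactType/security" in the http://refeds.org/metadata namespace. Both metadata documents below are constructed samples, not real federation metadata.

```python
"""Check a SAML EntityDescriptor against the two Sirtfi metadata requirements.

Added example, not REFEDS or federation tooling. Namespace URIs, the
assurance-certification attribute and the REFEDS security contact type are
the values defined by OASIS SAML and REFEDS; the metadata is constructed.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "remd": "http://refeds.org/metadata",
}
ASSURANCE_CERT_ATTR = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
SIRTFI_URI = "https://refeds.org/sirtfi"
SECURITY_CONTACT_TYPE = "http://refeds.org/metadata/contactType/security"


def asserts_sirtfi(entity):
    """True if the EntityAttributes extension carries the Sirtfi value."""
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    for attr in entity.iterfind(path, NS):
        if attr.get("Name") != ASSURANCE_CERT_ATTR:
            continue
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
        if SIRTFI_URI in values:
            return True
    return False


def security_contacts(entity):
    """All ContactPerson elements typed as a REFEDS security contact."""
    key = "{%s}contactType" % NS["remd"]  # Clark notation for remd:contactType
    return [c for c in entity.iterfind("md:ContactPerson", NS) if c.get(key) == SECURITY_CONTACT_TYPE]


def check_sirtfi(metadata_xml):
    """Return a list of problems; an empty list means both requirements are met."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        return ["not an EntityDescriptor"]
    problems = []
    if not asserts_sirtfi(root):
        problems.append("no assurance-certification attribute value %s" % SIRTFI_URI)
    contacts = security_contacts(root)
    if not contacts:
        problems.append("no ContactPerson with remd:contactType %s" % SECURITY_CONTACT_TYPE)
    for contact in contacts:
        # GivenName and EmailAddress are the mandatory parts of the security contact.
        name = contact.findtext("md:GivenName", default="", namespaces=NS).strip()
        mails = [m.text.strip() for m in contact.iterfind("md:EmailAddress", NS) if m.text and m.text.strip()]
        if not name:
            problems.append("security contact lacks GivenName")
        if not mails:
            problems.append("security contact lacks EmailAddress")
    return problems


# Constructed sample: asserts Sirtfi and carries a complete security contact.
COMPLIANT = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:remd="http://refeds.org/metadata"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
  <md:ContactPerson contactType="other"
      remd:contactType="http://refeds.org/metadata/contactType/security">
    <md:GivenName>Security Response Team</md:GivenName>
    <md:EmailAddress>mailto:security@example.org</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>"""

# Constructed sample: no Sirtfi assertion, and the security contact has no email address.
NONCOMPLIANT = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:remd="http://refeds.org/metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:ContactPerson contactType="technical">
    <md:GivenName>Helpdesk</md:GivenName>
    <md:EmailAddress>mailto:help@example.org</md:EmailAddress>
  </md:ContactPerson>
  <md:ContactPerson contactType="other"
      remd:contactType="http://refeds.org/metadata/contactType/security">
    <md:GivenName>Security Team</md:GivenName>
  </md:ContactPerson>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for label, doc in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT)):
        print(label, check_sirtfi(doc) or "OK")
```

In practice the assurance-certification attribute is normally written into the published metadata by the federation operator once the participant has asserted compliance through the federation's procedures, so the check is most useful against the metadata your federation actually publishes rather than against a locally maintained file.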




Links

If you are a federation operator needing to know the details of the steps involved in supporting Sirtfi adoption, please see the REFEDS Sirtfi wiki: https://wiki.refeds.org/display/SIRTFI/Guide+for+Federation+Operators

If you are an IdP or an SP and you would like to adopt Sirtfi, please contact your federation. You can also visit the REFEDS wiki for the detailed steps involved in becoming Sirtfi compliant: https://wiki.refeds.org/display/SIRTFI/Guide+for+Federation+Participants



Last modified: Wednesday, 7 August 2019, 12:34 PM