Identity and Access Management
About IAM
The IAM Focus Groups described below are modeled after the NMI-EDIT Consortium's (part of the NSF Middleware Initiative - NMI) document, available in the Resources section of this Web site.
The goal of this group is to define the many affiliations (customers, employees, etc) the University currently has and that can be envisioned in the future. The affiliations can range from those that are tenured faculty to adult learners that are taking a training course and need access to the network. This group will also make recommendations regarding when each affiliation officially begins and ends; identifying the various stages of the life cycle, as well as the current processes for creating identities, along with recommendations on process improvement.
Members:
Chris Brown
Sean Costella
Frank Miller
Marta Miquel
Tom Moore
Cheryl Seybold
Vince Timbers
Jim Vuccolo
Michelle Weaver
Identity Vetting is the process used to establish the identity of the individual to whom the credential was issued [OMB M-04-04 E-Authentication Guidance for Federal Agencies]. This is typically done at the Registration stage. Penn State has many registration authorities each with its own set of processes to assure the identity of the individual. This group will identify all registration authorities, evaluate the current processes, and make recommendations to align the processes with recommendations of the federal government's guidelines for levels of assurance while adding value to the business processes of the University.
Members:
Masume Assaf
Tom Irwin
Cindy Kellerman
Linda Klimczyk
Jerry Mihaly
Steve Selfe
Jim Smith
Neal Vines
Level of Assurance (LoA) describes the degree of certainty that the user has presented an identifier (a credential in this context) that refers to his or her identity. In this context, assurance is defined as:
A variety of application factors are examined to determine the minimum strength of the credential provided to an application. This determination is made through a risk assessment of each type of transaction that the application supports, identifying each risk and the likelihood of its occurrence, including:
This group will make recommendations for various levels within the Penn State community, aligning these levels with the federal government guidelines where appropriate.
Members:
Masume Assaf
Jackie Babcock
Scott Bitner
Steve Kellogg
Marta Miguel
Cheryl Seybold
Steve Shelow
Vince Timbers
Risk-level Assessment is a management technique used to determine the level of exposure associated with unauthorized use of a resource. In the security area, risk-level assessments have a broader use associated with relative priorities and mitigation plans for protecting an institution's information assets. This group will work closely with the data classification and IPAS group to make recommendations on using levels of assurance, vetting and proofing, etc. to recommend the process for assessing risk associated with transactions and data.
Members:
Jeffrey Campbell
John Gorman
Gary Grgurich
Kathy Kimball
Lorraina Miles
Steve Shala
This group will evaluate current policies related to identity and access management at Penn State making recommendations to changes or creation of policy and/or governance. More information is found via the Policy Framework section of the NMI Edit Enterprise Authentication Implementation Roadmap Web site, available in the Resources section of this Web site.
The consideration of required educational efforts will need to be included to ensure that the user community is educated and informed about the goals and deliverables of the IAM project--preparing them for a change that will affect the way they interact with the institution's systems.
Managers and policy makers, in particular, will need to understand the basics of Penn State's centralized authentication service and its implications for their respective departments. End-users will need to understand their responsibilities, roles, and the importance of maintaining secure credentials. Education and awareness methods could be in the form of presentations from key stakeholders or project staff, informational Web sites, online Q&A forums, blogs, or e-mail lists.
Members:
Lisa German
John Gorman
Kathy Kimball
Janice Pearce
Karen Schultz
Matt Weber
