Assurance of a user’s identity in an electronic system is required for many University business processes to function efficiently and effectively. As the risk associated with an electronic system increases, the required level of assurance in the identity of the user of the system also increases. The level of assurance is the product of identity administration processes (e.g. identity proofing, credential issuance, etc.) and electronic authentication processes (e.g. password-based authentication, two-factor authentication, etc.).
The Identity Assurance Framework (IAF) describes a new level of assurance system along with a risk assessment process that University departments can use to learn which authentication options are appropriate for their systems. The appropriate authentication option for an online system can be determined by using the three-step process explained in the IAF and outlined below.
- Step 1: Assess risks
- Step 2: Determine required level of assurance
- Step 3: Select an appropriate authentication option
Step 1: Assess Risk
System owner rates the risk level associated to an authentication failure when a user is able to authenticate as another user in their system within each of the six risk areas below.
- Inconvenience, distress, or damage to University standing or reputation
- Financial loss or University liability
- Harm to University programs or public interests
- Unauthorized release of sensitive or confidential information
- Personal safety
- Civil or criminal violations
The overall risk level of an authentication failure depends on the potential severity of harm posed by the risk and the likelihood that the risk will occur. It is possible that a risk area may not be applicable to a system or application.
Step 2: Determine required level of assurance
The overall risk levels determined in Step 1 are mapped by risk area to specific levels of assurance. The highest level of assurance identified in the mapping for a particular system determines the overall level of assurance required by that system.
Step 3: Select an appropriate authentication option
There are various centralized authentication options offered by the Identity and Access Management (IAM) Team that satisfy the requirements for each level of assurance. System owner selects the appropriate authentication option for their system and can request the integration from the IAM Team.
The IAM Team has developed the Identity Assurance Risk Assessment Questionnaire to assist University departments in completing the risk assessment process and determine the required assurance level for their system along with the respective authentications options. Please follow the link to get started with the Identity Assurance Risk Assessment Questionnaire.
More detailed information regarding the IAF can be found on this document.