
InCommon Federation: Participant Operational Practices for Berkeley Lab

This page contains the disclosure of our participant operational practices for the InCommon Federation. Additional information about Federated Authentication is available here.


LBL: INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

1. Federation Participant Information

1.1a

The InCommon Participant Operational Practices information below is for:

Lawrence Berkeley National Laboratory

1.1b

The InCommon Participant Operational Practices Document is current as of:

December 13, 2007

1.2

Identity Management and/or Privacy information

Additional information about the Participant’s identity management practices and/or privacy policy regarding personal information can be found on-line at:

http://www.lbl.gov/CIO/Privacy/privacy-practices.html


1.3

Contact Information for IDM, Resource Access Policy or Practice

Information Technology Division: Identity, Cybersecurity, and Email Office

Email: idm@lbl.gov


2. Credential Provider Information


Community

2.1

Who is eligible to receive an identity and who may approve an exception?

Only LBNL Staff and LBNL Participating Guests (a defined category of formal participating collaborator) are eligible to receive an identity. Any exception to this policy must be approved by the Computer Protection Program Manager.

2.2

Who is asserted to be a “Member of Community”

LBNL Staff and LBNL Participating Guests are members of the community. LBNL Former Staff (X-Staff) are not members of the community in the sense of InCommon participation, though they are listed in the LBNL Directory.

Electronic Identity Credentials

2.3

How is an electronic identity created and what is the office of record for this?

Human Resources is the office of record for identity creation.  All records are created through this office, and are vetted through this office.  Identification is required during both initial identity creation and during credential issuance or reissuance.  The central IT organization is responsible for populating the identity management system from this data.


2.4

What types of identity credentials are issued?

Within the scope of our participation in InCommon, only username/password pairs are issued. All members of the community are eligible to receive these.

2.5

What security measures are in place to protect passwords?

Cleartext passwords have been forbidden by policy at LBL for quite some time.  Cleartext passwords are monitored for, and action is taken in response to any service accepting cleartext passwords.  The identity system itself is protected by a number of layered defenses and the system is Certified and Accredited per NIST 800-37.  The Certification and Accreditation process includes formal risk assessment, self-assessment, and external assessment.  The systems in question are continuously monitored for security issues and are subject to strong security policies.


2.6

How is Single Sign On Utilized and Protected?

SSO is implemented via CAS, as mediated by an enterprise portal, for some enterprise applications. The current session timeout is ten hours; however, the portal's integration with Shibboleth will not utilize this SSO route. Users may terminate the session through logout. Authentication against CAS is restricted to approved services.

2.7

Are identifiers unique?  Are they reused?

Identifiers are not reused.


Electronic Identity Database

2.8

How is identity information updated and managed?

Identity information is fed from authoritative HR databases.  Changes to HR systems are carefully controlled and logged.  Users can only change inconsequential parts of their identity records (telephone number, office location).


2.9

What information is public?

The following pieces of information are publicly accessible via the LBL Directory; however, their use for commercial and other purposes is restricted:

Name, Office Location, Office Phone, Division, Staff Type, Office Fax, Email.  The following may also be public at the discretion of the individual: Web Site, Cellular Phone, Alternate Phones.


Uses of Our Electronic Identity Credential System

2.10

How are identity credentials utilized?

Identity credentials are used for typical enterprise business and collaboration applications such as email and calendar.


Attribute Assertions

2.11

How reliable are our attribute assertions?

We consider our attribute assertions sufficient to:

[ X ]  control access to on-line information databases licensed to our organization.

[ X ]  be used to purchase goods or services for your organization, subject to purchasing rules.

[ X ] enable access to personal information such as student loan status.



Privacy Policy

2.12

What restrictions do we place on the use of attribute information that you might provide to other Federation participants?

Attribute information must not be retained for commercial purposes outside the narrow scope of the transaction between the provider and the member. Attribute information remains the property of the University of California.

2.13

What policies govern the use of attribute information?

Attribute information is not subject to any restrictions unless it is combined with protected personally identifiable information as defined in California SB 1386.  Attribute information alone does not contain this restricted information.


3. Resource Provider Information

At this time, LBNL is not acting as a resource provider within the context of the InCommon Federation.

4. Other Information

4.1

What technical standards and versions are utilized?

Shibboleth 1.X, SAML 1.X

4.2

What else should be considered?

In the case of any security-significant event which might reasonably endanger the security of the user’s personal information or the integrity of their system or authenticator, notify cppm@lbl.gov immediately.
