This document provides some guidance on how an IDP can meet the audit requirements for the GSA profile as certified through OIX. OVERVIEW
Task 1: Select an Assessor
Pick an assessor and agree on an approximate price. One assessor you might use is John Steensen (email@example.com). The price will vary depending on how much information you can provide including similar industry assessments. The lowest price would be around $3-$5k USD.
Task 2: Document how you meet the certification requirements
Prepare the information required by Appendix B (which is a pointer to Tables 2, 3, and 7) of the OIX US ICAM TFP application and send that information to the assessor. You will find more details on this step in Appendix A below.
Task 3: Schedule interview call with the Assessor
If you provide that information, the assessor should need to schedule only one phone call to:
a) ask any clarifying questions about any of the documentation you provided him (directly or via pointers) or he has reviewed
b) ask you (or a security compliance expert at your company) any other questions that Tables 2/3/7 say the assessor is supposed to interview you about. The call need not be long or involved.
Task 4: Fill out the OIX forms
In parallel with the assessment, you should have your legal team review and sign the OIX Member Agreement & Application form. You will find more details on filling out the forms in Appendix B below. You will also need to work with the OIX organization to establish a purchase order to pay your OIX fees, assuming you pass your assessment.
Appendix A - Task 2: Document how you meet the certification requirements
a1,2,4-If you are a public company, you can usually refer to your investor relations site, e.g. http://investor.google.com/.
a3,5-Provide a signed copy of the OIX Member Agreement & Application form.
a6,7,8-Provide a SAS70 or similar certification if they are available, e.g. http://www.google.com/support/a/bin/answer.py?hl=en&answer=138340. Most large companies have a central security and/or SOX/compliance team who will know what certifications the company has already passes. Those certifications can be shared under NDA with the assessor. The assessor will not need to share those certifications with the OIX, it is just their job to confirm that your company has met those requirements.
a,b,d-The assessor can normally test the IDP endpoint directly. It also helps to provide public documentation of how your IDP operates, e.g. http://code.google.com/apis/accounts/docs/OpenID.html#gsa as well as the more general API description at http://code.google.com/apis/accounts/docs/OpenID.html.
For both tables a & b, the assessor can normally test the IDP endpoint directly to evaluate many of the requirements. It also helps to provide public documentation of how your IDP operates, e.g. http://code.google.com/apis/accounts/docs/OpenID.html#gsa as well as the more general API description at http://code.google.com/apis/accounts/docs/OpenID.html.
You also need to affirmatively state that your company protects against brute force password guessing by following industry guidelines. Specify some of the techniques from those guidelines that you use, and/or assert that you implement similar techniques.
2-Assert your use of HTTPS in logins, account creation, and OpenID, and that your other certifications show that you provide reasonable physical/logical security.
3,5-Assert you follow industry best practices for account registration flows such as storing a salted hash of the passwords of users, providing guidance to users on password quality, and optionally verifying a user’s email address by sending a one-time URL to the email address which they must click.
4-Assert you follow industry best practices for handling forgotten passwords. In particular, do you avoid emailing the user a clear-text copy of their current/new password and instead require the user to visit the IDP directly to verify their identity, and then specify a new password. One common industry practice is sending a one-time URL to the email address that was used to register the account. For IDPs who are email providers, password recovery is normally handled using online knowledge questionnaires or help desks.
1-Assert your use of HTTPS in OpenID
2-Refer to any work your company does to reduce phishing, whether through user-education or automated tools
3-Refer to your previous statement on protecting against brute force password guessing
1,2-Refer to the same certifications used for Table2 questions a6,7,8.
1-Refer to your previous statement on protecting against brute force password guessing
2,3,4-Assert your use of OpenID 2 and optionally refer to your OpenID API documentation
1-Refer to your previous statement on protecting against brute force password guessing and assert that you meet the Level1 authentication scheme
Appending B - Task 4: Fill out the OIX forms
The primary form that requires any detail is Appendix B of the Membership Form. As an IDP, you only need to fill out section 1A. Below is an example of how you might fill it out.
Part IA: OIX Listing Information
LISTED MEMBERSHIP SELECTION
Selected OIX Listed Trust Framework:
GSA OpenID Profile
Selected Levels of Assurance:
Selected Levels of Protection:
Selected Technical Profiles:
Selected OIX Listed Assessor:
John Steensen, MBA, CISA
Spatial Dynamics Corporation
LISTED MEMBERSHIP CONTACT(S)
Select at least one of the checkboxes below (you may check as many as desired):
X Listed Membership Contact
LISTED MEMBERSHIP CONTACT INFORMATION
Fill in this section only if you checked “Listed Membership Contact” above.
Name: Eric Sachs
Title: Product Manager
Email Addresses: firstname.lastname@example.org
Telephone Numbers: 650-253-5986
Mailing Addresses: 1600 Amphitheatre Parkway, Mountain View, CA