Enabling a coordinated response to security incidents for identity federations.

The AAF is requesting that all organisations assert compliance with SIRTFI with respect to their Identity Provider and all of the federated services in operation. Once your organisation has made the assertion, there are a few simple steps to implement SIRTFI for individual services within an organisation.

1. Ensure your service is compliant

SIRTFI identifies four areas for compliance, shown in the graphic below, each of which is described in detail in The SIRTFI Framework (https://refeds.org/sirtfi).

2. Adding SIRTFI Security Contact information to your Service

Your organisation will have registered its security contacts. These contacts are found in the AAF Federation Registry at the organisational level and will automatically be used by the AAF for your service. You can add additional security contacts for your service by recording them in the Federation Registry. Note: you will require administrative access in FR to manage these contact details; contact support@aaf.edu.au to step up your administrators.

Steps to Add, Modify and Remove contacts within the AAF Federation Registry:

  • Log into the Federation Registry: https://manager.aaf.edu.au/federationregistry/
  • Or Test: https://manager.test.aaf.edu.au/federationregistry/
  • Select your service from the ones listed under “My Service Providers”. If it is unlisted, you will need to contact support@aaf.edu.au to request administrative access.
  • Click on “Contacts Tab” to list the current contacts.
  • Click “Add Contact” and enter the search criteria. If your contact appears, you can add them by clicking the “Add” button; if not, select “Create Contact” to add a new contact to the list. Note: After creating a new contact you must go back to search and add the contact.
  • Select the contact type from the drop-down list: choose “Security”.

Who to include as the security contact?

Your security contact may receive security related emails from time to time. You must select an appropriate person or group who can respond to such emails.

  • An appropriate security contact, such as an individual or generic contact, with existing security responsibility within an organisation or for your particular service
  • Existing incident response structures, including CERTs, may be leveraged where available
  • This contact will:
      • Use and respect the Traffic Light Protocol (TLP) during all incident response correspondence
      • Promptly acknowledge receipt of a security incident report
      • As soon as circumstances allow, investigate incident reports regarding resources, services, or identities for which they are responsible

Correspondence sent to your security contacts must not be publicly archived.