IDENTITY AND ACCESS MANAGEMENT - GOVERNANCE AND POLICY FOCUS GROUP
POLICY GAP ANALYSIS

Policy Reviewed: AD24 – ID Cards for Students, Faculty/Staff, Affiliates and Retirees

Each entry below names the issue examined, followed by the finding against AD24.

Governance Oversight Body: ID Card Committee

Scope of Policy: University Wide

Life Cycle - Affiliations
- Definition of identity (may be an electronic identity that is used by people to access services, or just an identity in a Penn State system): Five types of IDs for Students, Faculty/Staff, Faculty/Staff/Students, Retirees, and Affiliates.
- Definition of relationship: Definitions of each of the 5 types of cards; the affiliate group is loose and can include "Other individuals having some legitimate affiliation with the University and to the privileges the Photo ID provides."
- Policy for the creation of a new relationship category (who can create a new category or disable an existing one?) and assigning stewardship: The ID-Card issuing office is the entity that can create a new category (section entitled Types of Cards).
- Policy for assigning individuals to specific relationship categories (who can make new assignments, deactivate assignments and reactivate; in some instances these may be automated): The HR office in the area in which the individual is working begins the process by creating an authorization form for the ID; unclear who is responsible for status changes.
- Policy for preservation of an individual's relationship history (what relationships at what time intervals): Not Addressed.
- Policy for the creation of an identity and assigning it: Only authorized University ID Offices are permitted to produce and issue ID+ cards (could be to non-Penn Staters).
- Policy for acceptance of non-Penn State identities (federation or other forms of trust): Partially Addressed; policies are needed to deal with affiliates such as personnel at Mt. Nittany Medical Center, visiting scholars, Research Park affiliates, Village at Penn State residents, etc.
- Synchronization of Systems: Not Addressed.
- Pre-ID (giving access before official documentation is completed): Not Addressed.

Vetting, Proofing and Registration
- Credential Issuance (Registration; Issuance; Classes of Identification Required, by Trust Level; Individual Accountability; Uniqueness of User IDs): Policy states, "An individual may possess only one active University id+ card at a time."
- Trusted Credential Requirements (Mandatory adherence): Not addressed.
- Authentication (User Selected PIN; Password (entropy); Soft Token; One-time Password; Device token; Hard Token; information must be encrypted in storage and transmission): Not addressed.
- Management (Re-Certification; Revocation; Auditing; Reassigning authentication): Nothing in policy detailing re-certification; the ID can be revoked if someone else presents the ID or if the card is involved in inappropriate or illegal use (Use of Card section).
- Registration Authorities (Certification & Training): Nothing about training; only the ID+ office or the Hershey Medical Center Security Dept. can issue a card.
- Levels of Assurance:
  - Trust Level: Need to come in person and present ID.
  - Additional security controls: Not addressed.
  - Trust Classifications: Not addressed.

Data Classification: Not Addressed.

Risk Assessment
- Risk of Authentication Errors (Impact; Likelihood): Could be high impact.
- Information Owner's Assessment of risk: Not addressed.
- Trust level determination as required by regulation, affiliation, law, or internal policy: "All id+ cards remain the property of The Pennsylvania State University and are non-transferable." Nothing refers to any laws.
- Law and other requirements (PCI DSS; HIPAA; FERPA; GLBA; NCAA, Big Ten): Not addressed.
- Risk related to identity control; risk control by access logging requirements: Not Addressed.
- Lack of Compliance (internal consequences; external requirements) and Access Control through account termination (normal course of business; immediate action required by law or regulation): No immediate action taken by law. "Fraudulent use of card will result in disciplinary action" but not legal action (Use of Card section).
- New business process or system implementation (pre-planning security and risk assessment process; ongoing life cycle security and risk assessment): Not Addressed.

Incident Response (Incident identification; Incident response plan implementation; Notification requirements; Federated responses): Minor incident response plan; "contact the ID+ office immediately" in the Card Issuance section.

Federations (ID assertion to outside entities; Penn State ID recognized; Other): Not Addressed.

End-user Policy (Accountability; Sanctions; Enforcement): Sanctions spelled out; enforcement vague.

Management Policy (Contracts for non-workforce members?): Not Addressed.

Auditing and Logging; Retention Policies: Not Addressed.