UCTrust Basic certification audits - Proposal to the ITLC, March 2010

Recent discussions within UCITPS and the UCTrust Work Group have highlighted the fact that a number of campuses are currently due for the audits of identity management practice, as required by UCTrust's Basic level of assurance.  These campuses are:

• UC Davis
• UC Irvine
• UC Los Angeles
• UC Merced
• UC Riverside
• UC San Diego

By the end of 2010, all UC locations but UCSF,  UCSB, and LBNL will be due for audits.

Additionally,

• These will be the first UCTrust audits.  Because identity management processes overlap other University processes, such as employee hiring and student admission, it will be important to establish a common framework for the audits.  Even though the requirements for UCtrust are well-documented, time and effort will be required to do this.
• InCommon will soon launch its Silver assurance level.  InCommon Silver's requirements are very similar to UCTrust Basic's, except that InCommon Silver requires an initial audit before certification.  InCommon's audit framework is complete, although has not been utilized yet.
• NIH and NSF plan to integrate their research administration applications with InCommon Silver later this year.  For this reason, we believe all campuses will plan to certify for InCommon Silver.

The UCTrust Work Group and UCITPS propose that the UCTrust audit requirement be deferred until an assessment of the applicability of InCommon Silver's audit requirements to UCTrust can be made.  The Berkeley and Davis campuses tentatively plan to perform their InCommon Silver audits during the 2010 calendar year, after which the UCTrust Work Group will convene a group of UCTrust and UCITPS representatives to recommend a certification plan for both UCTrust Basic and InCommon Silver, with the goal of minimizing or eliminating a separate UCTrust Basic certification process.