From:     David Walker <DHWalker@UCDAVIS.EDU>
To:     UCIDMGMT-L@LISTSERV.UCOP.EDU <UCIDMGMT-L@LISTSERV.UCOP.EDU>
Subject:     Audit requirements for UCTrust Basic and InCommon Silver
Date:     03/02/2010 10:22:58 AM

Everyone,

As mentioned earlier, Arlene Allen, Bob Ono, Karl Heins, Albert Wu, Eric Goodman, and I have been working to produce a proposed approach to the audit requirements for UCTrust Basic and InCommon Silver.  That proposal follows at the end of this meeting.

Please look it over and send comments to the list by Monday, March 8.  We are also asking for feedback from UCITPS.  Assuming there are no showstoppers, we'll plan to forward the proposal to the ITLC, as UCTrust's governing body, later that week.

David

Recent discussions within UCITPS and the UCTrust Work Group have highlighted the fact that a number of campuses are currently due for the audits of identity management practice, as required by UCTrust's Basic level of assurance.  These campuses are:

• UC Davis
• UC Irvine
• UC Los Angeles
• UC Merced
• UC Riverside
• UC San Diego

By the end of 2010, all UC locations but UCSF,  UCSB, and LBNL will be due for audits.

Additionally,

• These will be the first UCTrust audits.  Because identity management processes overlap other University processes, such as employee hiring and student admission, it will be important to establish a common framework for the audits.  Even though the requirements for UCtrust are well-documented, time and effort will be required to do this.
•  InCommon will soon launch its Silver assurance level.  InCommon Silver's requirements are very similar to UCTrust Basic's, except that InCommon Silver requires an initial audit before certification.  InCommon's audit framework is complete, although has not been utilized yet.
• NIH and NSF plan to integrate their research administration applications with InCommon Silver later this year.  For this reason, we believe all campuses will plan to certify for InCommon Silver.

The UCTrust Work Group and UCITPS propose that the UCTrust audit requirement be deferred until an assessment of the applicability of InCommon Silver's audit requirements to UCTrust can be made.  The Berkeley and Davis campuses tentatively plan to perform their InCommon Silver audits during the 2010 calendar year, after which the UCTrust Work Group will convene a group of UCTrust and UCITPS representatives to recommend a certification plan for both UCTrust Basic and InCommon Silver, with the goal of minimizing or eliminating a separate UCTrust Basic certification process.