Canadian Access Federation (CAF) SIRTFI Application

This application is for current Canadian Access Federation (CAF) participants who have implemented Federated Identity Management Identity Provider (FIM IdP) and would like to add Security Incident Response Trust Framework for Federated Identity (SIRTFI) compliance.

Not a CAF Participant? Learn more about becoming one here.

Already a CAF Participant, but lacking FIM IdP? Submit a Service Amendment request.

Questions? Email the CAF Program.

Please complete the following fields:

Organization Name*

Applicant Information*

First NameLast Name

Applicant Job Title*

Applicant Email Address*

Authorized Contacts

All CAF Participants have established authorized contacts for the CAF Program. If you are not part of the authorized contact list, or if you are on the list but are not authorized to make service requests, we will share your application with the designated authorized contact to confirm this request.

Organization Type - please select:*

Canadian post-secondary institutionGovernment department/agencyCanadian municipality, or public venue (e.g. a hospital, library, airport, museum, transit authority, arena, etc.) seeking to broadcast eduroamPrivate-sector organization supporting the Canadian research and education communityNon-profit organization supporting the Canadian research and education communityOther

Please share your Primary Web Domain*

(e.g., universityname.ca)

For which of your organization’s entity IDs (Identity Provider and/or service(s)) would you like to assert SIRTFI compliance? (max. of 500 characters)*

Example: https://idp.XX.net/idp/shibboleth

Please identify your Identity Provider (IdP) and version:*

For example: Shibboleth v.4.3.3.

The goal of Operational Security (OS) is to manage access to information resources, maintain their availability and integrity, and maintain confidentiality of sensitive information.

Please confirm that your organization's CAF Identity Provider and/or Service(s) comply with the SIRTFI Operational Security requirements by checking all applicable statements.

Security patches in operating systems and application software are applied in a timely manner.*

YesNo

A process is used to manage vulnerabilities in software operated by the organization.*

YesNo

Mechanisms are deployed to detect possible intrusions and protect information systems from significant and immediate threats.*

YesNo

A user’s access rights can be suspended, modified, or terminated in a timely manner.*

YesNo

Users and Service Owners (as defined by the Information Technology Infrastructure Library) within the organization can be contacted.*

YesNo

Find the glossary of Information Technology Infrastructure Library term here.

A security incident response capability exists within the organization with sufficient authority to mitigate, contain the spread of, and remediate the effects of a security incident.*

YesNo

An Incident Response Assertion assumes that a security incident response capability exists within the organization. This section’s assertions describe your organization's interactions with other organizations participating in the SIRTFI trust framework.

Please confirm that your CAF Entity will conform to the following Incident Response Assertions by checking all applicable statements.

The organization shall provide security incident response contact information as may be requested by CANARIE.*

YesNo

The organization shall respond to requests for assistance with a security incident from other organizations participating in the SIRTFI trust framework in a timely manner.*

YesNo

The organization shall be able and willing to collaborate in the management of a security incident with affected organizations that participate in the SIRTFI trust framework.*

YesNo

The organization shall follow security incident response procedures established for the organization.*

YesNo

The organization shall respect user privacy as determined by the organization's policies or legal counsel.*

YesNo

The organization shall respect and use the Traffic Light Protocol (TLP) information disclosure policy.*

YesNo

Please find the Traffic Light Protocol (TLP) information disclosure policy here.

Security Incident Response Staff Information

Please provide the contact information for the individual responsible for your organization's security incident response. It is your organization's responsibility to ensure that this contact information is kept current.

Security Incident Response Staff Name*

First NameLast Name

Security Incident Response Staff Job Title*

Security Incident Response Staff Email*

example@example.com

Security Incident Response Staff Number*

Area CodePhone Number. Include extension, if applicable.

Traceability (TR) is the ability to answer the basic questions "who, what, where, and when" concerning a security incident. It requires retaining relevant system-generated information, including accurate timestamps and identifiers of system components and actors, for a period of time.

As a CAF Entity, please confirm that your organization complies with the SIRTFI Traceability requirements by checking all applicable statements.

Relevant system-generated information, including accurate timestamps and identifiers of system components and actors, are retained and available for use in security incident response procedures.*

YesNo

Information attested to in the previous statement is retained in conformance with the organization’s security incident response policy or practices.*

YesNo

Participant Responsibilities [PR]: All participants (Identity Providers and Service Providers) in the Canadian Access Federation need to rely on appropriate behaviour.

Please provide the link to your organization's "Acceptable Use Policy (AUP)".*

Acceptable Use Policy (AUP): A documented policy that stipulates constraints and practices that a user must abide by in order to access the organization's IT network and services.

Is there a process/mechanism in place to ensure that all users are aware of and accept the requirement to abide by the AUP (ie. during a registration or renewal process)?*

YesNo

Please describe this process (max. of 500 characters):*

0/500

Next Steps

The CAF Program Team will review your application and respond in approximately 1 week with next steps.

To follow up on the status of your application, please email canops@canarie.ca.

Canadian Access Federation - Security Incident Response Trust Framework for Federated Identity Application

SIRTFI Attestation Requirements

Defining Your Security Protocols and Procedures