Canadian Access Federation (CAF) SIRTFI Application
  • Canadian Access Federation - Security Incident Response Trust Framework for Federated Identity Application

  • This application is for current Canadian Access Federation (CAF) participants who have implemented Federated Identity Management Identity Provider (FIM IdP) and would like to add Security Incident Response Trust Framework for Federated Identity (SIRTFI) compliance.

    Not a CAF Participant? Learn more about becoming one here.

    Already a CAF Participant, but lacking FIM IdP? Submit a Service Amendment request. 

    Questions? Email the CAF Program.

  • Please complete the following fields:

  • Authorized Contacts

    All CAF Participants have established authorized contacts for the CAF Program. If you are not part of the authorized contact list, or if you are on the list but are not authorized to make service requests, we will share your application with the designated authorized contact to confirm this request.

  • Organization Type - please select:*
  • SIRTFI Attestation Requirements

  • Defining Your Security Protocols and Procedures

  • The goal of Operational Security (OS) is to manage access to information resources, maintain their availability and integrity, and maintain confidentiality of sensitive information.

    Please confirm that your organization's CAF Identity Provider and/or Service(s) comply with the SIRTFI Operational Security requirements by checking all applicable statements.

  • Security patches in operating systems and application software are applied in a timely manner.*
  • A process is used to manage vulnerabilities in software operated by the organization.*
  • Mechanisms are deployed to detect possible intrusions and protect information systems from significant and immediate threats.*
  • A user’s access rights can be suspended, modified, or terminated in a timely manner.*
  • Users and Service Owners (as defined by the Information Technology Infrastructure Library) within the organization can be contacted.*
  • Find the glossary of Information Technology Infrastructure Library terms here.

  • A security incident response capability exists within the organization with sufficient authority to mitigate, contain the spread of, and remediate the effects of a security incident.*
  • An Incident Response Assertion assumes that a security incident response capability exists within the organization. This section’s assertions describe your organization's interactions with other organizations participating in the SIRTFI trust framework.

    Please confirm that your CAF Entity will conform to the following Incident Response Assertions by checking all applicable statements.

  • The organization shall provide security incident response contact information as may be requested by CANARIE.*
  • The organization shall respond to requests for assistance with a security incident from other organizations participating in the SIRTFI trust framework in a timely manner.*
  • The organization shall be able and willing to collaborate in the management of a security incident with affected organizations that participate in the SIRTFI trust framework.*
  • The organization shall follow security incident response procedures established for the organization.*
  • The organization shall respect user privacy as determined by the organization's policies or legal counsel.*
  • The organization shall respect and use the Traffic Light Protocol (TLP) information disclosure policy.*
  • Please find the Traffic Light Protocol (TLP) information disclosure policy here. 

  • Security Incident Response Staff Information

    Please provide the contact information for the individual responsible for your organization's security incident response. It is your organization's responsibility to ensure that this contact information is kept current.

  • Traceability (TR) is the ability to answer the basic questions "who, what, where, and when" concerning a security incident. It requires retaining relevant system-generated information, including accurate timestamps and identifiers of system components and actors, for a period of time.

    As a CAF Entity, please confirm that your organization complies with the SIRTFI Traceability requirements by checking all applicable statements.

  • Relevant system-generated information, including accurate timestamps and identifiers of system components and actors, are retained and available for use in security incident response procedures.*
  • Information attested to in the previous statement is retained in conformance with the organization’s security incident response policy or practices.*
  • Participant Responsibilities [PR]: All participants (Identity Providers and Service Providers) in the Canadian Access Federation need to rely on appropriate behaviour.

  • Acceptable Use Policy (AUP): A documented policy that stipulates constraints and practices that a user must abide by in order to access the organization's IT network and services.

  • Is there a process/mechanism in place to ensure that all users are aware of and accept the requirement to abide by the AUP (i.e., during a registration or renewal process)?*
  • Next Steps

    The CAF Program Team will review your application and respond in approximately 1 week with next steps. 

    To follow up on the status of your application, please email canops@canarie.ca. 
