Security Incident Response Trust Framework for Federated Identity (Sirtfi)

Compliance is expressed in metadata and gives a transparent view of those organizations willing to engage in collaborative, efficient, and effective incident response.

A globally recognized trust framework

The Sirtfi framework is defined by GÉANT, the pan-European Research and Education Network, through its Research and Education Federations (REFEDS) Sirtfi working group.

Compliance Requirements

To be Sirtfi compliant, your organization must assert that they follow certain best practices in operational security, incident response, and traceability. Your organization must also have a published Acceptable Use Policy (AUP) and a process to ensure that all users are aware of and accept the requirement to abide by the AUP. A designated Sirtfi contact must also be identified and published in your organization’s metadata. You must also operate the latest version of Identity Provider software that is not known to have security vulnerabilities.

How comprehensively or thoroughly each asserted capability should be implemented across an organization’s information system assets is not specified. The investment in mitigating a risk should be commensurate with the degree of its potential impact and the likelihood of its occurrence, and this determination can only be made within each organization.

Learn more about Sirtfi from the REFEDS working group: https://refeds.org/sirtfi

Apply for Sirtfi Compliance

To apply for Sirtfi compliance, please complete this application:

The application must be completed by your organization’s designated Canadian Access Federation (CAF) Signing Authority, Primary Business Contact, or Primary Technical Contact.

Once our team has received your submission, we will contact you within five (5) business days with next steps. If you have any questions, please contact us at canops@canarie.ca.