Security Incident Response Trust Framework for Federated Identity (Sirtfi)
Compliance is expressed in metadata and gives a transparent view of those organizations willing to engage in collaborative, efficient, and effective incident response.
For research and education institutions:
Sirtfi compliance opens doors globally for your user community to access critical research and education resources, as more and more service providers choose to enable authentication based on this enhanced trust.
For service providers supporting the research and education community:
Sirtfi compliance strengthens your security practices and expands your services to users whose organizations only allow authentication of Sirtfi-compliant services.
A globally recognized trust framework
To be Sirtfi compliant, your organization must assert that it follows certain best practices in operational security, incident response, and traceability. Your organization must also have a published Acceptable Use Policy (AUP) and a process to ensure that all users are aware of and accept the requirement to abide by the AUP. A designated Sirtfi contact must also be identified and published in your organization’s metadata. You must also operate the latest version of Identity Provider software that is not known to have security vulnerabilities.
How comprehensively or thoroughly each asserted capability should be implemented across an organization’s information system assets is not specified. The investment in mitigating a risk should be commensurate with the degree of its potential impact and the likelihood of its occurrence, and this determination can only be made within each organization.
Learn more about Sirtfi from the REFEDS working group: https://refeds.org/sirtfi
Apply for Sirtfi Compliance
To apply for Sirtfi compliance, please complete this application:
The application must be completed by your organization’s designated Canadian Access Federation (CAF) Signing Authority, Primary Business Contact, or Primary Technical Contact.
Once our team has received your submission, we will contact you within five (5) business days with next steps. If you have any questions, please contact us at email@example.com.