Security Incident Response Trust Framework for Federated Identity (Sirtfi)

The goal of Security Incident Response Trust Framework for Federated Identity (Sirtfi) compliance is to coordinate incident response across organizations that participate in identity federations such as the Canadian Access Federation (CAF). This assurance framework consists of a list of assertions to which an organization can attest in order to be declared Sirtfi compliant.

Sirtfi raises the bar in operational security by acting as an identifier to mark trusted partners within eduGAIN.

Compliance is expressed in metadata and gives a transparent view of those organizations willing to engage in collaborative, efficient, and effective incident response.

For research and education institutions:

Sirtfi compliance opens doors globally for your user community to access critical research and education resources, as more and more service providers choose to enable authentication based on this enhanced trust.

For service providers supporting the research and education community:

Sirtfi compliance strengthens your security practices and expands your services to users whose organizations only allow authentication of Sirtfi-compliant services.

A globally recognized trust framework

The Sirtfi framework is defined by GÉANT, the pan-European Research and Education Network, through its Research and Education Federations (REFEDS) Sirtfi working group.

Compliance Requirements

To be Sirtfi compliant, your organization must assert that it follows certain best practices in operational security, incident response, and traceability. Your organization must also have a published Acceptable Use Policy (AUP) and a process to ensure that all users are aware of, and accept, the requirement to abide by the AUP. A designated Sirtfi contact must also be identified and published in your organization’s metadata. Finally, you must operate the latest version of your Identity Provider software, one that is not known to have security vulnerabilities.

How comprehensively or thoroughly each asserted capability should be implemented across an organization’s information system assets is not specified. The investment in mitigating a risk should be commensurate with the degree of its potential impact and the likelihood of its occurrence, and this determination can only be made within each organization.

Learn more about Sirtfi from the REFEDS working group:

Apply for Sirtfi Compliance

To apply for Sirtfi compliance, please complete this application:

The application must be completed by your organization’s designated Canadian Access Federation (CAF) Signing Authority, Primary Business Contact, or Primary Technical Contact.

Once our team has received your submission, we will contact you within five (5) business days with next steps. If you have any questions, please contact us at [email protected].
