The SWAMID Incident Management Procedures should be followed when a suspected security incident at a Federation Participant is expected to affect other Federation Participants. More specifically, the procedures applies to all suspected federated security incidents unless their extent is known, contained within the Federation Participant and cannot affect any other party. In addition to federated identities, threats to federated entities such as Identity Providers, Service Providers, Attribute Authorities and federation infrastructure such as Metadata repositories are also in scope.
Federation Participants and the Federation Operator are mutually responsible for diagnosing and resolving the ongoing security incident by ensuring that it is contained, coordinating the response between the affected parties, tracking the progress of the incident response process, disseminating information, and providing expertise and guidance. In case of a security incident suspected to affect other federations or their participants, their security procedures should be respected.
The Federation Operator and any affected Interfederation Operators’ security function (for example the eduGAIN Security Team for the interfederation eduGAIN) are expected to marshal concerned Federation Participants and Federation Operators to participate in the response to a security incident.
Federation Participants report in-scope incidents to their Federation Operator, and the Federation Operator reports in-scope incidents to the Interfederation Operators’ security function. Centralising incident awareness in this manner improves the chance that other affected parties can be identified and alerted sooner than might otherwise occur, much as a University CSIRT would wish departments within the University to notify them rather than silently resolve just that portion of the incident visible within their department.
The incident management procedures use the Traffic Light Protocol (TLP, https://www.first.org/tlp/), as defined by REFEDS Sirtfi, to mark information being shared according to its sensitivity and the audience with whom it may be shared. Specified TLP rules have to be strictly abided during any communication.
Security Incident Response Procedures
All ongoing suspected security incidents posing a risk to any Federation Participants within or outside the SWAMID Identity Federation is subject to these procedures.
The SWAMID Incident Management Procedures (including additional information) are described in a PDF-document and must be read and followed for a suspected security incident.
The diagram below shows the correlation between all steps and involved parties for when a suspected security incident is in progress.