What is SIRTFI


The Security Incident Response Trust Framework for Federated Identity (Sirtfi) aims to enable the coordination of incident response across federated organisations.  

    

The AAF is part of the international SIRTFI framework for managing information security incidents.   

   

SIRTFI organisations agree to participate in a federated incident response capability. When a security incident occurs, there is a particular process which is outlined in the SIRTFI information and relevant contact people within a particular organisation for IdP’s and SP’s to provide and receive assistance. 



SIRTFI relates to security assurance - it does not relate to identity assurance. Organisations self-assess their security incident capability across the following areas:



These are broken into the following incidents, requirements and relevant responses:




SIRTFI uses Traffic Light Protocol (TLP) to ensure security incident response information is only shared with appropriate audiences.


For more information, see the Official SIRTFI website


How do I choose a security contact?

The SIRTFI wiki contains guidance on how to choose a security contact.


SIRTFI FAQ:

To be read in conjunction with the REFEDS SIRTFI FAQ.


(for subscribers)

How to choose a security contact?

Can the contact be a group or individual?

See the REFEDS guidelines for choosing a security contact.


What are the SIRTFI contact responsibilities?

SIRTFI contacts are expected to:

  • Use and respect the Traffic Light Protocol (TLP) for all incident response correspondence.
  • Promptly acknowledge receipt of a security incident report
  • As soon as circumstances allow, investigate incident reports regarding resources, services, or identities for which they are responsible.



How do I assess SIRTFI compliance?

Compliance is self-assessed and asserted. Peer reviews and/or audits are not required.

The AAF does not verify SIRTFI compliance; we only add the appropriate elements to the entity's metadata on request.

Organisations with ISO27001 (or similar) certifications may already possess the necessary requirements for SIRTFI compliance.



How do I show that my entity follows SIRTFI?

Subscribers should be familiar with the Sirtfi v1.0 Framework before contacting AAF Support. Additional information is on the Sirtfi wiki and REFEDS Sirtfi page before contacting AAF Support.

If you meet the requirements, contact AAF Support and request the SIRTFI be added to your entity's registration.


The request MUST:

  • Include an entityID for a registered entity (or be part of a registration request). AAF provides guidance on How to verify your entityID.
  • Be requested by an authorised contact. In the case of an existing entity, this is the administrative contact for the entity or Management Contact for the organization. New registration requests must always come from an organization's Management Contact. A description of the various roles is available here.
  • Include a claim that the entity has passed a self-assessment of Sirtfi v1.0
  • Provide one or more security contacts MUST be provided. These are the point of contact to request a security incident response, and can be service functions such as "Security Operations" or email addresses for individuals. The security contact details are published in metadata. The SIRTFI wiki contains guidance on how to choose a security contact.


AAF Support will review your request. Once approved by the AAF we will add the SIRTFI entity category and security contact details to your registration in accordance with the SIRTFI Identity Assurance Certification Description.


What is the security incident response process? What assistance do I need to provide?

The SIRTFI Framework states: [IR2] Respond to requests for assistance with a security incident from other organisations participating in the SIRTFI trust framework in a timely manner.

There are no SLAs. The assistance you provide should be in-line with the current processes, turnaround times and usual business operations that your customers/subscribers are expecting to receive if a security incident occurs.


Which organisations are SIRTFI-compliant?

CERN have developed a SIRTFI compliance tool that looks for SIRTFI assertions and shows a count of SIRTFI compliant organisations.


Where can I find more information on the individual SIRTFI assertions?

See the REFEDS SIRTFI assertion FAQ


How to implement SIRTFI:


To use SIRTFI, IdPs and SPs must:

  1. Read and understand the SIRTFI framework requirements.
  2. Self-asses their organisational capability.
  3. Nominate a security contact point (individual, group or external contact sch as NREN CERT) for your entity.
    Guidance on selecting a security contact is also available.
  4. Sign and return the AAF SIRTFI compliance statement
  5. Add SIRTFI extensions to the IdP/SP metadata. See https://wiki.refeds.org/display/STAN/Security+Contact+Metadata+Extension+Schema for more information.
  6. Publish SIRTFI metadata.


Choosing a Sirtfi Contact


Who should I choose as my Sirtfi contact?

The purpose of this page is to assist you in selecting a Sirtfi contact for your entity. Your federation operators may provide valuable recommendations – be sure to liaise with them for guidance.

  • The Sirtfi contact should be  an individual or group who has agreed to perform the incident response obligations of the Sirtfi Framework on behalf of the entity.
  • Existing incident response  structures, including CERTs, may be leveraged where available.

Icon 

Correspondence sent to the Sirtfi contact must not be publicly archived.


A flow chart has been provided to describe the thought process for choosing a Sirtfi contact.




Example Sirtfi contact choices 

By liaising with your federation operators, you should be able to gauge which potential Sirtfi contact is best placed to be the initial point of contact during federated incident response. Consider the expertise, availability and mandate of candidates when making your decision. 


The table below provides some example choices of Sirtfi contact.


Model
Possible Choice

Entity in federation with centralised incident response support

External security team – Federation

Entity in e-infrastructure with centralised support

External  security team – e-Infrastructure

Entity within organisation with federation aware security team

Organisation’s security team

Mature entity with security conscious entity support

Entity’s support team or individual

Small scale entity

Individual with appropriate knowledge 



What are the expectations on the Sirtfi contact?

The Sirtfi contact will:

  • Use and respect the Traffic Light Protocol (TLP) during all incident response correspondence
  • Promptly acknowledge receipt of a security incident report
  • As soon as circumstances allow, investigate incident reports regarding resources, services, or  identities for which they are responsible


Which information is required?

The following fields are mandatory for a Sirtfi contact:

  • GivenName
  • EmailAddress


Can additional information be included?

Additional fields, such as telephone numbers or secondary email addresses, may be added if desired. Only fields from the OASIS Standard for contactType may be added.



SIRTFI – More Information

SIRTFI uses Traffic Light Protocol (TLP) to ensure security incident response information is only shared with appropriate audiences.

 

For more information, see the Official SIRTFI website

 

How do I choose a security contact?

The SIRTFI wiki contains guidance on how to choose a security contact.

 

SIRTFI FAQ:

To be read in conjunction with the REFEDS SIRTFI FAQ.

 

Which organisations are SIRTFI-compliant?

CERN have developed a SIRTFI compliance tool that looks for SIRTFI assertions and shows a count of SIRTFI compliant organisations.

 

Where can I find more information on the individual SIRTFI assertions?

See the REFEDS SIRTFI assertion FAQ