Incommon Participant Operational Practices (POP)

InCommon Participant Operational Practices information below is for StarRez, Inc.

1. Federation Participant Information

1.1 The InCommon Participant Operational Practices information below is for StarRez, Inc. and is accurate as of February 9, 2016.

1.2 Identity Management and/or Privacy information
Additional information about the Participant’s identity management practices and/or privacy policy regarding personal information can be found on-line at the following location(s).

URL(s) https://www.starrez.com/privacy-policy/

1.3 Contact information

The following person or office can answer questions about the Participant’s identity management system or resource access management policy or practice.

Name: Joe Lindwall
Title or role: Vice President
Email address: joel@starrez.com
Phone: +1 303 996 8399

2. Identity Provider Information

StarRez Inc. is a Service Provider.

3. Service Provider Information

Service Providers are trusted to ask for only the information necessary to make an appropriate access control decision, and to not misuse information provided to them by Identity Providers. Service Providers must describe the basis on which access to resources is managed and their practices with respect to attribute information they receive from other Participants.

3.1 What attribute information about an individual do you require in order to manage access to resources you make available to other Participants? Describe separately for each resource ProviderID that you have registered.

For StarRez Inc. service offerings (StarRez Web, Portal), at the very minimum, we need:

  • Primary identification such as id or e-mail address
    In some cases, to provide a fine-grained authorization functionality we might require:
  • Affiliation (e.g. student, staff, alumni)
    In order to create a user account in one of our systems we might also require:
  • First and Last name

3.2 What use do you make of attribute information that you receive in addition to basic access control decisions? For example, do you aggregate session access records or records of specific information accessed based on attribute information, or make attribute information available to partner organizations, etc.?

Additional attribute information could be used to create a new user account in the database which one of our products uses.
As per StarRez Inc. privacy policy, StarRez Inc. does not share any data beyond the provision of required customer services.

3.3 What human and technical controls are in place on access to and use of attribute information that might refer to only one specific person (i.e., personally identifiable information)? For example, is this information encrypted?

Only directory information will be stored. No personal attribute information is stored. Directory information is not stored in an encrypted database.

3.4 Describe the human and technical controls that are in place on the management of super-user and other privileged accounts that might have the authority to grant access to personally identifiable information.

StarRez Inc staff access to client services and systems is managed centrally by StarRez Inc’s Shibboleth and LDAP authentication services. All file exchanges (internally or with clients) use sFTP, VPN or other approved encrypting technologies. Clear text transactions are not permitted. All endpoints (StarRez Inc’s and clients’) must maintain current certificates. Application log files are securely retained to provide forensic evidence if needed for executive review of staff access.

All staff must agree to follow the credentialing requirements:

  • Maximum password age (days): 180
  • Minimum password length: 7
  • Length of password history maintained: 24

The StarRez Inc. Employee Handbook must be signed before employment begins includes a Confidentiality Agreement:

Information that pertains to StarRez Inc’s business, including all nonpublic information concerning the Company, its vendors and suppliers, is strictly confidential and must not be given to people who are not employed by StarRez Inc. Violation of these policies is grounds for dismissal.
Staff access to client services of all types ends immediately upon termination of employment with StarRez Inc.

Click here for a complete listing of members.

More StarRez InCommon Info

For more information on the StarRez InCommon Membership and how you can leverage the industry’s leading identity solution, please contact us.