TFTM Sub-Committee 01-06 What do we need for the IDESG Trust Mark Program Discussion Deck TFTM...
IDESG TFTM Committee 1
TFTM Sub-Committee 01-06
What do we need for the IDESG Trust Mark Program
Discussion Deck
TFTM Committee
April 16, 2014
4-16-2014

What is a Trustmark? Definitions
• Used to indicate that a product or service provider has met the requirements of the Identity Ecosystem, as determined by an accreditation authority. (Source: NSTIC Strategy)
• Statement of conformance to a well-scoped set of identity trust and/or interoperability requirements. (Source: GTRI)
• Electronic labels or visual representations indicating that an e-merchant/service provider has demonstrated conformity to standards regarding, e.g., security, privacy, and business practice. (Source: European Consumers Centre Network)
• (E-commerce) An electronic commerce badge, image or logo displayed on a website to indicate that the website business has been shown to be trustworthy by the issuing organization. (Source: Techopedia)
• Many more…

What do these Trustmark Definitions have in common?
• Means for public recognition – “statement, label, representation, badge, image, logo, indication”
• Conformance requirements – “well-scoped set of requirements, identity Ecosystem requirements, trust standards”
• Determination of conformance – “statement of conformance, demonstrated conformity, has met the requirements, shown to be trustworthy”
Implied but not as clearly stated:
• Trust marks issued by 3rd-party to online service providers – “(Trust mark) accreditation authority, issuing organization”

What does IDESG need for a Trustmark Program?
• Set of well-scoped identity management requirements
  - At a minimum to address the NSTIC Guiding principles
• Means to determine/assert conformance to the defined requirements
  - Requirements expressed as assessment criteria
  - Assessment process
  - Assessors
• Means to indicate/recognize conformance assertion
• Trustmark issuing organization

Who can receive a Trustmark(s)?
• Potentially all participating service providers in the Identity Ecosystem (NSTIC Strategy)
  - IDPs
  - CSPs
  - Attribute Providers/Attribute Authorities
  - Relying Parties
• Other IE participants?
  - Identity media
  - Transaction hubs?
  - Trust brokers?
• Participants in Trust Frameworks but not necessarily TF Providers unless they are active participants
• Not end users/subjects

What should TFTM/IDESG do to establish requirements?
• Start with NSTIC Guiding Principles and derived requirements
  - Privacy/Voluntary, Secure/Resilient, Interoperable, Usability/Ease-of-Use
  - 34 derived requirements in 4 sets
• Coordinate with committees to analyze requirements in relation to functions in functional model
  - Modify, add, delete
• Compile and document as 4 core sets of requirements (aka, GTRI modular trust components)
  - TFTM Deliverable TFTM-01-04 NSTIC/IDESG Interim Requirements Catalog
  - Could be administered as 4, or more, separate trust marks (GTRI model)
  - Could be single NSTIC trust mark
• Determine if other requirements for specific communities/use cases should be added beyond core set
  - e.g., GTRI Pilot, COPPA, Patriot Act/Customer Information Programs, HIPAA, etc.

What should TFTM/IDESG do to assess conformance with requirements?
• Examine/analyze range of conformity assessment approaches
  - Task under TFTM 01-06
  - Self-assertion, self-certification, peer-peer assessment, independent 3rd party, audit
  - Entities/organizations performing IDM conformance assessments today
  - Qualified/approved assessors
  - IDESG capability to perform assessments
  - Recommend approaches for 2014, 2015 and beyond
• Map and assess IDESG core requirements against current TFP frameworks and conformity assessment procedures/criteria
  - Tasks for TFTM-01-05 and 01-06
  - Do current TF/TFP policies and procedures meet all IDESG requirements?
  - Can assessments performed by external TFPs be adopted by IDESG? (FICAM model)

What should TFTM/IDESG do to determine/validate conformance based on assessment results?
• Examine/analyze range of conformity approaches for conformance determination
  - Task under TFTM 01-06
  - Self-assertion, self-certification, peer-peer assessment, independent 3rd party, assessor/auditor
  - Entities/organizations performing IDM conformance assessments
  - Qualified/approved assessors
  - IDESG capability to perform assessments
  - Recommend approaches for 2014, 2015 and beyond

Should IDESG be a trust mark issuer?
• Examine/analyze trust mark issuer legal responsibilities and obligations
  - Task under TFTM 01-06
• Explore/analyze operational and legal options for trust mark issuance
  - Task under TFTM 01-06
• Make recommendation for IDESG trust mark issuance 2014, 2015 and beyond

Next Steps Summary
1. Support the development and review of IDESG requirements (TFTM 01-04 & 05)
   - Identify common, core requirements for contribution to IDESG committees to develop requirements specific to their domains
2. Identify the priority components for the Identity Ecosystem Framework (01-03)
3. Examine options and make recommendation for approach for IDESG trust mark program conformance assessment for 2014, 2015 and beyond (TFTM 01-06)
4. Examine options and make recommendation for IDESG trust mark issuance for 2014, 2015 and beyond (TFTM 01-06)