TFTM Sub-Committee 01-06

What do we need for the IDESG Trust Mark Program

Discussion Deck

TFTM Committee, April 16, 2014

What is a Trustmark? Definitions

• Used to indicate that a product or service provider has met the requirements of the Identity Ecosystem, as determined by an accreditation authority. (Source: NSTIC Strategy)

• Statement of conformance to a well-scoped set of identity trust and/or interoperability requirements. (Source: GTRI)

• Electronic labels or visual representations indicating that an e-merchant/service provider has demonstrated conformity to standards regarding, e.g., security, privacy, and business practice. (Source: European Consumers Centre Network)

• (E-commerce) An electronic commerce badge, image or logo displayed on a website to indicate that the website business has been shown to be trustworthy by the issuing organization. (Source: Techopedia)

• Many more…

What do these Trustmark Definitions have in common?

• Means for public recognition – “statement, label, representation, badge, image, logo, indication”

• Conformance requirements – “well-scoped set of requirements, identity Ecosystem requirements, trust standards”

• Determination of conformance – “statement of conformance, demonstrated conformity, has met the requirements, shown to be trustworthy”

Implied but not as clearly stated:

• Trust marks issued by 3rd-party to online service providers – “(Trust mark) accreditation authority, issuing organization”

What does IDESG need for a Trustmark Program?

• Set of well-scoped identity management requirements
    • At a minimum to address the NSTIC Guiding principles

• Means to determine/assert conformance to the defined requirements
    • Requirements expressed as assessment criteria
    • Assessment process
    • Assessors

• Means to indicate/recognize conformance assertion

• Trustmark issuing organization

Who can receive a Trustmark(s)?

• Potentially all participating service providers in the Identity Ecosystem (NSTIC Strategy)
    • IDPs
    • CSPs
    • Attribute Providers/Attribute Authorities
    • Relying Parties

• Other IE participants?
    • Identity media
    • Transaction hubs?
    • Trust brokers?

• Participants in Trust Frameworks but not necessarily TF Providers unless they are active participants

• Not end users/subjects

What should TFTM/IDESG do to establish requirements?

• Start with NSTIC Guiding Principles and derived requirements
    • Privacy/Voluntary, Secure/Resilient, Interoperable, Usability/Ease-of-Use
    • 34 derived requirements in 4 sets

• Coordinate with committees to analyze requirements in relation to functions in functional model
    • Modify, add, delete

• Compile and document as 4 core sets of requirements (aka, GTRI modular trust components)
    • TFTM Deliverable TFTM-01-04 NSTIC/IDESG Interim Requirements Catalog
    • Could be administered as 4, or more, separate trust marks (GTRI model)
    • Could be single NSTIC trust mark

• Determine if other requirements for specific communities/use cases should be added beyond core set
    • e.g., GTRI Pilot, COPPA, Patriot Act/Customer Information Programs, HIPAA, etc.

What should TFTM/IDESG do to assess conformance with requirements?

• Examine/analyze range of conformity assessment approaches
    • Task under TFTM 01-06
    • Self-assertion, self-certification, peer-peer assessment, independent 3rd party, audit
    • Entities/organizations performing IDM conformance assessments today
    • Qualified/approved assessors
    • IDESG capability to perform assessments
    • Recommend approaches for 2014, 2015 and beyond

• Map and assess IDESG core requirements against current TFP frameworks and conformity assessment procedures/criteria
    • Tasks for TFTM-01-05 and 01-06
    • Do current TF/TFP policies and procedures meet all IDESG requirements?
    • Can assessments performed by external TFPs be adopted by IDESG? (FICAM model)

What should TFTM/IDESG do to determine/validate conformance based on assessment results?

• Examine/analyze range of conformity approaches for conformance determination
    • Task under TFTM 01-06
    • Self-assertion, self-certification, peer-peer assessment, independent 3rd party, assessor/auditor
    • Entities/organizations performing IDM conformance assessments
    • Qualified/approved assessors
    • IDESG capability to perform assessments
    • Recommend approaches for 2014, 2015 and beyond

Should IDESG be a trust mark issuer?

• Examine/analyze trust mark issuer legal responsibilities and obligations
    • Task under TFTM 01-06

• Explore/analyze operational and legal options for trust mark issuance
    • Task under TFTM 01-06

• Make recommendation for IDESG trust mark issuance
    • 2014, 2015 and beyond

Next Steps Summary

1. Support the development and review of IDESG requirements (TFTM 01-04 & 05)
    • Identify common, core requirements for contribution to IDESG committees to develop requirements specific to their domains

2. Identify the priority components for the Identity Ecosystem Framework (01-03)

3. Examine options and make recommendation for approach for IDESG trust mark program conformance assessment for 2014, 2015 and beyond (TFTM 01-06)

4. Examine options and make recommendation for IDESG trust mark issuance for 2014, 2015 and beyond (TFTM 01-06)