UNCLASSIFIED

COMMERCIAL SERVICE PROVIDER ASSURANCE FRAMEWORK

Final Draft Assurance Framework, September 2012



Contents

EXECUTIVE SUMMARY (p. 3)
1. Introduction (p. 4)
2. Purpose and Principles (p. 6)
3. Compliance Checklist (p. 7)
    Data Vault/Mailbox Requirements (p. 7)
    Authentication Requirements (p. 11)
    Data Verification Service Requirements (p. 13)
4. Assurance Framework (p. 14)
    Risk Management (p. 14)
    Security Risk Management (p. 16)
    Commercial Providers (p. 20)
        Privacy (p. 20)
        Security (p. 21)
    Authentication Services (p. 24)
        Privacy (p. 24)
        Security (p. 25)
    Data Verification Services (p. 25)
        Privacy (p. 26)
        Security (p. 26)
        Legal (p. 26)
    Conformity Assessment (p. 26)
    Information Assurance – Capability Maturity (p. 28)
5. Technical Standards (p. 29)
    Department of Human Services WebServices (DHS WS) Profiles (p. 29)
    Standards used in the DHS WS-Profiles (p. 30)
    Taxonomy (p. 31)
    Authentication protocol (p. 31)
    Standards used in the Authentication Protocol (p. 32)
6. Governance (p. 33)
7. ICT Procurement (p. 34)
8. Future NTIF related Activities (p. 35)
Attachment 1 (p. 36)
Attachment 2 (p. 38)
Attachment 3 (p. 39)
Attachment 4 (p. 40)


EXECUTIVE SUMMARY

There is an emerging commercial provider market for a range of on-line services such as personal data vaults, digital mailboxes, data verification and authentication services. These services have been developed and marketed in what amounts to a caveat emptor (buyer beware) market.

This Assurance Framework therefore provides:

guidance for agencies to determine the Level of Assurance required to be demonstrated by Providers (Section 4); and

the criteria to be satisfied by Providers to deliver the required Level of Assurance (Section 3).

The underlying premise of the Framework is that, based on an understanding of Provider assurance levels, individuals will be able to choose to utilise services offered by commercial service providers in order to access online government services. Equally, individuals should not be forced to hold multiple credentials to access the range of required government services.

In the longer term, the government is exploring the viability of an Australia-wide/overarching National Trusted Identities Framework (NTIF). The Assurance Framework identifies potential additional streams of work that will need to be completed within an NTIF context. By applying consistent standards for all participants in this market, an NTIF could allow a digital identity that is trusted by one participant (such as a bank) to be trusted by another (such as a government agency).

Development of the Assurance Framework is underpinned by existing Australian Government security frameworks and informed by existing national identity management policy frameworks.

The value of an individual’s personal information must be recognised by Providers and reflected in the development of privacy and risk based security controls that meet agency requirements. The Assurance Framework addresses each of these concerns.

Consistent with Australian and international government policies, the Framework establishes four Assurance levels for the provision of broadly defined data management and authentication services by commercial providers. For each level of assurance the Framework specifies performance outcomes and standards to be achieved by Providers. As appropriate, and particularly for higher assurance services, the Framework specifies particular conformity assessment requirements that must be met.

The Framework also flags the potential application of commercial security standards such as the Payment Card Industry Data Security Standard (PCI-DSS) in circumstances where Providers support storage of such information.

The Framework is also cognizant of other related policy initiatives within government, in particular cloud computing and data centre policies and emerging policy in relation to storage and processing of government information. Although not specifically concerned with the provision of identity management services, the principles and strategies inherent in these policies and programs provide valuable input in terms of implementation of the Assurance Framework.


1. Introduction

Individuals and organisations are increasingly required to “prove who they are” by providing personal and confidential information to multiple organisations to obtain desired services or products. This is in addition to the large volume of personal information that is shared by individuals through social media sites. The outcome is that personal information is transmitted, stored and shared/sold across the globe, often without the knowledge or consent of the “owner” or subject of that information.

However, the rapid rate of technological change and commercialisation in using personal data has the very real potential to undermine end user confidence and trust. Concerns about the misuse of personal data, and lack of adequate security standards by government and business continue to grow. Fundamental questions about privacy, property, global governance, human rights – essentially around who should benefit from the products and services built upon personal data – are major uncertainties. (World Economic Forum 2010 Personal Data: The Emergence of a New Asset Class. See http://www.weforum.org/reports/personal-data-emergence-new-asset-class).

There is no cohesive, nationally recognised framework for managing or coordinating individual digital identities in Australia. While Government has traditionally played a central role there is evidence that the market has matured to the point where commercial providers are offering identity related solutions, for example:

digital mailbox providers (such as Australia Post and Digital Post Australia) which will enable people to receive correspondence from participating organisations in a single in-box;

personal identity management (or authentication) providers who provide people with credentials (eg a user name and password) to enable access to a variety of services;

online verification services (such as GreenID), which enable people to verify their identity online; and

personal data management or data vault services, which enable people to store and retrieve their personal data electronically, including personal records like birth certificates.

This Framework is an initial, practical response to the need identified in the Reliance Framework to develop an Assurance Framework that will facilitate the exchange of people’s personal data with commercial operators of authentication, secure mail or data management (data vault) services.


“Personal data is the new oil of the Internet and the new currency of the digital world.”

Meglena Kuneva, European Consumer Commissioner, March 2009


Development of the Assurance Framework is:

underpinned by existing Australian Government security frameworks – the Protective Security Policy Framework (PSPF) and the Australian Government Information Security Manual (ISM) as well as current and planned privacy legislation; and

informed by existing policy frameworks such as the National e-Authentication Framework, the Gatekeeper Public Key Infrastructure (PKI) Framework, the National Identity Security Strategy and activities currently underway in relation to matters such as data sovereignty, cloud computing and Data-Centres-as-a-Service (DCaaS).

The government is exploring the viability of an Australia-wide/overarching National Trusted Identities Framework (NTIF). This Framework will help to inform the viability study of an NTIF. If implemented, an NTIF would create an Australia-wide framework which would support the development of an innovative and competitive private-sector led identity market — allowing better and easier links between citizens, organisations, businesses and governments.

Definitions

Digital Mailbox

A digital mailbox is effectively a third-party email address that individuals can use to receive electronic communications (eg from businesses and government). Mailboxes may have additional storage capacity where individuals can choose to store important information – these are often referred to as data vaults.

Data Vault

A data vault is a third-party secure storage capability that individuals can use to store sensitive information. It is often, but not always associated with a digital mailbox.

Data Verification

Data verification is a process wherein data is checked for accuracy and authenticity. In the context of this Assurance Framework it means verifying with an authoritative source that personal information (eg name, date of birth) submitted by an individual is correct.

Identity Provider

The Organization for the Advancement of Structured Information Standards (OASIS) defines an Identity Provider (IdP) as “A kind of provider that creates, maintains, and manages identity information for principals and provides principal authentication to other service providers within a federation, such as with web browser profiles.” (see https://www.oasis-open.org/org)


2. Purpose and Principles

The purpose of the Assurance Framework is to guide commercial service providers (Providers) and government agencies on the various policies and standards that apply, within a risk management context, to the provision of digital mailbox, data management and authentication services to Government. The Framework identifies those policies and standards with which compliance is mandatory as well as mechanisms for demonstrating such compliance.

The Framework provides:

guidance for agencies to determine the Level of Assurance required to be demonstrated by Providers; and

the criteria to be satisfied by Providers to deliver the required Level of Assurance.

This Assurance Framework has regard to:

technical and performance standards, with the objective that people can choose Providers who are able to demonstrate compliance with such standards in order to access Government services;

the need to demonstrate compliance with privacy legislation and maintain risk-managed levels of security in relation to people’s personal data;

advice concerning procurement options with reference to the Commonwealth Procurement Rules and liability policy; and

the need for any advice to consumers in relation to Provider service offerings.

The Framework establishes the following core principles:

Agencies will specify their requirements in relation to data integrity, security and identity assurance levels;

People will eventually be able to choose from a range of Providers in order to access a suite of Government services;

Providers will adopt robust risk management approaches that consider risks of aggregated personal information to deliver the levels of privacy and security required by agencies in relation to people’s personal data;

Agencies may:

o choose to engage directly with Providers for the delivery of specific services, in which case accountability for the performance of the service or function and responsibility for outcomes remains with the agency;

o act as a relying party, in which case accountability for the performance of the service or function and responsibility for outcomes remains with the Provider.


3. Compliance Checklist

Data Vault/Mailbox Requirements

Levels of Assurance – Data Management Services (data vaults, mailboxes etc)

Level 1 – Minimal assurance: minimal confidence in the services offered.
Level 2 – Low assurance: low confidence in the services provided.
Level 3 – Moderate assurance: moderate confidence in the services provided.
Level 4 – High assurance: high confidence in the services provided.

Important: Achieving LoA 4 Assurance requires completion of the requirements for LoA 1 – LoA 3.

Where the Provider supports storage of digital copies of government issued credentials (eg passports or motor vehicle licences) these credentials remain the property of the issuing agency.

Where the Provider supports storage of financial data such as credit card details, compliance with the Payment Card Industry Data Security Standard (PCI-DSS) will apply (see https://www.pcisecuritystandards.org).

Where a Provider utilises secure data storage services from a third party the security and privacy controls must clearly identify the respective roles and responsibilities of both the Provider and third party.

Note

Providers must specify the physical location of data centres used to store personal information. Where a Provider utilises services outside Australia to store, backup, process, transmit, manage or otherwise support its Australian operations these must be clearly identified and included in the Provider’s security and privacy documentation. Agencies will apply a risk assessment process in making decisions to rely on data or credentials known to be stored by an individual outside Australia.

REQUIREMENT / LOA 1 / LOA 2 / LOA 3 / LOA 4

Organisation Services
Fully operational legal entity compliant with all relevant legal requirements including agency specific legislation and policies (self assessed).
Published Liability Policy. Financial situation sufficient for liability exposure (self assessed).
Annual service management audit (external) – see ASAE 3402: Assurance Reports on Controls at a Service Organisation. Audit records maintained for 36 months.
Financial situation sufficient for liability exposure (independent assessment by a qualified accountant who is a member of a professional accounting body).

Privacy
Independent Privacy Impact Assessment (PIA) – see http://www.oaic.gov.au/publications/guidelines/Privacy_Impact_Assessment_Guide.html for further information.
Demonstrated compliance with all National Privacy Principles (NPPs), the Information Privacy Principles (IPPs) as applicable and all Australian Privacy Principles (APPs) should the 2012 Amendment Bill become law.
Destroy an individual’s stored data within a reasonable time of the person terminating their relationship with the Provider.
Provide a means for subscribers to securely amend their stored information.

Information Security Management System
Requires specification of relevant technical and security standards.
Documented Security Risk Management Plan (SRMP) including DSD Mitigation Strategies (see http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm).
Appropriate operator access controls and data protection mechanisms (at rest and in motion) are implemented.
Defined managerial responsibility for all security policies.
ISMS complies with ISO/IEC 27001 (self assessment).
Documented incident management plan addressing in particular security and privacy breach management.
Effective personnel security controls are in place.
Adequate Physical Security controls are in place to protect premises and information resources.
2 yearly security audit by an IRAP assessor to ensure documented security controls are being effectively implemented and remain adequate for the services provided.
A secure log of all relevant security events is maintained.
Shared secrets appropriately secured (physical and logical).
An independent protective security risk review (PSRR) is performed at least annually by an IRAP assessor.
DR plan tested and reviewed annually.
ISMS has been certified by a JAS-ANZ accredited certification body to ISO/IEC 27001 and is subject to annual audit – see http://www.jas-anz.com.au/ for further information.

Storage and electronic transmission of personal information
Use an encryption product that implements a DACA (DSD Approved Cryptographic Algorithm) as per ISM requirements. Where practical, cryptographic products must provide a means of data recovery. Use an encryption product that implements a DACP (DSD Approved Cryptographic Protocol) to communicate sensitive information over public network infrastructure – see http://www.dsd.gov.au/infosec/ism/index.htm for further information. [1]

Use an Evaluation Assurance Level (EAL) 2 encryption product from DSD’s Evaluated Products List (EPL) that has completed a DCE (DSD Cryptographic Evaluation) – see http://www.dsd.gov.au/infosec/ism/index.htm for further information. Data centres used to store personal information must be located in Australia.

Physical security
Demonstrate an appropriate physical security environment for the protection of business assets and processes. Documented Physical Security Policy as part of overall SRMP.

Compliance with the PSPF Physical Security Protocol at http://www.protectivesecurity.gov.au/physicalsecurity/Pages/Protocol.aspx

Physical security arrangements certified by a Gatekeeper Authorised Physical Security Evaluator – see http://www.finance.gov.au/e-government/security-and-authentication/gatekeeper/physical-security-evaluation-panel.html

Personnel Security
Compliance with PERSEC 1 in the PSPF (self assessment).

Documented Personnel Security Management Plan including: verification of qualifications, police records check, referee checks, identity verification.

Vetting of personnel and contractors in Positions of Trust in accordance with AS 4811-2006: Employment Screening, including appropriate personnel security aftercare arrangements.

[1] Providers should note that the use of encryption may introduce challenges to meet data availability requirements.

PCI-DSS requirements for storage of payment card data
Not allowed
Not allowed
Completion of the Attestation of Compliance with the Payment Card Industry Data Security Standard (PCI DSS) by a Qualified Security Assessor (QSA).


Authentication Requirements

National e-Authentication Framework (NeAF) Levels of Assurance – Identity/Attributes

Level 1 – Minimal assurance: minimal confidence in the identity assertion / credential.
Level 2 – Low assurance: low confidence in the identity assertion / credential.
Level 3 – Moderate assurance: moderate confidence in the identity assertion / credential.
Level 4 – High assurance: high confidence in the identity assertion / credential.

Important: Achieving LoA 4 Assurance requires completion of the requirements for LoA 1 – LoA 3.

Note

Given the sensitivity of the personal information collected and stored, Providers of authentication services at LOA 2 and above must satisfy the security and privacy requirements for mailbox/data vault Providers (above) to a minimum of LOA 3.


REQUIREMENT / LOA 1 / LOA 2 / LOA 3 / LOA 4

Identity Proofing
(Providers to demonstrate completion of NeAF assessment [reflected in Identity and Credential Policies] and implementation of provisions of ISO/IEC 29115)

Ensure that each applicant’s identity record is unique within the service’s community of subjects and uniquely associable with tokens and/or credentials issued to that identity. Accept a self-assertion of identity. Accept self-attestation of evidence. Accept pseudonyms – self asserted, socially validated.

Perform all identity proofing strictly in accordance with its published Identity Proofing Policy. Applicant provides name, DOB, address, email/phone (to be verified with issuing institutions as appropriate). Maintain appropriate Identity and Verification Records in accordance with the Archives Act.
Optional ID proofing: Known customer (see Gatekeeper EOI Policy and AS 4860-2007, Knowledge-based identity authentication – Recognizing Known Customers); 3rd party verification (authorised referee).

Electronic verification where possible (DVS [2] or other authorised data verification service provider – see below) of presented documents with the specified issuing authority to corroborate date of birth, current address of record, and other personal information. The primary document must be a Government issued credential with a biometric. GSEF processes may be considered on a risk basis.
Optional ID Proofing: Known Customer.

Only face-to-face identity proofing. GSEF processes apply. Applicant presents: secondary Government Picture ID (not the same as the primary document) or credential issued by a regulated financial institution OR two items confirming name, and address or email address, such as: utility bill, professional license or membership, or other evidence of equivalent standing (see Gatekeeper EOI Policy). All presented credentials and information are, where possible, electronically verified with the relevant issuing authority.

Credentials
Account for the following system threats and apply appropriate controls: the introduction of malicious code; compromised authentication arising from insider action; out-of-band attacks by other users and system operators (e.g., the ubiquitous shoulder-surfing); spoofing of system elements/applications; malfeasance on the part of subscribers and subjects. Single factor authentication solutions acceptable.

Published Credential Policy and Practices Statement approved by internal Policy Management Authority. Strong passwords as per ISM. Non-PKI multi-factor authentication protocols required.

Cryptographic technology deployed through a Public Key Infrastructure – “soft” certificates.

Cryptographic technology deployed through a Public Key Infrastructure deployed on hardware tokens protected by password or biometric controls.

Privacy
Demonstrated Amendment of Successful

[2] Private sector access to the DVS has yet to be finalised.


Credential Management
User choice of UserID that is verified to be unique within the service’s community of subjects and bound to a single identity record. Permit users to change their PINs/passwords.
Revocation: User may submit a request for revocation to the Credential Issuer. Issuer to implement appropriate security and verification processes.

Documented Credential Management Policies and Practices as part of KMP and consistent with Privacy Policy and Security Risk Management Plan.

Full Gatekeeper accreditation.

Gatekeeper High Assurance accreditation. Specifications for hardware tokens from EPL.

Data Verification Service Requirements

REQUIREMENT / LOA 1 / LOA 2 / LOA 3 / LOA 4

Data verification services (these services apply only at authentication assurance LOA 3 and above)
Independent Privacy Impact Assessment completed.
Published Privacy Policy.
Demonstrated compliance with all National Privacy Principles (NPPs), the Information Privacy Principles (IPPs) as applicable and all Australian Privacy Principles (APPs) should the 2012 Amendment Bill become law.
Appropriate contractual arrangements established with issuing authorities.
If personal information is retained, satisfy the requirements for mailbox/data vault providers at LOA 3.


4. Assurance Framework In accordance with the Protective Security Policy Framework, when an agency contracts services to a third party, accountability for the performance of the service or function and responsibility for outcomes remains with the agency requesting the service. This agency responsibility includes the management of risks to any assets (personnel, physical or information) the agency entrusts to the Provider. Assets need to be considered individually and in aggregate.

In the case of the Assurance Framework these assets may include:

o government issued documents or credentials
o sensitive personal information
o sensitive correspondence to and from agencies

In addition Providers may also support storage of other information including:

o financial information eg credit card details
o routine transactions with non-government service providers such as utilities and telecommunications companies.

Agencies should therefore establish service level agreements with Providers that, at a minimum, specify the assurance requirements set out in Section 3. Such agreements should clearly specify the nature of the services to be provided and the compliance requirements that must be demonstrated for the particular service offering.

The nature and extent of data storage supported by the Provider will provide a necessary input into an agency’s risk assessment. This is because the quantity and sensitivity of stored information will increase the attractiveness of the service as a target for cyber-criminals, and therefore the potential for compromise to agency operations.

Risk Management

Agencies must undertake a protective security risk assessment to determine the required level of assurance that Providers must demonstrate in order for the agency to rely on the services offered.

The PSPF states:

“Agencies must adopt a risk management approach to cover all areas of protective security activity across their organisation, in accordance with the Australian Standard for Risk Management AS/NZS ISO 31000:2009 and the Australian Standards HB 167:2006 Security risk management.” (see http://www.protectivesecurity.gov.au/pspf/Documents/Protective%20Security%20Policy%20Framework.pdf )


Implementation of this Assurance Framework will require:

Agencies intending to rely on services provided by commercial operators to undertake a thorough risk assessment (as per the PSPF) to determine the level of assurance required to be demonstrated by Providers.

o The outcome of the risk assessment, including all protective security measures and resultant residual risks, must be signed-off by the agency head.

Note that some services, such as the ability of individuals to store personal information and copies of documents, may not be directly applicable to an agency’s engagement with a Provider.

For example an individual may choose to store a digital copy of their Passport in their mailbox. The fact that the individual has a copy of their passport stored in the mailbox may have no bearing on their interaction with a given agency. However, the fact that the Passport remains the property of the issuing agency will have implications for the security controls implemented by the Provider.

The risk assessment should focus on the possible threats to the agency arising from its reliance on the services offered by the Provider, and consider:

Mailbox/vault services

the potential type and quantity of information that an individual may choose to store in their vault (eg electronic copies of personal documents, digital credentials, answers to shared secrets etc) as well as the aggregate volume of such data holdings

Authentication services

the type and volume of personal information/documentation that is collected and stored in order to issue an authentication credential (individual and aggregate), whether such data is verified and if so whether the verification outcomes are also stored.

Data verification services

the type and volume of personal information/documentation that is collected and stored

The risk assessment should include:

(i) a protective security risk review

GOV-6: Agencies must adopt a risk management approach to cover all areas of protective security activity across their organisation, in accordance with the Australian Standard for Risk Management AS/NZS ISO 31000:2009 and the Australian Standards HB 167:2006 Security risk management. See http://www.protectivesecurity.gov.au/informationsecurity/Documents/information%20security%20management%20protocol.pdf

(ii) a National e-Authentication Framework (NeAF) assessment as appropriate.

The NeAF provides agencies with a methodology to undertake identity-risk assessments and thereby determine the level of authentication assurance required for a particular online transaction (or set of similar transactions). See http://www.finance.gov.au/e-government/security-and-authentication/authentication-framework.html.

The Australian Government Business Impact Levels (BILs)3 form a part of the PSPF. They provide agencies with a common set of rules that lead to a consistent approach to assessing business impact from an Australian Government perspective. BILs will vary greatly between agencies, based on their functions and size. BILs in themselves do not measure the size of the risk associated with the information.

Security Risk Management

Risk can be identified and analysed in terms of:

What could happen? How could resources and activities central to the operation of an agency be affected?

How would it happen? What weaknesses could be exploited to make this happen? What security controls are already in place? Are they adequate?

How likely is it to happen? Is there opportunity and intent? How frequent is it likely to be?

What would the consequence be? What possible effect could it have on an agency’s operations, services or credibility?

3 http://www.ag.gov.au/Documents/Australian%20Government%20protective%20security%20governance%20management%20guidelines%20-%20Australian%20Government%20Business%20impact%20levels.pdf. See Annex 6 (Background Material) for details.


Possible Threat vectors – internal / external

Facility security breach (physical)
Software / hardware failures / compromise
D/DOS attacks
System overloads due to business traffic
Eavesdropping / Spoofing
Configuration errors
Malicious use (internal – privileged users)
Operator negligence
Hacking / Malicious code injections / Social engineering of administrative staff
Criminal User – identity fraud
Data spill / breach
Others


Risk Assessment Framework

A sample security risk assessment framework for considering Provider mailbox/data vault services may look like the following:

LIKELIHOOD: Description

Almost Certain: An attempt will inevitably be made to effect the threat
Likely: Will probably occur in most circumstances
Possible: Might not occur, but on balance more likely to occur at some time
Unlikely: Not generally expected to occur at some time
Rare: May occur only in exceptional circumstances

Figure 1 : Threat likelihood ratings

1 (LOW): Could be expected to harm government agency operations, commercial entities or members of the public

2 (MEDIUM): Could be expected to cause limited damage to national security, government agency operations, commercial entities or members of the public

3 (HIGH): Could be expected to damage government agency operations, commercial entities or members of the public

4 (VERY HIGH): Could be expected to damage national security

5 (EXTREME): Could be expected to seriously damage national security

6 (CATASTROPHIC): Could be expected to cause exceptionally grave damage to national security

Figure 2 : Summary PSPF Business Impact Levels 4

Business Impact    Rare       Unlikely   Possible   Likely     Almost Certain

Catastrophic       Moderate   Moderate   High       High       High
Extreme            Moderate   Moderate   Moderate   High       High
Very High          Low        Low        Low        Moderate   Moderate
High               Minimal    Minimal    Minimal    Low        Low
Medium             Minimal    Minimal    Minimal    Low        Low
Low                Nil        Nil        Nil        Nil        Nil

Figure 3 : Sample Risk Ratings

4 Further detail is available at http://www.protectivesecurity.gov.au/governance/Documents/Business%20impact%20levels.pdf Note: An alternative approach is set out in ISO/IEC 31000:2009 Risk Management Principles and Guidelines


The outcome of this risk assessment can be broadly mapped to assurance requirements for mailbox/data vault Providers in Section 3:

In very general terms:

High residual risk would warrant LoA 4
Moderate risk would warrant LoA 3
Low risk would warrant LoA 2
Minimal risk would warrant LoA 1

NeAF Assessment

The second of the risk assessments that agencies may need to undertake relates to the provision of authentication services. The NeAF assessment will determine the Level of Assurance required for any authentication credentials issued by Providers that will be relied on by agencies to access services.

A NeAF assessment involves the following broad steps to determine assurance level requirements.

The first step involves a comprehensive and multi-dimensional assessment of the type and severity of identity-related threats and risks for a transaction (or transaction set). A sample of the type of threats and risks is set out below (further detail is available at http://www.finance.gov.au/e-government/security-and-authentication/authentication-framework.html).

NeAF Illustrative consequences and severity

Consequence (rows) and severity rating (columns): Insignificant | Minor | Moderate | Major | Severe

Risk to any party’s personal safety: No risk | No risk | No risk | Any risk to personal safety | Threaten life directly

Release of personally or commercially sensitive data to third parties without consent: No impact | Would have little impact | Measurable impact, breach of regulations or commitment to confidentiality | Release of information would have a significant impact | Would have severe consequences to a person, agency or business

Financial loss to any client of the service provider or other third party: No loss | Minimal | Minor | Significant | Substantial

Financial loss to Agency / service provider: No loss | Minimal (< 2% of monthly agency budget) | Minor (2% to < 5% of monthly agency budget) | Significant (5% to < 10% of monthly agency budget) | Substantial (≥ 10% of monthly agency budget)

Impact on government finances or economic and commercial interests: No impact | No impact | Cause financial loss or loss of earning potential | Work significantly against | Substantial Damage

Damage to any party’s standing or reputation: No damage | No damage | Minor: short-term damage | Limited long-term damage | Substantial long-term damage

The second step involves mapping the likelihood of these occurring in order to determine overall risk levels and from there the required assurance level can be determined.

NeAF Indicative assurance level requirements based upon likelihood and consequences

Likelihood        Insignificant   Minor      Moderate   Major      Severe

Almost certain    Nil             Low        Moderate   High       High
Likely            Nil             Low        Moderate   High       High
Possible          Nil             Minimal    Low        Moderate   High
Unlikely          Nil             Minimal    Low        Moderate   Moderate
Rare              Nil             Minimal    Low        Moderate   Moderate

Note

The threats and likelihood ratings above and those in the NeAF documents are indicative only and agencies must apply the principles set out in the NeAF in the context of their own business and risk environment.

The outcomes of this NeAF assessment may be seen to broadly translate to the assurance levels required to be demonstrated by Providers as set out in Section 3:

In very general terms:

High residual risk would warrant LoA 4
Moderate risk would warrant LoA 3
Low risk would warrant LoA 2
Minimal risk would warrant LoA 1
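The two rating procedures above (the Figure 3 sample risk ratings for mailbox/data vault services, and the NeAF likelihood-by-consequence matrix for authentication services) both end in the same informal mapping from a residual-risk rating to a Level of Assurance. The following is an added worked example, not part of the Framework or of any agency tool, that carries a handful of constructed scenarios through both matrices and on to a LoA. The matrices are transcribed from the page; three things are assumptions made for the example: the overall rating for a service is the highest rating across its assessed scenarios (the page states no aggregation rule), a "Nil" rating maps to no LoA requirement (the page only maps Minimal to High), and the scenarios themselves are constructed, using threat vectors from the page's own list. The monotonicity check is the sanity test a practitioner would run on any re-typed matrix: a rating that falls as likelihood or impact rises almost always indicates a transcription error.

```python
"""Added worked example: carry sample scenarios through the Figure 3 and NeAF
matrices to a Level of Assurance. Matrices transcribed from the page; the
aggregation rule (highest rating wins), the Nil -> no LoA mapping and the
sample scenarios are assumptions made for this illustration."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

LIKELIHOOD: List[str] = ["Rare", "Unlikely", "Possible", "Likely", "Almost Certain"]

# Figure 3: Business Impact Level (row) x likelihood (column, in LIKELIHOOD order).
BIL_RISK: Dict[str, List[str]] = {
    "Catastrophic": ["Moderate", "Moderate", "High", "High", "High"],
    "Extreme":      ["Moderate", "Moderate", "Moderate", "High", "High"],
    "Very High":    ["Low", "Low", "Low", "Moderate", "Moderate"],
    "High":         ["Minimal", "Minimal", "Minimal", "Low", "Low"],
    "Medium":       ["Minimal", "Minimal", "Minimal", "Low", "Low"],
    "Low":          ["Nil", "Nil", "Nil", "Nil", "Nil"],
}
BIL_ORDER: List[str] = ["Low", "Medium", "High", "Very High", "Extreme", "Catastrophic"]

# NeAF: likelihood (row) x consequence severity (column, in NEAF_CONSEQUENCE order).
NEAF_CONSEQUENCE: List[str] = ["Insignificant", "Minor", "Moderate", "Major", "Severe"]
NEAF_RISK: Dict[str, List[str]] = {
    "Almost Certain": ["Nil", "Low", "Moderate", "High", "High"],
    "Likely":         ["Nil", "Low", "Moderate", "High", "High"],
    "Possible":       ["Nil", "Minimal", "Low", "Moderate", "High"],
    "Unlikely":       ["Nil", "Minimal", "Low", "Moderate", "Moderate"],
    "Rare":           ["Nil", "Minimal", "Low", "Moderate", "Moderate"],
}

RATING_ORDER: List[str] = ["Nil", "Minimal", "Low", "Moderate", "High"]
# "In very general terms" mapping from the page; Nil -> None is an assumption.
RATING_TO_LOA: Dict[str, Optional[int]] = {
    "High": 4, "Moderate": 3, "Low": 2, "Minimal": 1, "Nil": None,
}


def bil_rating(bil: str, likelihood: str) -> str:
    """Figure 3 lookup: residual-risk rating for a BIL at a given likelihood."""
    return BIL_RISK[bil][LIKELIHOOD.index(likelihood)]


def neaf_rating(consequence: str, likelihood: str) -> str:
    """NeAF lookup: indicative rating for a consequence at a given likelihood."""
    return NEAF_RISK[likelihood][NEAF_CONSEQUENCE.index(consequence)]


def highest(ratings: Iterable[str]) -> str:
    """Worst rating in the set, ordered Nil < Minimal < Low < Moderate < High."""
    return max(ratings, key=RATING_ORDER.index)


def required_loa(ratings: Iterable[str]) -> Optional[int]:
    """Overall LoA for a service: highest scenario rating, mapped as the page does."""
    return RATING_TO_LOA[highest(ratings)]


def matrix_is_monotonic(matrix: Dict[str, List[str]], row_order: List[str]) -> bool:
    """Sanity check for a transcribed matrix: the rating must not decrease as the
    column (likelihood or consequence) or the row (impact) increases."""
    for row in matrix.values():
        ranks = [RATING_ORDER.index(r) for r in row]
        if ranks != sorted(ranks):
            return False
    for col in range(len(next(iter(matrix.values())))):
        ranks = [RATING_ORDER.index(matrix[r][col]) for r in row_order]
        if ranks != sorted(ranks):
            return False
    return True


@dataclass(frozen=True)
class Scenario:
    threat: str
    likelihood: str
    impact: str  # a BIL name for vault scenarios, a NeAF consequence for authentication


def assess_vault(scenarios: Iterable[Scenario]) -> Dict[str, str]:
    """Rate each mailbox/data vault scenario with the Figure 3 matrix."""
    return {s.threat: bil_rating(s.impact, s.likelihood) for s in scenarios}


def assess_authentication(scenarios: Iterable[Scenario]) -> Dict[str, str]:
    """Rate each authentication scenario with the NeAF matrix."""
    return {s.threat: neaf_rating(s.impact, s.likelihood) for s in scenarios}


# Constructed sample scenarios (threat vectors taken from the page's own list).
VAULT_SCENARIOS = [
    Scenario("Data spill / breach of aggregated vault contents", "Possible", "Very High"),
    Scenario("Malicious use by internal privileged user", "Unlikely", "Extreme"),
    Scenario("D/DOS attack on the service", "Likely", "Medium"),
]
AUTH_SCENARIOS = [
    Scenario("Criminal user - identity fraud", "Likely", "Major"),
    Scenario("Social engineering of administrative staff", "Unlikely", "Severe"),
    Scenario("Eavesdropping / spoofing during credential use", "Likely", "Minor"),
]

if __name__ == "__main__":
    vault = assess_vault(VAULT_SCENARIOS)
    auth = assess_authentication(AUTH_SCENARIOS)
    print("vault:", vault, "-> LoA", required_loa(vault.values()))
    print("authentication:", auth, "-> LoA", required_loa(auth.values()))
```

Run as a script it rates the vault scenarios Low, Moderate and Low (overall Moderate, so LoA 3) and the authentication scenarios High, Moderate and Low (overall High, so LoA 4). The "highest rating wins" rule is deliberately conservative; an agency applying its own aggregation or weighting would replace `required_loa` and leave the lookups unchanged.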


Commercial Providers

Privacy

The Privacy Act 1988 (Cth) (Privacy Act) applies to government and private sector entities that handle personal information as part of their participation in this Assurance Framework. The new Australian Privacy Principles (APPs) will apply after the commencement of the amendments in the Privacy Amendment (Enhancing Privacy Protection) Bill 2012.

Providers must demonstrate their compliance with the National Privacy Principles (NPPs) and, as applicable, the Information Privacy Principles (IPPs) in the Privacy Act (see http://www.privacy.gov.au/materials/types/infosheets/view/6583).

When entering a Commonwealth contract, section 95B of the Privacy Act requires an agency to take contractual measures to ensure that a ‘contracted service provider’ (CSP) for the contract does not do an act, or engage in a practice, that would breach an Information Privacy Principle (IPP) if done by the agency.

Termination of Services

NPP 4.2 states – ‘An organisation must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose for which the information may be used or disclosed...’

Similarly, APP 11.2 states:

If:

(a) an APP entity holds personal information about an individual; and

(b) the entity no longer needs the information for any purpose for which the information may be used or disclosed by the entity under this Schedule; and

(c) the information is not contained in a Commonwealth record; and

(d) the entity is not required by or under an Australian law, or a court/tribunal order, to retain the information;

the entity must take such steps as are reasonable in the circumstances to destroy the information or to ensure that the information is de-identified.

At a minimum, Providers MUST:

Demonstrate compliance with all National Privacy Principles (NPPs), the Information Privacy Principles (IPPs) as applicable and all Australian Privacy Principles (APPs) should the 2012 Amendment Bill become law.

Providers must destroy an individual’s stored data within a reasonable time of the person terminating their relationship with the Provider.

Cross border disclosure

APP 8 states:

Before an APP entity discloses personal information about an individual to a person (the overseas recipient):

(a) who is not in Australia or an external Territory; and

(b) who is not the entity or the individual;

the entity must take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the Australian Privacy Principles (other than Australian Privacy Principle 1) in relation to the information.

Exceptions to this requirement include where an individual is informed and consents to the transfer of the data.

Where an agency enters into a contract with a Provider that may send personal information offshore, the agency must ensure that the Provider complies with APP 8.

Anonymity and pseudonymity

The Privacy Act and the Amendment Bill require that individuals be given the opportunity to not identify themselves when entering into transactions. Specifically, National Privacy Principle (NPP) 8 states:

Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation.

Similarly, Australian Privacy Principle (APP) 2.1 states:

Individuals must have the option of not identifying themselves, or of using a pseudonym, when dealing with an APP entity in relation to a particular matter.

APP 2.1 does not apply if the individual is required by law to identify themselves or if it is impracticable to deal with an individual who has not identified themselves.

Mailbox/data vault Providers should consider offering individuals the option to use their services anonymously or under a pseudonym where practicable.

Security

The provisions of the Australian Government Protective Security Policy Framework (PSPF) and the Australian Government Information Security Manual (ISM) establish the over-arching requirements to be satisfied by Providers under this Framework.


Security is a combination of physical, logical (ICT) and personnel security measures designed and implemented to provide “defence in depth” appropriate to the perceived threats/risks to the assets being secured.

Physical Security

Providers must layer physical Zones working in from public access areas and increasing the level of protection with each new Zone. Multiple layers will give Providers a greater delay to allow response to any unauthorised entry. Such layering will give the Provider greater time to respond before unauthorised access to the inner-most Zone (where the most sensitive information is stored).

Further information is available at http://www.protectivesecurity.gov.au/physicalsecurity/Pages/Supporting-Guidelines.aspx

Information Security

Providers must establish information security controls to ensure (to an acceptable level of residual risk) the confidentiality, integrity and/or availability of information.

Providers SHOULD, as part of the development and implementation of their Security Risk Management Plan (SRMP), consider the Top 4 Strategies to Mitigate Targeted Cyber Intrusions5 produced by the Defence Signals Directorate (DSD):

Patch applications e.g. PDF viewer, Flash Player, Microsoft Office and Java. Patch or mitigate within two days for high risk vulnerabilities. Use the latest version of applications.

Patch operating system vulnerabilities. Patch or mitigate within two days for high risk vulnerabilities. Use the latest operating system version.

Minimise the number of users with domain or local administrative privileges. Such users should use a separate unprivileged account for email and web browsing.

Application whitelisting to help prevent malicious software and other unapproved programs from running, e.g. by using Microsoft Software Restriction Policies or AppLocker.

Personnel Security

Providers must ensure (to an acceptable level of residual risk) that their personnel and the personnel of any sub-contractors are suitable to have access to sensitive information.

Access to system information must be managed through appropriate access controls, restricting system access to authorised and successfully authenticated users. Authorisation is two-fold. Firstly, an individual needs to be authorised to have access to a system, and secondly they need to be authorised to access specific applications, databases or information resources on a system.

5 Further information on DSD Mitigation Strategies is available at http://www.dsd.gov.au/publications/Top_35_Mitigations.pdf

At a minimum, Providers MUST:

Have a documented Security Risk Management Plan (SRMP) including, as appropriate, implementation of DSD Mitigation Strategies.

Authentication Services

These criteria apply to Providers that generate and issue authentication credentials to individuals.

Credentials enable authentication to occur. Issued credentials are only as good as the weakest link associated with their issue, use, management, and revocation.

This includes:

The credential creation process including protection of any data which may compromise a credential.

The registration and management processes employed by (or on behalf of) the credential issuer.

The environment in which the credential is being used and the risks associated with that environment.

The way the user protects their credential.

Authentication credentials are generally classified as one (or more) of the following:

Something the user knows – e.g. Username, PIN, passwords and pass-phrases, shared secrets etc;

Something the user has – e.g. Physical devices such as tokens and smart cards etc;

Something the user is – e.g. Biometric record of a physical attribute e.g. fingerprint6.

Privacy

Providers must demonstrate their compliance with the National Privacy Principles (NPPs) in the Privacy Act (see http://www.privacy.gov.au/materials/types/infosheets/view/6583). If Providers are contracted service providers under the Privacy Act, they MUST also demonstrate their compliance with the Information Privacy Principles.

6 More recently a new type – “something the user does” (eg gait patterns, keystroke behaviour) – has come under active consideration as a means of authenticating individuals in certain applications.


At a minimum, Providers MUST:

Have undertaken an identity risk assessment process in accordance with the National e-Authentication Framework (NeAF) to establish the level of assurance associated with the issued credential.


Security

Providers MUST demonstrate a risk-based approach to security that combines physical, logical (ICT) and personnel security measures to provide “defence in depth” appropriate to the perceived threats/risks to the assets being secured.

Data Verification Services

In the context of this Assurance Framework the ability to verify the authenticity of documentation or personal information submitted by an individual assists in providing increased assurance that “the individual is who they say they are”. There are a number of government and commercial data verification services available. Where agencies or commercial providers contemplate use of such services, they should ensure that the particular service satisfies the compliance requirements set out in Section 3.

Given the structure of the Assurance Framework the use of data verification services will only be required (where possible) for authentication services operating at LOA3 and above.

Document Verification Service

The national Document Verification Service (DVS) is part of the Australian Government’s commitment to protecting the identity of Australians7. The DVS is a tool to verify the accuracy and validity of key Australian identity credentials provided at enrolment into a high value system. It is a secure, on-line system used to check, in real time, whether the information on a credential (such as document number, name and date of birth) ‘matches’ information held by the issuing agency. The DVS does not store any personal information. Requests to verify a document are encrypted and sent via a secure communications pathway to the document issuing agency. No personal data is transferred from the document-issuing agency.

7 Note that the DVS is, at this stage, only available to government agencies.

At a minimum, providers MUST:

Demonstrate compliance with all National Privacy Principles (NPPs), the Information Privacy Principles (IPPs) as applicable and all Australian Privacy Principles (APPs) should the 2012 Amendment Bill become law, and in particular the IPPs and NPPs (and APPs) in relation to collection, use and disclosure of personal information:

o IPPs 1-3; NPP 1 (APP 3, APP 4 and APP 5)
o IPPs 10-11; NPP 2, 10 (APP 6)
o NPP 9 (APP 8)
o IPP 4; NPP 4 (APP 11)

At a minimum, Providers MUST:

Have a documented Security Risk Management Plan (SRMP) including, as appropriate, implementation of DSD Mitigation Strategies.

Privacy

Providers MUST demonstrate their compliance with the National Privacy Principles (NPPs) in the Privacy Act (see http://www.privacy.gov.au/materials/types/infosheets/view/6583). If Providers are contracted service providers under the Privacy Act, they must also demonstrate their compliance with the Information Privacy Principles.

Security

Providers MUST demonstrate a risk-based approach to security that combines physical, logical (ICT) and personnel security measures to provide “defence in depth” appropriate to the perceived threats/risks to the assets being secured.

Legal

Providers MUST demonstrate that appropriate contractual arrangements have been established with credential or document issuing authorities that are used in their verification processes.

Conformity Assessment

Conformity assessment is the ‘demonstration that specific requirements relating to a product, process, system, person or body are fulfilled. Conformity assessment procedures, such as testing, inspection and certification, offer assurance that products fulfil the requirements specified in regulations and standards’ (Source: ISO/IEC 17000 Conformity Assessment - Vocabulary and General Principles).


At a minimum, Providers MUST:

Demonstrate compliance with all National Privacy Principles (NPPs), the Information Privacy Principles (IPPs, as applicable) and all Australian Privacy Principles (APPs, should the 2012 Amendment Bill become law), and in particular the IPPs and NPPs (and APPs) in relation to collection, use and disclosure of personal information:

o IPPs 1-3; NPP 1 (APP 3, APP 4 and APP 5)
o IPPs 10-11; NPP 2, 10 (APP 6)
o NPP 9 (APP 8)
o IPP 4; NPP 4 (APP 11)

Providers MUST demonstrate that:

o Requests to verify a document are encrypted and sent via a secure communications pathway to the document issuing agency; and

o No personal data is transferred from the document-issuing agency.


In circumstances where Providers offer individuals data storage / management / communication and associated authentication services that purport to be adequate for reliance by government agencies delivering services and benefits to individuals it is expected that such services will meet at a minimum baseline ICT security management standards.

From an information assurance perspective the nature of the conformity assessment process would be directly proportional to the level of assurance offered/required for such services8.

ISO/IEC 27001:2005 - Information technology -- Security techniques -- Information security management systems – Requirements requires that management:

Systematically examine the organization's information security risks, taking account of the threats, vulnerabilities, and impacts;

Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and

Adopt an overarching management process to ensure that the information security controls continue to meet the organization's information security needs on an ongoing basis.

Info-Sec Registered Assessor Program (I-RAP)

The DSD Information Security Registered Assessor program (IRAP) provides Australian Government agencies with a pool of registered Australian IT security professionals who can be engaged to perform information security assessments on systems and networks.

Audit requirements

Any conformity assessment program is a point-in-time evaluation of a Provider’s capabilities. Incorporating an external audit requirement would provide an ongoing independent assessment that a service organisation is continuing to deliver services in a manner that is fit for purpose, and would require it to disclose its activities and processes to customers in a uniform manner.

In Australia the Auditing and Assurance Standards Board (AUASB) is developing a new standard on controls engagement. It will address engagements to report on financial reporting, compliance or operational controls at the entity and compliance or operational controls at a service organisation. This new standard should be available in December 2012.

8 This is the approach adopted in the US for the National Strategy for Trusted Identities in Cyberspace (NSTIC).

Mailbox/data vault Providers operating at LoA 4 will be required to:

Have an Information Security Management System (ISMS) that has been certified by a JAS-ANZ accredited certification body for compliance with ISO/IEC 27001 and which is also subject to annual audit for ongoing compliance.

Information Assurance – Capability Maturity

An important component of any trust framework aimed at facilitating provision of services to Government by commercial entities is an understanding of the capability maturity of participating entities (ie developing a measure of how capable the organisation is in terms of its delivery of specific services). Where such services involve the storage and/or transmission of personal information, objective measures of maturity will assist agencies in terms of their reliance on such services.

A Maturity Model (see Attachment 3) is:

A framework to measure and support the Information Assurance maturity of an organisation.

A tool for organisations to use to progress the maturity of Information Assurance processes.

A means of facilitating Provider participation in the Assurance Framework as they move through the maturity process.

A way of measuring how well developed enterprise capabilities are. As organisations learn and grow they transition through maturity levels. At each maturity level there are increased controls and therefore reduced risk.


5. Technical Standards

The objective of this section is to provide a brief overview of the architectural approach for the integration and authentication tiers of the Reliance Framework, and the set of WS-Profiles to be used.9

Compliance with these standards will be required for Providers under this Assurance Framework.

The ability for data and messages to be shared between organisations in a timely, secure and reliable manner is a key capability for the Assurance Framework. Given the diverse nature of the participating organisations' infrastructure, the integration layer must be vendor- and host-system-neutral. To ensure interoperability and ease of integration for participating organisations and individuals, it must be based on widely used open industry standards. The industry standards by themselves are not enough to ensure interoperability; detailed profiles must be used that specify not only which standards must be used, but how they must be used, to a sufficient level of detail.

Some key enabling factors include:

Use of open industry standards.

Establishment of detailed Web Service Profiles.

Strong architectural governance.

Establishment of a certification process to ensure interoperability.

Implementation of these will serve to maximise the ease of integration with multiple third-party providers. This in turn provides pathways for citizen choice, improves portability and avoids the establishment or perception of a single consumer database, as well as supporting innovation and development in emerging commercial markets.

Department of Human Services WebServices (DHS WS) Profiles

A Profile is a set of guidelines for the use of Web Services specifications beyond the core protocols. These guidelines are necessary because the specifications are designed to be general-purpose and are not always enough to satisfy enterprise-level requirements. Interoperability profiles also resolve ambiguities in areas where the Web Services specifications are not clear enough to ensure that all implementations process SOAP messages in the same way.

The DHS WS-Profiles are a critical tool in establishing interoperability between participating organisations in the Reliance Framework.

[9] Full detail on the DHS WS-Profiles is contained in the DHS External Web Services Profile document. Full detail on the Authentication Protocol is contained in the Australian Government Authentication Hub Protocol v2.0 document.


Some key features of the DHS Web Service Profiles include:

Standards based: Wherever possible and appropriate, industry web services standards are adopted.

Interoperability: The profiles are designed to maximise interoperability across different technology platforms.

Support Delegated Trust Model: The security profiles support inclusion of user attributes in the Web Service requests that can be used by the Web Service provider to perform authorisations based on a delegated trust model.

Support for Integrated Audit: Inclusion of user attributes in the Web Service requests to support audit requirements including the ability to correlate audit events across the portfolio systems.

Extensible: The security profiles cater both for internal web services used to access in-confidence portfolio data and for the configuration of additional security mechanisms for access to more sensitive data, or access by trusted external consumers.

The set of DHS WS-Profiles contains multiple profiles to address different integration requirements, including:

DHS Basic Profile 1.0: This profile is a set of basic standards needed for every web service transaction. At its core is the WS-I Basic Profile 1.0, with some enhancements to support more recent standards such as SOAP 1.2 and WSDL 1.1, and some DHS-specific conventions where required to cover areas not addressed by the WS-I Basic Profile.

DHS SOAP Attachment Profile 1.0: This profile is a set of standards needed for services with attachment requirements.

WS-Security Profile 1.0: This profile is a set of standards needed to secure the Web Service message using the OASIS WS-Security 1.0 specification.

TLS Profile 1.0: This profile is a set of standards needed to secure the web service transport layer using TLS as specified in IETF RFC 2246 (TLS 1.0).

DHS Signature Profile 1.0: This profile is a set of standards needed to create digital signatures. It specifies the digital signature syntax and processing rules of the W3C XML Signature recommendation.
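The message-level security that the WS-Security Profile describes can be seen end to end in the following added example, which is not code from the DHS WS-Profiles or from this Framework. It builds a SOAP 1.2 envelope carrying an OASIS WS-Security 1.0 UsernameToken with a PasswordDigest, then performs the checks a Provider would make on receipt: a digest rather than a clear-text password, a fresh wsu:Created timestamp, a nonce that has not been seen before, and a constant-time digest comparison. The user name, password, nonce, timestamps and SOAP body are constructed for the example, and the credential store is a plain dictionary standing in for whatever the Provider actually uses.

```python
"""WS-Security 1.0 UsernameToken with PasswordDigest: client build and provider check.

Added illustration only; not code from the DHS WS-Profiles or this Framework.
User name, password, nonce, timestamps and SOAP body are constructed. Stdlib only.
"""
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP12 = "http://www.w3.org/2003/05/soap-envelope"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
TS = "%Y-%m-%dT%H:%M:%SZ"

for prefix, uri in (("soap", SOAP12), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(prefix, uri)


def password_digest(nonce, created, password):
    """UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_envelope(username, password, body_xml, created=None, nonce=None):
    """Client side: wrap body_xml in a SOAP 1.2 envelope carrying a digest UsernameToken."""
    created = created or datetime.now(timezone.utc).strftime(TS)
    nonce = nonce if nonce is not None else secrets.token_bytes(16)
    env = ET.Element("{%s}Envelope" % SOAP12)
    header = ET.SubElement(env, "{%s}Header" % SOAP12)
    sec = ET.SubElement(header, "{%s}Security" % WSSE, {"{%s}mustUnderstand" % SOAP12: "true"})
    tok = ET.SubElement(sec, "{%s}UsernameToken" % WSSE)
    ET.SubElement(tok, "{%s}Username" % WSSE).text = username
    pw = ET.SubElement(tok, "{%s}Password" % WSSE, {"Type": DIGEST})
    pw.text = password_digest(nonce, created, password)  # the password itself never goes on the wire
    ET.SubElement(tok, "{%s}Nonce" % WSSE, {"EncodingType": B64}).text = base64.b64encode(nonce).decode("ascii")
    ET.SubElement(tok, "{%s}Created" % WSU).text = created
    ET.SubElement(env, "{%s}Body" % SOAP12).append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="utf-8")


class UsernameTokenVerifier:
    """Provider side: check the token before the body is dispatched to the service."""

    def __init__(self, credentials, max_skew=timedelta(minutes=5)):
        self.credentials = credentials  # username -> password; a constructed store
        self.max_skew = max_skew
        self.seen = set()  # (nonce, created) pairs; bound this to max_skew in production

    def verify(self, envelope, now=None):
        """Return the authenticated user name, or raise ValueError with the reason."""
        now_dt = datetime.strptime(now, TS).replace(tzinfo=timezone.utc) if now else datetime.now(timezone.utc)
        root = ET.fromstring(envelope)
        tok = root.find("{%s}Header/{%s}Security/{%s}UsernameToken" % (SOAP12, WSSE, WSSE))
        if tok is None:
            raise ValueError("no UsernameToken in wsse:Security header")
        username = tok.findtext("{%s}Username" % WSSE)
        pw = tok.find("{%s}Password" % WSSE)
        nonce_el = tok.find("{%s}Nonce" % WSSE)
        created = tok.findtext("{%s}Created" % WSU)
        # Refuse PasswordText: a clear-text password relies entirely on the transport.
        if pw is None or pw.get("Type") != DIGEST:
            raise ValueError("PasswordDigest required")
        if nonce_el is None or created is None:
            raise ValueError("Nonce and wsu:Created are mandatory with PasswordDigest")
        created_dt = datetime.strptime(created, TS).replace(tzinfo=timezone.utc)
        if abs(now_dt - created_dt) > self.max_skew:
            raise ValueError("Created is outside the freshness window")
        nonce = base64.b64decode(nonce_el.text)
        if (nonce, created) in self.seen:
            raise ValueError("replayed token")
        password = self.credentials.get(username)
        if password is None:
            raise ValueError("unknown user")
        expected = password_digest(nonce, created, password)
        if not hmac.compare_digest(pw.text or "", expected):
            raise ValueError("digest mismatch")
        self.seen.add((nonce, created))
        return username


def rejection_reason(verifier, envelope, now):
    """None if the token is accepted, otherwise the reason it was refused."""
    try:
        verifier.verify(envelope, now)
        return None
    except ValueError as exc:
        return str(exc)
```

The digest construction is the one defined by the WS-Security UsernameToken Profile 1.0. It keeps the password off the wire but does not stop offline guessing by anyone who captures a token, so the TLS Profile still applies underneath it; in a real deployment the nonce cache must be bounded to the freshness window or it grows without limit.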

Standards used in the DHS WS-Profiles

The standards used in the DHS WS-Profiles include (but are not limited to):

XML

XSD

SOAP 1.1, 1.2

HTTP 1.0, 1.1

WS-Addressing

WSDL 1.1

WS-Security 1.1

WS-Policy 1.5

WS-Policy Attachment

MTOM

XOP

PKI

ATS5820

Taxonomy

Business information is encoded into a web service message using XML. The information is broken into data elements within the XML stream, with each element given an appropriate, identifying name. The Standard Business Reporting AU (definitional) Taxonomy (SBR Taxonomy) will be the primary reference for naming of XML elements used to pass business information within a web service message [10]. A Reliance Framework Taxonomy will be established based on the SBR Taxonomy and will be added to, where required, to meet the specific needs of the Reliance Framework. Agency-specific taxonomies will only be used where the SBR and Reliance Framework Taxonomies are acknowledged to omit a suitable definition for the information to be encoded.

[10] See http://www.sbr.gov.au/about-sbr/what-is-sbr/sbr-taxonomy for further information.

Authentication protocol

This protocol details the Web SSO and account linking messages that are exchanged between the Authentication Hub and participating Agencies. It provides an outline of the architecture of the Authentication Hub in order to give the broad system context for the Authentication Hub Protocol. Further, the protocol specifies the responsibilities and requirements for an Agency to use the Authentication Hub, i.e. to implement the Authentication Hub Protocol.

The key features of the Authentication Hub Protocol are:

Standards based. The Authentication Hub Protocol is based on the SAML 2.0 standard for identity federation.

Minimise changes for Agencies. The protocol does not require changes to existing application architectures, online services, or security policies.

Ease of adoption. The Authentication Hub is designed to lower the barriers to entry for an Agency without compromising security. It uses well-defined and accepted standards for authentication and leverages existing Agency processes for registration.

Privacy Enhancing. The Authentication Hub will use anonymous identifiers to link Agency identities, and will not store or use any confidential personal data or Agency-specific identity data, including Agency program identifiers.

Extensibility. The Authentication Hub architecture is designed to be extended in future to support new authentication credentials and registration business processes.

Supports NeAF. The Authentication Hub Protocol supports the principles of the National e-Authentication Framework (NeAF) by providing the Agency with information about the credentials used by a user during the authentication process.
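One way the anonymous linking identifiers could work, as an added illustration rather than the Authentication Hub's actual scheme: the hub derives a distinct opaque identifier for each (user, Agency) pair with HMAC-SHA256 under a hub-held key and asserts it as a SAML persistent NameID. Each Agency stores the mapping from that identifier to its own program identifier; the hub never holds the program identifier, and two Agencies comparing the identifiers they received learn nothing about whether they refer to the same person. The entity IDs, program identifier, credential label and key are invented for the example.

```python
"""Pairwise pseudonymous identifiers for hub-mediated account linking.

Added illustration only; not the Authentication Hub's actual identifier scheme.
Assumes the hub holds one secret key and derives a per-(user, Agency) identifier
with HMAC-SHA256. Entity IDs, program identifiers and keys are invented.
"""
import base64
import hashlib
import hmac
import secrets

PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def derive_pairwise_id(hub_key, hub_user_id, agency_entity_id):
    """Opaque and stable per (user, agency); unlinkable across agencies without hub_key.

    The "ppid" label and NUL separators give domain separation, so one (user, agency)
    layout cannot collide with another use of the same key."""
    msg = b"ppid\x00" + hub_user_id.encode("utf-8") + b"\x00" + agency_entity_id.encode("utf-8")
    mac = hmac.new(hub_key, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode("ascii")


class Hub:
    """Authentication Hub: knows users only by a random internal handle."""

    def __init__(self, hub_key=None):
        self.hub_key = hub_key or secrets.token_bytes(32)
        self.users = {}  # internal handle -> credential record (constructed)

    def enrol(self, credential_id):
        handle = secrets.token_hex(16)  # random; not derived from any Agency identifier
        self.users[handle] = credential_id
        return handle

    def name_id_for(self, handle, agency_entity_id):
        """The SAML NameID the hub would assert to this Agency for this user."""
        if handle not in self.users:
            raise KeyError("unknown user")
        return {"Format": PERSISTENT,
                "SPNameQualifier": agency_entity_id,
                "value": derive_pairwise_id(self.hub_key, handle, agency_entity_id)}


class Agency:
    """Relying party: links the pairwise NameID to its own program identifier."""

    def __init__(self, entity_id):
        self.entity_id = entity_id
        self.links = {}  # pairwise id -> local program identifier

    def link(self, name_id, local_program_id):
        # Only accept a persistent NameID qualified for this Agency, never another SP's.
        if name_id["Format"] != PERSISTENT or name_id["SPNameQualifier"] != self.entity_id:
            raise ValueError("NameID not issued for this agency")
        self.links[name_id["value"]] = local_program_id

    def resolve(self, name_id):
        if name_id["SPNameQualifier"] != self.entity_id:
            return None
        return self.links.get(name_id["value"])

    def unlink(self, name_id):
        """Account unlinking, as driven by SAML Name Identifier Management (Terminate)."""
        return self.links.pop(name_id["value"], None) is not None
```

The same user yields a different value at every Agency, and rotating the hub key would change every identifier at once, so in practice the key needs the same protection and lifecycle planning as any other long-lived signing secret.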

The Authentication Hub Protocol utilises various SAML 2.0 profiles to address different requirements, including:

Web Browser SSO Profile: The Web Browser SSO Profile specifies how SAML authentication assertions are communicated between an identity provider and service provider to enable single sign-on for a web browser user.

Name Identifier Management Profile: This is a simple request-response exchange that can originate at either the identity provider or the service provider and is used as part of the Account Unlinking elements of the Authentication Hub Protocol.
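What the Agency side of the Web Browser SSO Profile must check before it acts on an assertion, as an added example that is not code from the Authentication Hub Protocol. It assumes the XML signature over the Assertion has already been verified against the hub's metadata certificate with an XML-DSig library (for example xmlsec); the remaining checks are status, issuer, validity window with clock skew, AudienceRestriction, the bearer SubjectConfirmation's Recipient and InResponseTo against an AuthnRequest the Agency actually issued, and a replay cache of assertion IDs. The sample Response, entity IDs, URLs and the PPID value are constructed.

```python
"""Agency-side checks on a SAML 2.0 Web Browser SSO Response (added illustration).

Assumes the XML signature over the Assertion was already verified elsewhere.
SAMPLE_RESPONSE and every name, URL and ID below are constructed.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TS = "%Y-%m-%dT%H:%M:%SZ"


def q(ns, tag):
    return "{%s}%s" % (ns, tag)


def utc(stamp):
    return datetime.strptime(stamp, TS).replace(tzinfo=timezone.utc)


class ResponseValidator:
    def __init__(self, sp_entity_id, acs_url, hub_entity_id, skew=timedelta(minutes=2)):
        self.sp, self.acs, self.hub, self.skew = sp_entity_id, acs_url, hub_entity_id, skew
        self.outstanding = set()  # AuthnRequest IDs we issued and have not yet consumed
        self.seen = set()         # assertion IDs already accepted (replay cache)

    def expect(self, request_id):
        self.outstanding.add(request_id)

    def validate(self, response_xml, now):
        """Return subject details if every check passes; raise ValueError otherwise."""
        now = utc(now)
        root = ET.fromstring(response_xml)
        code = root.find(q(SAMLP, "Status") + "/" + q(SAMLP, "StatusCode"))
        if root.tag != q(SAMLP, "Response") or code is None or code.get("Value") != SUCCESS:
            raise ValueError("not a successful samlp:Response")
        assertions = root.findall(q(SAML, "Assertion"))
        if len(assertions) != 1:
            raise ValueError("expected exactly one Assertion")
        a = assertions[0]
        if a.findtext(q(SAML, "Issuer")) != self.hub:
            raise ValueError("Issuer is not the hub")
        if a.get("ID") in self.seen:
            raise ValueError("assertion replayed")
        cond = a.find(q(SAML, "Conditions"))
        if cond is None:
            raise ValueError("Conditions missing")
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + self.skew < utc(nb):
            raise ValueError("assertion not yet valid")
        if noa and now - self.skew >= utc(noa):
            raise ValueError("assertion expired")
        if self.sp not in [e.text for e in cond.iter(q(SAML, "Audience"))]:
            raise ValueError("this Agency is not in AudienceRestriction")
        subject = a.find(q(SAML, "Subject"))
        if subject is None:
            raise ValueError("Subject missing")
        matched = None  # the AuthnRequest ID this bearer confirmation answers
        for sc in subject.findall(q(SAML, "SubjectConfirmation")):
            data = sc.find(q(SAML, "SubjectConfirmationData"))
            if sc.get("Method") != BEARER or data is None or data.get("Recipient") != self.acs:
                continue
            if data.get("InResponseTo") not in self.outstanding:
                continue  # unsolicited, or answers a request already consumed
            exp = data.get("NotOnOrAfter")
            if exp and now - self.skew >= utc(exp):
                continue
            matched = data.get("InResponseTo")
            break
        if matched is None:
            raise ValueError("no acceptable bearer SubjectConfirmation")
        self.outstanding.discard(matched)
        self.seen.add(a.get("ID"))
        return {"name_id": subject.findtext(q(SAML, "NameID")),
                # NeAF: the hub states which credential class the user authenticated with.
                "authn_context": a.findtext(".//" + q(SAML, "AuthnContextClassRef"))}


def rejection_reason(validator, response_xml, now):
    """None if the Response is accepted, otherwise the reason it was refused."""
    try:
        validator.validate(response_xml, now)
        return None
    except ValueError as exc:
        return str(exc)


SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
 IssueInstant="2012-09-01T00:00:00Z" InResponseTo="_req1" Destination="https://agency.example/acs">
 <saml:Issuer>https://hub.example/idp</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2012-09-01T00:00:00Z">
  <saml:Issuer>https://hub.example/idp</saml:Issuer>
  <saml:Subject>
   <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
    SPNameQualifier="https://agency.example/sp">PPID-7f3a</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData InResponseTo="_req1" Recipient="https://agency.example/acs"
     NotOnOrAfter="2012-09-01T00:05:00Z"/>
   </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2012-09-01T00:00:00Z" NotOnOrAfter="2012-09-01T00:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://agency.example/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2012-09-01T00:00:00Z"><saml:AuthnContext>
   <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement>
 </saml:Assertion>
</samlp:Response>"""
```

Tracking InResponseTo is what lets the Agency reject an unsolicited or replayed assertion; the AuthnContextClassRef it returns is the hub's statement of the credential used, which is the information the NeAF-related feature above relies on.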

Only a subset of the SAML v2 authentication protocols has been configured for use. Additional protocol support can be adopted to:

Enhance usability for SSO interactions

Support access via mobile devices

Additional credential verification services may be required to support authentication and account linking interactions. These services will use the SAML v2 standards where possible, but the standard may not support some of these interactions. In that case, interfaces will be defined, adopted as standards, and exposed in accordance with the DHS WS-Profiles.

Other authentication protocols such as OpenID and OAuth may be considered in future to support interoperability with service providers and identity providers in accordance with the architectural principles outlined.

Standards used in the Authentication Protocol

The standards used in the Authentication Protocol include (but are not limited to):

SAML v2.0

SSL 3.0 / TLS 1.0 (note that SSL 3.0 has since been prohibited by RFC 7568 and TLS 1.0 deprecated by RFC 8996; deployments should negotiate TLS 1.2 or later)

All other standards are as specified in the DHS WS-Profiles.

6. Governance

Governance authority and responsibility for this Assurance Framework will be vested in the Secretaries ICT Governance Board (SIGB).

The SIGB will consult with the Authentication Governance Committee (AGIMO) and the Reliance Framework Board (DHS) including with respect to:

standardising the interpretation and application of the non-specific measurement statements in Section 3 of the Framework (e.g. appropriate, effective, where possible, etc); and

development of conformity assessment management regimes as required.

The governance of other technical standards (e.g. those used for data exchange etc.) used in the Reliance Framework will initially be managed by the Reliance Framework Board.

Agencies and Providers should be aware that the Office of the Australian Information Commissioner (OAIC) is the national privacy regulator.

On a day to day basis policy and operational support will be provided by the:

Department of Finance and Deregulation (AGIMO);

Attorney-General's Department (policy and operational support for AGD policies and services, e.g. PSPF, NISS and DVS); and

Defence Signals Directorate.

Development of a business case to establish the viability of an NTIF will address the issue of longer term governance arrangements.


7. ICT Procurement

The Commonwealth Procurement Rules (CPRs) represent the Government Policy Framework under which agencies govern and undertake their own procurement and combine both Australia's international obligations and good practice. Together, these enable agencies to design processes that are robust, transparent and instil confidence in the Australian Government's procurement.

Further detail is available at http://www.finance.gov.au/procurement/procurement-policy-and-guidance/commonwealth-procurement-rules/index.html

Limiting Supplier Liability in ICT Contracts with Australian Government Agencies

The Australian Government’s ICT liability policy recognises that requiring unlimited liability and inappropriately high levels of insurance can be a significant impediment to companies wishing to bid for Australian Government contracts. This is particularly the case for small and medium sized ICT firms.

A Guide to Limiting Supplier Liability in Information and Communications Technology (ICT) Contracts with Australian Government Agencies (second edition, May 2010) was issued by the Department of Industry, Innovation, Science, Research and Tertiary Education. This policy relates to Government agencies subject to the Financial Management and Accountability Act 1997 (the FMA Act) and requires that the liability of ICT suppliers contracting with agencies be, in most cases, capped or limited at appropriate levels based on the outcomes of a risk assessment. See http://www.innovation.gov.au/Industry/InformationandCommunicationsTechnologies/Documents/LimitingLiabilityReport.pdf

The ICT liability policy is stated in Finance Circular 2006/03, Limited Liability in Information and Communications Technology Contracts. See also Finance Circular 2003/02, Guidelines for Issuing and Managing Indemnities, Guarantees, Warranties and Letters of Comfort. Procurement-related Finance Circulars are located at http://www.finance.gov.au/publications/finance-circulars/procurement.html

Additional Resources

Finance Circulars link is http://www.finance.gov.au/publications/finance-circulars/index.html


8. Future NTIF related Activities

There is a substantial body of work required to give operational effect to the Assurance Framework.

The development of a business case to establish the viability of an NTIF will consider how to enable this work, including:

o Access to the DVS by Providers

o Development of an integrated and robust conformity assessment program for Providers of mailbox/data-vault and authentication services

o Consideration of claim/assertion based authentication.

o Whether an agency procurement process applies in all cases, or whether agencies simply act as a relying party on data/credentials stored and produced by a third party.

o The nature and extent of consumer / agency advice that may be required in relation to 3rd party service providers.

o Proposals for centralised storage of personal information, use of offshore clouds or the use of people’s personal information for marketing purposes.

o Development of appropriate capability maturity models for commercial providers of identity management services.

o Clarification of the obligations under the Privacy Act and the proposed obligations under the Amendment Bill with respect to anonymous and pseudonymous transactions.

o Development of appropriate long term governance models including but not limited to responsibilities for conformity assessment, provider service standards, on-going support, upgrade/release/change processes etc.


Attachment 1

Joint Accreditation System of Australia and New Zealand (JAS-ANZ)

The Joint Accreditation System of Australia and New Zealand (JAS-ANZ) was established by Treaty in 1991 by the Australian and New Zealand governments to strengthen the trading relationship between the two countries and with other countries.

The JAS-ANZ Treaty established the Governing Board, Technical Advisory Council and Accreditation Review Board. The Treaty requires JAS-ANZ to operate a joint accreditation system and to deliver on the following four goals:

Integrity and Confidence: To maintain a joint accreditation system that will give users confidence that goods and services certified by accredited bodies meet established standards.

Trade Support: To obtain and maintain acceptance by Australia’s and New Zealand’s trading partners of domestic management systems and exported goods and services.

Linkages: To link with relevant bodies which establish or recognise standards for goods and services or which provide conformity assessment. Through these linkages, JAS-ANZ can influence outcomes in international and national standards and guidance on conformity assessment so that Australian and New Zealand interests are not disadvantaged.

International Acceptance: To obtain mutual recognition and acceptance of conformity assessment with relevant bodies in other countries. Mutual Recognition Arrangements/Agreements (MRAs) and Multilateral Recognition Arrangements (MLAs) deliver a systematic framework for acceptance of conformity assessment results between trading nations.

Structure and Governance

JAS-ANZ operates on a not-for-profit basis. Under the formal direction of a Governing Board, the Technical Advisory Council and Accreditation Review Board support the development and implementation of policies and principles that underpin the operation of the joint accreditation system.

Through a network of international ties JAS-ANZ is subject to periodic peer review. JAS-ANZ has a secretariat of 20 to assist the Governing Board fulfil its obligations.

Operations

JAS-ANZ activities are structured around five distinct disciplines or programs: management systems certification, product certification, personnel certification, inspection, and greenhouse gas validation and verification.

Under these five programs, JAS-ANZ recognises 125 public and proprietary schemes that have been developed by or in conjunction with public authorities and industry groups. The schemes provide a level of confidence to support exchange of products and services across a wide range of industry sectors.


Over 90 certification and inspection bodies are accredited, with the largest number concentrated in management systems. Over 70,000 accredited certificates are issued in over 80 countries to address the need for authoritative attestations of conformity.

A high proportion of JAS-ANZ’s effort centres on five areas of economic and social activity:

Business Processes and Innovation;

Health and Human Services;

Food and Biological Systems;

Product Performance and Safety; and

Environmental Management.

JAS-ANZ’s operations also extend to providing technical support for the development of infrastructure capabilities in developing nations; current projects involve Laos and Cambodia.

International engagement

A key role for JAS-ANZ is establishing international arrangements with other countries to accept one another's certificates and inspection reports, thereby removing a technical barrier to trade. An important mechanism for this is membership of international organisations which provide the framework of multilateral agreements (MLAs) under which signatories recognise one another's accredited certificates and inspection reports.

JAS-ANZ is an active member of the key accreditation organisations including the International Accreditation Forum (IAF), the Pacific Accreditation Cooperation (PAC), and the Asia Pacific Laboratory Accreditation Cooperation (APLAC).

JAS-ANZ is also a member of the Multilateral Cooperative Accreditation Arrangement (MCAA), a collaborative arrangement between a number of international accreditation bodies that facilitates the sharing of information relating to signatory accredited bodies and cooperation in the servicing of these bodies.

Contact details

Tel: +61 2 6232 2000
Fax: +61 2 6262 7980
Postal Address: GPO Box 170, Canberra ACT 2601
Email: [email protected]

www.jas-anz.org


Attachment 2

Kantara Initiative Identity Assurance Levels: Snapshot View

Assurance Level | Example | Assessment Criteria – Organization | Assessment Criteria – Identity Proofing | Assessment Criteria – Credential Management
--- | --- | --- | --- | ---
AL 1 | Registration to a news website | Minimal organizational criteria | Minimal criteria – self assertion | PIN and password
AL 2 | Change of address of record by a beneficiary | Moderate organizational criteria | Moderate criteria – attestation of Govt ID | Single factor; prove control of token through authentication protocol
AL 3 | Access to an online brokerage account | Stringent organizational criteria | Stringent criteria – stronger attestation and verification of records | Multi-factor auth: cryptographic protocol; "soft", "hard", or "OTP" tokens
AL 4 | Dispensation of a controlled drug or $1M bank wire | Stringent organizational criteria | More stringent criteria – stronger attestation and verification | Multi-factor auth with hard tokens only; crypto protocol with keys bound to auth process

Source: http://kantarainitiative.org/idassurance/


Attachment 3

HMG Information Assurance Maturity Model

Criteria | L1 Initial | L2 Established | L3 Business Enabling | L4 Quantitatively Managed | L5 Optimised
--- | --- | --- | --- | --- | ---
Leadership and Governance | R/A/G | R/A/G | R/A/G | R/A/G | R/A/G
Training, Education and Awareness | R/A/G | R/A/G | R/A/G | R/A/G | R/A/G
Information Risk Management | R/A/G | R/A/G | R/A/G | R/A/G | R/A/G
Through-Life IA Measures | R/A/G | R/A/G | R/A/G | R/A/G | R/A/G
Assured Information Sharing | R/A/G | R/A/G | R/A/G | R/A/G | R/A/G
Compliance | R/A/G | R/A/G | R/A/G | R/A/G | R/A/G

Each cell records a Red/Amber/Green (R/A/G) rating of the organisation against that criterion at that level, as defined below.

RED – There are crucial deficiencies against the performance required at this level. Major elements of the business Information Risk Management and Information Assurance processes have yet to be addressed.

RED/AMBER – There are major deficiencies against the performance required at this level. Major elements of the business Information Risk Management and Information Assurance processes are not being addressed, and there are no credible plans to address the situation.

AMBER – There are significant deficiencies against the performance required at this level. Some elements of the business Information Risk Management and Information Assurance processes are not being addressed, or such plans as exist have not been formally endorsed by the business.

GREEN/AMBER – There are only minor deficiencies against the business Information Risk Management and Information Assurance processes required at this level. Credible progress is being made against plans endorsed by the business.

GREEN – There are negligible deficiencies against the performance required at this level. Business Information Risk Management and Information Assurance processes are fully met.

Levels (cumulative)

1 Initial – awareness of weaknesses and policies established to guide improvement

2 Established – information assurance processes are institutionalised, strategic approach adopted, program of targeted education and awareness raising

3 Business Enabling – measured improvement at all levels of the organisation including commercial suppliers

4 Quantitatively Managed – staff attitudes to information assurance are aligned to business needs, metrics are established to support risk management

5 Optimised – information assurance fully integrated as normal business and regarded at all levels as a business enabler


The Capability Maturity Model set out above is drawn from the UK Government (see www.cesg.gov.uk/products_services/iacs/iamm/media/iamm-assessment-framework_v2.pdf). Further examples of such models may be found at http://www.eurim.org.uk/activities/ig/voi/information.php.

Attachment 4

National Identity Security Strategy

(See www.ag.gov.au/identitysecurity)

Commonwealth, State and Territory Governments agreed to a National Identity Security Strategy (NISS) in 2007. The NISS provides a framework for inter-governmental cooperation to enhance identification and verification processes, combat identity theft and prevent the misuse of stolen identities. The NISS was reviewed and revised during 2012 to ensure it remains responsive to the rapidly evolving nature of identity crime and misuse.

In seeking to engage commercial providers, agencies should have regard for the following guiding principles contained in the NISS 2012 [11]:

Protecting the identity information of Australians is a shared responsibility

The community’s confidence in business and public trust in government is supported by identity security

To deter crime and foster national security, identity security must be based on a risk management approach

Commonly accepted identity credentials must be supported by strong security measures, and

Identity security needs to be a core feature of standard business processes and systems.

Enrolment

The Gold Standard Enrolment Framework (GSEF) is a key outcome of the National Identity Security Strategy (NISS). The GSEF was developed for government agencies issuing physical identity credentials.

The GSEF details a ‘gold standard’ that gives agencies confidence in the identity of an individual. It reduces the risk in registrations due to the use of false identities as well as minimising multiple enrolments for fraudulent purposes. The GSEF specifies that agencies should verify the validity of identity credentials presented at enrolment. The DVS is a tool that can be used to ‘match’ the information on the credential with information held by the issuing agency.

For level 4 assurance authentication solutions the GSEF processes must be adopted by commercial providers. For lower level assurance, GSEF processes should be considered on a risk basis. It is important that the identities of persons accessing government services, benefits, official documents and positions of trust are verified to a level of assurance appropriate for the service requested.

[11] COAG endorsement of the NISS 2012 is anticipated in late 2012.

Data integrity

(See www.ag.gov.au/identitysecurity)

Noting agency obligations to maintain the integrity of their own data holdings, commercial providers of authentication services must:

o Ensure that each applicant's identity record is unique within the service's community of subjects and uniquely associable with tokens and/or credentials issued to that identity.

Multiple, incorrect or fraudulent registrations undermine the ability of governments to allocate entitlements, collect revenue, provide services effectively and efficiently and comply with privacy obligations. Poor data integrity also undermines the effectiveness of the DVS. Data cleansing (single-agency focused) and data matching (multi-agency focused) are two tools for improving the integrity of data.

When third parties are establishing identity records they should have regard for the Attorney-General’s Department’s Recording of a name to establish identity – Better practice guidelines for Commonwealth agencies. It provides guidance on consistency and uniformity in use of name policy, procedures and naming conventions. The guidelines are designed as a best practice reference guide for collecting and recording identity information as well as for ongoing management, including amendments to identity information.

National e-Authentication Framework

(See http://www.finance.gov.au/e-government/security-and-authentication/authentication-framework.html)

The National e-Authentication Framework [12] (NeAF) provides agencies with a methodology to undertake identity-risk assessments and thereby determine the level of authentication assurance required for a particular online transaction (or set of similar transactions).

The authentication process provides assurance that a credential was issued to a specified individual. It does not address:

o Whether on subsequent presentation of that credential the individual to whom it was issued remains in control of the credential

o What access rights or authority the individual has to obtain information from an agency

o What services an individual may be entitled to receive from an agency

[12] See http://www.finance.gov.au/e-government/security-and-authentication/authentication-framework.html

These processes remain within the control of the relying party (ie the agency from whom the individual is seeking services).

The NeAF is equally applicable to commercial providers of authentication services.

The NeAF defines 5 levels of assurance as follows:

Level 0 – No assurance: No confidence is required in the identity assertion.

Level 1 – Minimal assurance: Minimal confidence is required in the identity assertion.

Level 2 – Low assurance: Low confidence is required in the identity assertion.

Level 3 – Moderate assurance: Moderate confidence is required in the identity assertion.

Level 4 – High assurance: High confidence is required in the identity assertion.

By extension the NeAF also allows an assessment of the level of assurance associated with authentication credentials issued by commercial providers (assuming there is a level of transparency associated with registration and enrolment processes and credential management practices).

Noting that identity risks are a subset of an agency’s wider risk environment, application of the NeAF principles should occur in the context of a provider’s overall risk management processes.

The Gatekeeper PKI Framework recognises that, unlike lower assurance authentication credentials (such as username/passwords), public-key digital certificates have specific characteristics that warrant both a policy framework for their use within Government and an accreditation program for providers of such credentials (see www.gatekeeper.gov.au).

The requirements for obtaining Gatekeeper accreditation (including compliance with the ISM and PSPF) apply to commercial and government providers.

ISO/IEC 29115 Entity Authentication Assurance

Draft ISO Standard 29115 Entity Authentication Assurance [13] states:

Assurance ... refers to the confidence placed in all of the processes, management activities, and technologies used to establish and manage the identity of an entity for use in authentication transactions.

The Standard specifies four Levels of Assurance (LoA), where LoA is a function of the processes, management activities, and technical controls that have been implemented by the provider:

Level | Description
--- | ---
1 – Low | Little or no confidence in the claimed or asserted identity
2 – Medium | Some confidence in the claimed or asserted identity
3 – High | High confidence in the claimed or asserted identity
4 – Very high | Very high confidence in the claimed or asserted identity

[13] Note that the standard is still at the Final Draft stage.


Given that all elements of a provider’s operations impact the level of assurance associated with a credential, integrated service offerings such as mailboxes, data vaults and/or data management services need to be assessed on a holistic rather than compartmental basis.

As such, consideration of a service provider’s security (physical, logical and personnel) becomes relevant in addition to the controls that are implemented to ensure the privacy of information.

Note that the draft ISO standard links authentication to identity. While the NeAF also makes such a link it also explicitly recognises that authentication applies to any assertion – be it an attribute of identity (eg date of birth) or non-identity attributes (eg a street address).

o To more fully understand the scope of authentication services it is necessary to consider the definition of identity and the extent to which that is both necessary and sufficient in relation to this Assurance Framework.

Storage and processing of Australian Government information in offshore arrangements

New ICT business models such as cloud computing coupled with the ever increasing speed and volume of transactions - while providing significant opportunities - have highlighted additional risks to the control of Government information in outsourced and offshore arrangements. There is additional complexity when Government information transits multiple jurisdictions, including the application of other jurisdictions’ laws and the use of foreign-flagged companies. These additional complexities increase the difficulty in assessing the risk to the storing and processing of Government information outside Australia.

In addition, foreign-owned ICT service providers operating in Australia may also be subject to other laws such as a foreign government’s lawful access to information controlled by the service provider.

APS agencies currently make a risk-based decision on the location and hosting of government information based on the Protective Security Policy Framework, the Information Security Manual and the Privacy Act 1988. The Defence Signals Directorate recommends against outsourcing information technology services and functions outside of Australia, unless agencies are dealing with data that is all publicly available. DSD strongly encourages agencies to choose either a locally-owned vendor or a foreign-owned vendor that is located in Australia and stores, processes and manages sensitive data only within Australia. Current government policy, as outlined in the Cloud Computing Strategy and supporting documents, is to not store sensitive or personal information in the public cloud.

In the context of people being able to choose to use (as opposed to agencies procuring) commercial data vault or authentication services the responsibility shifts away from agencies (other than as a relying party) to the individual concerned. In such circumstances the Assurance Framework will specify criteria against which agencies can assess such service offerings. Such criteria must be consistent with existing policy frameworks such as the PSPF/ISM and the cloud strategy. Agencies will apply a risk assessment process in making decisions to rely on data or credentials known to be stored by an individual outside Australia.


Cloud Service Provider – Security assurance

(See http://www.finance.gov.au/e-government/strategy-and-governance/cloud-computing.html)

By their very global nature, cloud services, particularly the public cloud, offer numerous potential benefits in terms of cost, efficiency and flexibility. However, it is recognised that in transitioning government services to the cloud, a degree of agency control over the operational environment would be removed. Certain characteristics of cloud – such as resource pooling and its global infrastructure – differentiate its risk profile from that of traditional outsourced arrangements.

Traditional outsourcing arrangements enable an agency to have a formal contract and service level agreement which establishes the security, operational and governance controls necessary to provide it with the required level of assurance or comfort.

This may not always be the case with cloud services. Cloud services therefore present new challenges, specifically around governance, risk management, standards, security, information management including data portability and interoperability, and service management.

These are issues that need to be considered in any arrangement for mailbox or vault providers.

Data Centre Strategy

(See http://www.finance.gov.au/e-government/infrastructure/data-centres.html)

The Australian Government Data Centre Strategy 2010-2025 enables scope for the range of assurance options. Through the Data Centre Facilities Panel, agencies can source data centre facilities. For the highest level of assurance, agencies can securely house their ICT assets in these facilities. The operators of the data centre facilities available through the panel have committed to specific security and audit measures.

Agencies must operate the ICT systems in the data centre facilities. The data centre facilities operator will manage the physical environment only. A suitably qualified external service provider might also be able to manage the ICT services.

At the other extreme of data centre sourcing is the ‘cloud services’ contract. While the ICT service is created using ICT systems based in a data centre, the contract is for a specific ICT service, such as e-mail or data vault. These data centres will usually not be on the Data Centre Panel, even though they are located in Australia.

DCaaS providers may offer commercial services such as mailbox and data vaults to individual citizens. The security and privacy standards that must be met as a result of being a DCaaS provider may or may not be adequate to support the provision of such additional services.


Mobile Strategy

There is a global trend toward the use of mobile technology. Smartphones, tablet computers and app stores are part of a global market worth an estimated AUD$300 billion in 2011. Australian citizens are also increasingly using mobile services.

The Australian Government is developing a strategy to encourage agencies to exploit this trend to increase the effectiveness of their service delivery, and to increase staff productivity. However, this mobile technology trend is fuelled by consumers. As a consequence, privacy and security have been designed more toward commercial than government considerations.

As identified earlier in this paper the Assurance Framework must be technology and platform agnostic.

Other Policies

The applicability of other government and some market based policies will be dependent on the types of data that individuals intend to store in their “vault” or transactional information stored in their inbox.

The nature of such information will have a clear impact on the level and type of security controls that providers will necessarily have to implement. If providers do not limit the types of information that can be stored then by default, security requirements will have to be set at the highest level of assurance.

For example:

• storage of financial data is likely to require provider compliance with Payment Card Industry (PCI) rules

o see https://www.pcisecuritystandards.org/

• storage of health data will require compliance with relevant health legislation

• storage of digital (or digitised) credentials (eg passport or licence images) will necessarily require more stringent security arrangements as documents such as licences and passports remain the property of the issuing Government authority.

Consideration may also need to be given to the requirements of the US Sarbanes-Oxley Act of 2002 (SOX) which ushered in a new era of business rules regarding the storage and management of corporate financial data. SOX holds many publicly held companies and all Registered Public Accounting Firms to a rigorous set of standards. These rules set guidelines for how data should be stored, accessed, and retrieved.
