TFTM Deliverable 01-06

2014 Trustmark and Conformance Program

Discussion Deck

TFTM Committee, May 07, 2014

IDESG TFTM Committee

Meeting Agenda

• 2014 Goal
• Meeting Objectives
• Approach
• Assumptions
• Conformance Assessment/Assertion Comparison
  • Self-Attestation
  • Self-Certification
  • 3rd Party Certification
  • Overview
• Next Steps

2014 TFTM Sub-Committee 01-06 Goal

• Develop and establish an initial IDESG Trustmark and conformance program for the IDESG IE Framework by the end of 2014.

Meeting Objectives

• Discuss and compare the approach of current industry conformance programs for applicability to the IDESG’s needs.
• Three approaches for discussion today:
  • Self Attestation
  • Self Certification
  • 3rd Party Certification
    • Peer-to-Peer
    • Independent Assessors
    • IDESG Assessment

Format for Comparison of Conformance Programs

• Programs will be compared based upon four primary factors:
  • Resource Burden - the resources required to implement and operate the conformance program
  • Implementation Time - the time needed to establish and implement the program
  • Cost - the cost to both the IDESG and to organizations seeking a conformance assertion
  • Assurance - the assurance that participants are operating in conformance with the rules/framework
• Each factor is expressed on a 3-point scale: High, Moderate, or Low
• This is not intended to be an exhaustive analysis, but a high-level discussion of existing conformance program types and their relative applicability to the IDESG in 2014

Assumptions

• The initial version of the Identity Ecosystem Framework will be complete by the end of 2014, and the key dependencies for conformance program implementation will be met:
  • Functional Model (Security Committee deliverable)
  • Initial Requirements Catalog (TFTM 01-04): committees will create, and the plenary will approve, the requirements
  • Conformance program rules established (policy, process: TFTM 01-07)
• Recommend an approach for 2014 IDESG conformance recognition (e.g., trustmark, trust list, white list, etc.) as a supporting/complementary activity (TFTM 01-06)
• The 2014 program should be open to all IE service providers (e.g., relying parties, credential providers, attribute providers, etc.) regardless of size

Self Attestation

• Participants in a self-attestation framework assert their own conformance with a specified set of rules or requirements
• A written and signed document confirms that the assertions made are true and accurate to the best of the signer's knowledge and belief
• No specific assessments are required for attestation
• Enforcement relies on community awareness and reporting, with potential action through the FTC
• The IDESG could take minimal action, including removal from the white list or revocation of a TM
• Examples:
  • InCommon Bronze
  • Payment Card Industry merchant self-assessment and compliance attestation
  • CMS compliance self-attestation to EHR utilization criteria (aka “meaningful use” standards)

Self Attestation

Resource Burden LOW

• Resources required to implement a self-attestation program are low
• Minimal administrative capability/burden is required to confirm the bona fides of applicants and process applications
• Minimum operational capacity is required to determine the acceptability of applicant bona fides
• Resource burden on applicants would be limited to what is required to complete the application and to provide any new services/controls not currently provided

Implementation Time LOW

• Minimum resource and operational requirements would allow a self-attestation program to be stood up relatively quickly (months rather than years)

Cost LOW

• Cost to the IDESG would be low, requiring only those items needed to stand up the limited administrative and operational process (e.g., application process, communications, file submission/maintenance, certification), which could potentially be handled by existing resources (secretariat, MC, board, committees, etc.)
• Cost to participants should be low, covering the application/renewal processes
• Additional SP costs may be necessary to meet requirements not currently provided

Assurance LOW

• Low assurance that participants are operating in compliance with IEF rules/requirements

Self Certification

• Similar to a self-attestation framework, participants would assert their own compliance with a specified set of rules or requirements, based on an internal review of documentation/operations
• A written and signed document certifies that the results of the internal review are true and accurate, based on the results of the internal review and any other assessments
• Participants may also have to meet periodic internal assessment requirements and may need to provide assessment results or other documentation
• An assessment guide/process would need to be created or established
• Enforcement relies on community awareness and reporting, with potential action through the FTC and revocation of trusted status by the trustmark provider (TM or white list)
• Examples:
  • Federal FedRAMP self-attestation for cloud service security - http://www.FedRAMP.gov
  • Department of Commerce EU/US Safe Harbor Program - http://export.gov/safeharbor
  • Types of PCI self-assessment compliance attestation

Self Certification

Resource Burden LOW to MODERATE

• Resource burden on the IDESG would be low to moderate, depending on the degree of validation required (e.g., submission of internal review documents or other documentation), plus the additional administrative burden of supporting the application and maintenance processes
• Resource burden on applicants would be moderate, requiring periodic internal assessments, potentially new documents, and the establishment of internal processes to support these assessments

Implementation Time LOW

• Development or adoption of assessment standards would increase implementation time; however, leveraging existing frameworks and practices could expedite implementation (6 months to 1 year)

Cost MODERATE

• Cost to the IDESG would be moderate, especially if some degree of validation is performed
• Cost to participants could be higher depending upon existing internal assessment/audit capabilities; organizations with existing structures could leverage them to limit cost, while others may need to stand them up from scratch (small relying parties, etc.)
• Some SPs may incur higher costs in order to meet requirements/documentation not currently provided

Assurance LOW

• Assurance depends on the degree of validation, but would likely not exceed low assurance even with internal review and/or other documentation submission requirements

3rd Party Certification

• A participant's compliance with a set of rules or requirements is confirmed through assessment by an independent 3rd party
• Requires the development of a comprehensive certification and assessment framework (e.g., requirements for service providers, and for assessors in performing assessments)
• May require the development of an accreditation program to qualify assessors against the assessment requirements
• More complex legal arrangements are needed to support the roles/responsibilities of the assessors, the assessed service providers, and the certifying body
• Enforcement relies on community awareness and reporting, with potential action through the FTC and revocation of trusted status by the trustmark provider (TM or white list)
• Examples:
  • Kantara Initiative - http://kantarainitiative.org/tag/certification/
  • FICAM TFS - http://info.idmanagement.gov/2014/03/ficam-tfs-approval-process
  • FICAM TFPAP

3rd Party Certification: Types

• Peer-to-Peer - Participating organizations are assessed for compliance by other framework participants
  • This is typically done on behalf of the certifying body, which makes the actual certification decisions based on the assessment
  • Ex.: AICPA typically uses peer review to maintain CPA certification status
• Independent Assessors - Service providers are assessed for compliance by entities whose sole purpose within the framework is compliance assessment; this supports independence and objectivity in the assessment process
  • May require an accreditation program for assessors
  • This is typically done on behalf of the certifying body, which makes the actual certification decisions based on the assessment
  • Ex.: Kantara Initiative - https://kantarainitiative.org/confluence/display/certification, InCommon Silver
• Certifying Body (IDESG) Assessment - Participating organizations are assessed for compliance directly by the certifying body (e.g., the IDESG)
  • Ex.: FICAM PKI

3rd Party Certification: Peer Review

Resource Burden MODERATE

• The IDESG would need to establish a comprehensive assessment framework and associated processes to support peer review, and support the administrative and operational requirements of the application and certification processes; the IDESG would validate the resulting assessments
• Participating organizations would need to support assessment by peer review, probably onsite, and support services/documentation that are not currently provided

Implementation Time MODERATE

• Development of an assessment framework and associated processes would require more time to develop/implement than a self-attestation or self-certification framework (1-2 years)

Cost HIGH

• Cost to the IDESG would be moderate, primarily focused on assessment framework development and support for the administrative costs of the application/certification processes
• Cost to participants would be high, requiring the capability to conduct assessments on other members of the ecosystem; legal complications and establishing mechanisms for external assessments could be costly

Assurance MODERATE

• The possibility of conflicts of interest in conformance assessments (e.g., market partners or competitors as assessors) could negatively impact assurance
• Lack of professional assessors may limit testing and conformance capabilities

3rd Party Certification: Independent Assessment

Resource Burden MODERATE

• The IDESG would need to establish a comprehensive assessment framework and accreditation program; external assessors would limit steady-state resource requirements, but stand-up needs would be high
• Participating organizations would need to support assessment by third parties; overall resource requirements would likely depend on ecosystem function and existing capabilities

Implementation Time HIGH

• Development of an assessment framework and accreditation program, as well as associated processes, would require significant time (2-3 years)

Cost MODERATE

• Cost to the IDESG would be moderate, primarily focused on assessment framework development and accreditation program development and maintenance
• Cost to participants would be moderate, primarily focused on preparation for assessments and hiring of an assessor

Assurance HIGH

• Independent assessments by qualified and accredited entities should provide high levels of assurance that participants are operating according to established rules and requirements

3rd Party Certification: Certifying Body Assessment

Resource Burden HIGH

• Establishment of an assessment framework and the operational/personnel capacity to conduct assessments would require significant resources for the IDESG; assessments would likely need to be conducted at the SP, increasing administrative burden and costs
• Participating organizations would need to establish the necessary documentation and processes to support assessment by third parties, and share or bear the costs of assessment

Implementation Time HIGH

• Development of an assessment framework and standing up the necessary operational capabilities would take a significant period of time (2+ years)

Cost HIGH

• Cost to the IDESG would be high, requiring significant staff for assessments, administration, and operational requirements
• Cost to participants would be moderate, primarily focused on preparation for assessments and paying any assessment fees

Assurance HIGH

• If operated properly, this should provide a high degree of assurance that participants/SPs are operating in accordance with applicable rules and requirements

Overview

Type                                  Resource Burden   Implementation Time   Cost       Assurance
Self-Attest                           LOW               LOW                   LOW        LOW
Self-Certification                    MODERATE          LOW                   MODERATE   LOW
Peer-to-Peer                          MODERATE          MODERATE              HIGH       MODERATE
Independent Assessment                MODERATE          HIGH                  MODERATE   HIGH
Certifying Party (IDESG) Assessment   HIGH              HIGH                  HIGH       HIGH

Discussion Considerations

1. Other factors for additional evaluation?
2. What can realistically be implemented in 2014 to establish a foundation to build from?
3. What can/should be the target for 2015 and 2016?
4. What are the risks to the IDESG?
5. Would other forms of certification increase the level of assurance for any of these approaches?
   • TFPs, ISO 9000/9001, ISO 27001, CompTIA, BBBOnLine, etc.

Next Steps Summary

1. Develop a recommendation for the 2014 conformance program approach (self attest, self cert, etc.) and discuss it with the full TFTM
2. Prepare a recommendations paper for the plenary on the 2014 Trustmark and Compliance Program