Embed Size (px)
Citation preview
IDESG TFTM Committee 1
TFTM Deliverable 01-06
2014 Trustmark and Conformance Program
Discussion Deck
TFTM CommitteeMay 07, 2014
5-07-2014
IDESG TFTM Committee 2
• 2014 Goal• Meeting Objectives• Approach• Assumptions• Conformance Assessment/Assertion Comparison
• Self-Attestation• Self-Certification• 3rd Party Certification• Overview
• Next Steps
5-07-2014
Meeting Agenda
IDESG TFTM Committee 3
• Develop and establish an initial IDESG Trustmark and conformance program for the IDESG IE Framework by the end of 2014.
5-07-2014
2014 TFTM Sub-Committee 01-06 Goal
IDESG TFTM Committee 4
• Discuss and compare the approach for current industry conformance programs for applicability to the IDESG’s needs.
• Three approaches for discussion today:• Self Attestation• Self Certification • 3rd Party Certification
• Peer-to-Peer• Independent Assessors• IDESG Assessment
5-07-2014
Meeting Objectives
IDESG TFTM Committee 5
• Programs will be compared based upon four primary factors:• Resource Burden- The resources required to implement and operate the
conformance program• Implementation Time- Time needed to establish and implement• Cost- The cost to both the IDESG and organizations seeking conformance
assertion• Assurance- Assurance that participants are operating in conformance with
rules/framework• Express each factor on a 3-point scale: High, Moderate, or Low• This is not intended to be an exhaustive analysis, but a high level
discussion of existing conformance program types and the relative applicability to the IDESG in 2014
5-07-2014
Format for Comparison of Conformance Programs
IDESG TFTM Committee 6
• Initial Version of the Identity Ecosystem Framework will be complete by the end of 2014 and key dependencies for conformance program implementation will be met• Functional Model (Security Committee deliverable)• Initial Requirements Catalog (TFTM 01-04) -- committees will create and
plenary will approve requirements; • Conformance program rules established (policy, process --TFTM 01-07)
• Recommend approach for 2014 IDESG conformance recognition (e.g., trustmark, trust list, white list, etc.) as supporting/complementary activity (TFTM 01-06)
• 2014 Program should be open to all IE service providers – e.g., relying parties, credential providers, attribute providers, etc.— regardless of size
5-07-2014
Assumptions
IDESG TFTM Committee 7
• Participants in a self-attestation framework assert their own conformance with a specified set of rules or requirements
• Written and signed document to confirm that assertions made are true and accurate based on the best knowledge and belief
• No specific assessments required for attestation • Enforcement relies on community awareness and reporting with potential
action through FTC • IDESG could take minimal action, including removal from the white list or
revocation of a TM
• Examples:• InCommon Bronze• Payment Card Industry merchant self-assessment and compliance attestation• CMS Compliance self-attestation to EHR utilization criteria (aka “meaningful
use” standards
5-07-2014
Self Attestation
IDESG TFTM Committee 85-07-2014
Self Attestation
Resource Burden LOW
• Resources required to implement a self attestation program are low• Minimal administrative capability/burden required to confirm bona fides of applicants and process
applications• Minimum operational capacity required to determine acceptability of applicant bona fides• Resource burden on applicants would be limited to those required to complete the application and
provide any new services/controls not currently provided
Implementation Time LOW
• Minimum resource and operational requirements would allow a self-attestation program to be stood up relative quickly (months rather than years)
Cost LOW• Cost to the IDESG would be low, only requiring those items needed to stand up the limited
administrative and operational process (e.g., application process, communications, file submission/maintenance, certification) —which could potentially be handled by existing resources (secretariat, MC, board, committees, etc.)
• Cost to participants should be low, covering the application/renewal processes• Additional SP costs may be necessary to meet requirements not currently provided
Assurance LOW• Low assurance that participants are operating in compliance with IEF rules/requirements.
IDESG TFTM Committee 9
• Similar to a self-attestation framework, participants would assert their own compliance with a specified set of rules or requirements based on internal review of documentation/operations
• Written and signed document to certify that results from internal review are true and accurate based results of internal review/other assessments
• Participants may also have to meet periodic internal assessment requirements and may need to provide assessment results or other documentation • Assessment guide/process would need to be created or established
• Enforcement relies on community awareness and reporting with potential action through FTC and revocation of trusted status by trustmark provider (TM or white list)
• Examples:• Federal FedRamp self-attestation for cloud service security - http://www.FedRAMP.gov• Department of Commerce EU/US Safe Harbor Program - http://export.gov/safeharbor• Types of PCI self-assessment compliance attestation
5-07-2014
Self Certification
IDESG TFTM Committee 105-07-2014
Self Certification
Resource Burden Low to Moderate
• Resource burdens on the IDESG would be low to moderate, depending on the degree of validation required (e.g., submission of internal review documents or other documentation), additional administrative burden for supporting the application and maintenance processes.
• Resource burden on applicants would be moderate, requiring periodic internal assessments, potentially new documents and the establishment of internal processes to support these assessments
Implementation Time Low
• Development or adoption of assessment standards would increase implementation time, however leveraging existing frameworks and practices could expedite implementation (6 months-1 year)
Cost Moderate• Cost to the IDESG would be moderate, especially if some degree of validation would be performed.• Cost to participants could be higher depending upon existing internal assessment/audit capabilities;
organizations with existing structures could leverage these to limit cost while others may need to stand them up from scratch (small relying parties, etc.)
• Some SPs may incur higher costs in order to meet requirements/documentation not currently provided.
Assurance Low• Assurance depends on the degree of validation, but would likely not exceed low assurance even with
internal review and/or other documentation submission requirements.
IDESG TFTM Committee 11
• Participant’s compliance with a set of rules or requirements is confirmed through assessment by an independent 3rd party
• Requires the development of a comprehensive certification and assessment framework • e.g., requirements for service providers and for assessors in performing assessments
• May require the development of an accreditation program to qualify assessors for assessment requirements
• More complex legal arrangements to support roles/responsibilities of the assessors, assessed service providers, certifying body
• Enforcement relies on community awareness and reporting with potential action through FTC and revocation of trusted status by trustmark provider (TM or white list)
• Examples:• Kantara Initiative – http://kantarainitiative.org/tag/certification/• FICAM TFS - http://info.idmanagement.gov/2014/03/ficam-tfs-approval-process
• FICAM TFPAP
5-07-2014
3rd Party Certification
IDESG TFTM Committee 12
• Peer-to-Peer- Participating organizations are assessed for compliance by other framework participants.• This is typically done on behalf of the certifying body who would make actual
certification decisions based on the assessment• Ex. – AICPA typically uses peer review to maintain CPA certification status
• Independent Assessors- Service providers are assessed for compliance by entities whose sole purpose within the framework is compliance assessment; supports independence and objectivity in the assessment process• May require an accreditation program for assessors• This is typically done on behalf of the certifying body who would make actual
certification decisions based on the assessment• Ex. –Kantara Initiative - https://kantarainitiative.org/confluence/display/certification,
InCommon Silver
• Certifying Body (IDESG) Assessment- Participating organizations are assessed for compliance directly by the certifying body (e.g., the IDESG)• FICAM PKI,
5-07-2014
3rd Party Certification: Types
IDESG TFTM Committee 135-07-2014
3rd Party Certification: Peer Review
Resource Burden MODERATE
• IDESG would need to establish a comprehensive assessment framework and associated processes to support peer review, and support administrative and operational requirements to support applications and certification processes, IDESG would validate
• Participating organizations would need to support assessment by peer review, probably onsite and support services/documentation that are not currently provided.
Implementation Time MODERATE
• Development of an assessment framework and associated processes would require more time to develop/implement than a self-attestation or self-certification framework (1-2 years)
Cost HIGH• Cost to the IDESG would be moderate and primarily focused around assessment framework
development and support for the administrative costs of application/certification processes.• Cost to participants would be high, requiring the capability to conduct assessments on other members
of the ecosystem; legal complications and establishing mechanisms for external assessments could be costly
Assurance MODERATE• The possibility of conflicts of interest in conformance assessments (e.g. market partners or
competitors as assessors) could negatively impact assurance• Lack of professional assessors may limit testing and conformance capabilities
IDESG TFTM Committee 145-07-2014
3rd Party Certification: Independent Assessment
Resource Burden MODERATE
• IDESG would need to establish a comprehensive assessment framework and accreditation program; external assessors would limit steady-state resource requirements, but stand up needs would be high
• Participating organizations would need to support assessment by third parties—overall resource requirements would likely depend on ecosystem function and existing capabilities
Implementation Time HIGH
• Development of an assessment framework and accreditation program as well as associated processes would require significant time (2-3 years)
Cost MODERATE• Cost to the IDESG would be moderate and primarily focused around assessment framework
development and accreditation program development and maintenance• Cost to participants would be moderate and primarily focused around preparation for assessments
and hiring of an assessor
Assurance HIGH• Independent assessments by qualified and accredited entities should provide high levels of assurance
that participants are operating according to established rules and requirements
IDESG TFTM Committee 155-07-2014
3rd Party Certification: Certifying Body Assessment
Resource Burden HIGH
• Establishment of assessment framework and operational/personnel capacity to conduct assessments would require significant resources for IDESG; assessments would likely need to be conducted at the SP increasing administrative burden and costs.
• Participating organizations would need to establish necessary documentation and processes to support assessment by third parties and share or bear the costs of assessment.
Implementation Time HIGH
• Development of an assessment framework and standing up necessary operational capabilities would take a significant period of time (2+ years)
Cost HIGH• Cost to the IDESG would high, requiring significant staff for assessments, administration, and
operational requirements• Cost to participants would be moderate and primarily focused around preparation for assessments
and paying any assessment fees
Assurance HIGH• If operated properly, this should provide a high degree of assurance that participants/SPs are
operating in accordance with applicable rules and requirements
IDESG TFTM Committee 165-07-2014
Overview
Type Resource Burden
Implementation Time
Cost Assurance
Self-Attest LOW LOW LOW LOW
Self-Certification MODERATE LOW MODERATE LOW
Peer-to-Peer MODERATE MODERATE HIGH MODERATE
Independent Assessment
MODERATE HIGH MODERATE HIGH
Certifying Party (IDESG) Assessment
HIGH HIGH HIGH HIGH
IDESG TFTM Committee 17
1. Other factors for additional evaluation?2. What can realistically be implemented in 2014 to establish a foundation to
build from? 3. What can/should be the target for 2015 and 2016?4. What are risks to IDESG?5. Would other forms of certification increase the level of assurance for any
of these approaches?• TFPs, ISO 9000/001, ISO 27001, CompTIA, BBBonline, etc.
5-07-2014
Discussion Considerations
IDESG TFTM Committee 18
1. Develop recommendation for 2014 conformance program approach (self attest, self cert, etc.) and discuss with full TFTM
2. Prepare recommendations paper for plenary on the 2014 Trustmark and Compliance Program
5-07-2014
Next Steps Summary
