
TFTM Deliverable 01-06 2014 Trustmark and Conformance Program Discussion Deck



  1. TFTM Deliverable 01-06: 2014 Trustmark and Conformance Program Discussion Deck
     TFTM Committee, May 07, 2014
     IDESG TFTM Committee

  2. Meeting Agenda
     • 2014 Goal
     • Meeting Objectives
     • Approach
     • Assumptions
     • Conformance Assessment/Assertion Comparison
       • Self-Attestation
       • Self-Certification
       • 3rd Party Certification
     • Overview
     • Next Steps

  3. 2014 TFTM Sub-Committee 01-06 Goal
     • Develop and establish an initial IDESG Trustmark and conformance program for the IDESG IE Framework by the end of 2014.

  4. Meeting Objectives
     • Discuss and compare the approach for current industry conformance programs for applicability to the IDESG’s needs.
     • Three approaches for discussion today:
       • Self Attestation
       • Self Certification
       • 3rd Party Certification
         • Peer-to-Peer
         • Independent Assessors
         • IDESG Assessment

  5. Format for Comparison of Conformance Programs
     • Programs will be compared based upon four primary factors:
       • Resource Burden: the resources required to implement and operate the conformance program
       • Implementation Time: time needed to establish and implement
       • Cost: the cost to both the IDESG and organizations seeking conformance assertion
       • Assurance: assurance that participants are operating in conformance with rules/framework
     • Express each factor on a 3-point scale: High, Moderate, or Low
     • This is not intended to be an exhaustive analysis, but a high-level discussion of existing conformance program types and their relative applicability to the IDESG in 2014

  6. Assumptions
     • Initial version of the Identity Ecosystem Framework will be complete by the end of 2014 and key dependencies for conformance program implementation will be met:
       • Functional Model (Security Committee deliverable)
       • Initial Requirements Catalog (TFTM 01-04): committees will create and plenary will approve requirements
       • Conformance program rules established (policy, process: TFTM 01-07)
       • Recommend approach for 2014 IDESG conformance recognition (e.g., trustmark, trust list, white list, etc.) as supporting/complementary activity (TFTM 01-06)
     • 2014 Program should be open to all IE service providers (e.g., relying parties, credential providers, attribute providers, etc.) regardless of size

  7. Self Attestation
     • Participants in a self-attestation framework assert their own conformance with a specified set of rules or requirements
     • Written and signed document to confirm that assertions made are true and accurate based on the best knowledge and belief
     • No specific assessments required for attestation
     • Enforcement relies on community awareness and reporting with potential action through FTC
     • IDESG could take minimal action, including removal from the white list or revocation of a TM
     • Examples:
       • InCommon Bronze
       • Payment Card Industry merchant self-assessment and compliance attestation
       • CMS Compliance self-attestation to EHR utilization criteria (aka “meaningful use” standards)

  8. Self Attestation

  9. Self Certification
     • Similar to a self-attestation framework, participants would assert their own compliance with a specified set of rules or requirements based on internal review of documentation/operations
     • Written and signed document to certify that results from internal review are true and accurate, based on results of internal review/other assessments
     • Participants may also have to meet periodic internal assessment requirements and may need to provide assessment results or other documentation
     • Assessment guide/process would need to be created or established
     • Enforcement relies on community awareness and reporting with potential action through FTC and revocation of trusted status by trustmark provider (TM or white list)
     • Examples:
       • Federal FedRAMP self-attestation for cloud service security - http://www.FedRAMP.gov
       • Department of Commerce EU/US Safe Harbor Program - http://export.gov/safeharbor
       • Types of PCI self-assessment compliance attestation

  10. Self Certification

  11. 3rd Party Certification
     • Participant’s compliance with a set of rules or requirements is confirmed through assessment by an independent 3rd party
     • Requires the development of a comprehensive certification and assessment framework, e.g., requirements for service providers and for assessors in performing assessments
     • May require the development of an accreditation program to qualify assessors for assessment requirements
     • More complex legal arrangements to support roles/responsibilities of the assessors, assessed service providers, and certifying body
     • Enforcement relies on community awareness and reporting with potential action through FTC and revocation of trusted status by trustmark provider (TM or white list)
     • Examples:
       • Kantara Initiative – http://kantarainitiative.org/tag/certification/
       • FICAM TFS - http://info.idmanagement.gov/2014/03/ficam-tfs-approval-process
       • FICAM TFPAP

  12. 3rd Party Certification: Types
     • Peer-to-Peer: participating organizations are assessed for compliance by other framework participants
       • This is typically done on behalf of the certifying body, who would make actual certification decisions based on the assessment
       • Ex. – AICPA typically uses peer review to maintain CPA certification status
     • Independent Assessors: service providers are assessed for compliance by entities whose sole purpose within the framework is compliance assessment; supports independence and objectivity in the assessment process
       • May require an accreditation program for assessors
       • This is typically done on behalf of the certifying body, who would make actual certification decisions based on the assessment
       • Ex. – Kantara Initiative - https://kantarainitiative.org/confluence/display/certification, InCommon Silver
     • Certifying Body (IDESG) Assessment: participating organizations are assessed for compliance directly by the certifying body (e.g., the IDESG)
       • Ex. – FICAM PKI

  13. 3rd Party Certification: Peer Review

  14. 3rd Party Certification: Independent Assessment

  15. 3rd Party Certification: Certifying Body Assessment

  16. Overview

  17. Discussion Considerations
     • Other factors for additional evaluation?
     • What can realistically be implemented in 2014 to establish a foundation to build from?
     • What can/should be the target for 2015 and 2016?
     • What are risks to IDESG?
     • Would other forms of certification increase the level of assurance for any of these approaches? TFPs, ISO 9000/001, ISO 27001, CompTIA, BBBonline, etc.

  18. Next Steps Summary
     • Develop recommendation for 2014 conformance program approach (self attest, self cert, etc.) and discuss with full TFTM
     • Prepare recommendations paper for plenary on the 2014 Trustmark and Compliance Program
