TFTM Sub-Committee 01-06: What do we need for the IDESG Trust Mark Program
Discussion Deck
IDESG TFTM Committee
April 16, 2014

What is a Trustmark? Definitions
- Used to indicate that a product or service provider has met the requirements of the Identity Ecosystem, as determined by an accreditation authority. (Source: NSTIC Strategy)
- Statement of conformance to a well-scoped set of identity trust and/or interoperability requirements. (Source: GTRI)
- Electronic labels or visual representations indicating that an e-merchant/service provider has demonstrated conformity to standards regarding, e.g., security, privacy, and business practice. (Source: European Consumers Centre Network)
- (E-commerce) An electronic commerce badge, image or logo displayed on a website to indicate that the website business has been shown to be trustworthy by the issuing organization. (Source: Techopedia)
- Many more…

What do these Trustmark Definitions have in common?
- Means for public recognition – “statement, label, representation, badge, image, logo, indication”
- Conformance requirements – “well-scoped set of requirements, identity Ecosystem requirements, trust standards”
- Determination of conformance – “statement of conformance, demonstrated conformity, has met the requirements, shown to be trustworthy”
- Implied but not as clearly stated: Trust marks issued by 3rd-party to online service providers – “(Trust mark) accreditation authority, issuing organization”

What does IDESG need for a Trustmark Program?
- Set of well-scoped identity management requirements
  - At a minimum to address the NSTIC Guiding principles
- Means to determine/assert conformance to the defined requirements
  - Requirements expressed as assessment criteria
  - Assessment process
  - Assessors
- Means to indicate/recognize conformance assertion
  - Trustmark issuing organization

Who can receive a Trustmark(s)?
- Potentially all participating service providers in the Identity Ecosystem (NSTIC Strategy)
  - IDPs
  - CSPs
  - Attribute Providers/Attribute Authorities
  - Relying Parties
- Other IE participants?
  - Identity media
  - Transaction hubs?
  - Trust brokers?
- Participants in Trust Frameworks but not necessarily TF Providers unless they are active participants
- Not end users/subjects

What should TFTM/IDESG do to establish requirements?
- Start with NSTIC Guiding Principles and derived requirements
  - Privacy/Voluntary, Secure/Resilient, Interoperable, Usability/Ease-of-Use
  - 34 derived requirements in 4 sets
- Coordinate with committees to analyze requirements in relation to functions in functional model
  - Modify, add, delete
- Compile and document as 4 core sets of requirements (aka, GTRI modular trust components)
  - TFTM Deliverable TFTM-01-04 NSTIC/IDESG Interim Requirements Catalog
  - Could be administered as 4, or more, separate trust marks (GTRI model)
  - Could be single NSTIC trust mark
- Determine if other requirements for specific communities/use cases should be added beyond core set
  - e.g., GTRI Pilot, COPPA, Patriot Act/Customer Information Programs, HIPAA, etc.

What should TFTM/IDESG do to assess conformance with requirements?
- Examine/analyze range of conformity assessment approaches
  - Task under TFTM 01-06
  - Self-assertion, self-certification, peer-peer assessment, independent 3rd party, audit
  - Entities/organizations performing IDM conformance assessments today
  - Qualified/approved assessors
  - IDESG capability to perform assessments
  - Recommend approaches for 2014, 2015 and beyond
- Map and assess IDESG core requirements against current TFP frameworks and conformity assessment procedures/criteria
  - Tasks for TFTM-01-05 and 01-06
  - Do current TF/TFP policies and procedures meet all IDESG requirements?
  - Can assessments performed by external TFPs be adopted by IDESG? (FICAM model)

What should TFTM/IDESG do to determine/validate conformance based on assessment results?
- Examine/analyze range of conformity approaches for conformance determination
  - Task under TFTM 01-06
  - Self-assertion, self-certification, peer-peer assessment, independent 3rd party, assessor/auditor
  - Entities/organizations performing IDM conformance assessments
  - Qualified/approved assessors
  - IDESG capability to perform assessments
  - Recommend approaches for 2014, 2015 and beyond

Should IDESG be a trust mark issuer?
- Examine/analyze trust mark issuer legal responsibilities and obligations
  - Task under TFTM 01-06
- Explore/analyze operational and legal options for trust mark issuance
  - Task under TFTM 01-06
- Make recommendation for IDESG trust mark issuance 2014, 2015 and beyond

Next Steps Summary
1. Support the development and review of IDESG requirements (TFTM 01-04 & 05)
   - Identify common, core requirements for contribution to IDESG committees to develop requirements specific to their domains
2. Identify the priority components for the Identity Ecosystem Framework (01-03)
3. Examine options and make recommendation for approach for IDESG trust mark program conformance assessment for 2014, 2015 and beyond (TFTM 01-06)
4. Examine options and make recommendation for IDESG trust mark issuance for 2014, 2015 and beyond (TFTM 01-06)