Identity Assurance Framework: Service Assessment Criteria

Uploaded by convertingtown (Software & software engineering), 4 Nov 2013, 213 views
Version: 3.0
Date: 2012-10-10
Editor: Richard G. Wilsher, Zygma LLC

Contributors

The full list of contributors can be referenced here:
http://kantarainitiative.org/confluence/display/idassurance/IAF+2.0+Contributors

Abstract

The Kantara Initiative Identity Assurance Work Group (IAWG) was formed to foster adoption of identity trust services. The primary deliverable of the IAWG is the Identity Assurance Framework (IAF), which is comprised of many different documents that detail the levels of assurance and the certification program that bring the Framework to the marketplace. The IAF is comprised of a set of documents that includes an Overview publication, the IAF Glossary, a summary Assurance Levels document, and an Assurance Assessment Scheme (AAS), which encompasses the associated assessment and certification program, as well as several subordinate documents, among them the Service Assessment Criteria (SAC), which establishes baseline criteria for general organizational compliance, identity proofing services, credential strength, and credential management services against which all CSPs will be evaluated. The present document describes the Service Assessment Criteria component of the IAF, including setting out the Assurance Levels.

The latest versions of each of these documents can be found on Kantara’s Identity Assurance Framework - General Information web page.

Filename: Kantara IAF-1400 SAC v3-0
Notice

This document has been prepared by Participants of Kantara Initiative. Permission is hereby granted to use the document solely for the purpose of implementing the Specification. No rights are granted to prepare derivative works of this Specification. Entities seeking permission to reproduce portions of this document for other uses must contact Kantara Initiative to determine whether an appropriate license for such use is available.

Implementation or use of certain elements of this document may require licenses under third party intellectual property rights, including without limitation, patent rights. The Participants of and any other contributors to the Specification are not and shall not be held responsible in any manner for identifying or failing to identify any or all such third party intellectual property rights. This Specification is provided "AS IS," and no Participant in Kantara Initiative makes any warranty of any kind, expressed or implied, including any implied warranties of merchantability, non-infringement of third party intellectual property rights, and fitness for a particular purpose. Implementers of this Specification are advised to review Kantara Initiative’s website (http://www.kantarainitiative.org/) for information concerning any Necessary Claims Disclosure Notices that have been received by the Kantara Initiative Board of Trustees.

Copyright: The content of this document is copyright of Kantara Initiative. © 2012 Kantara Initiative.
Contents

1 INTRODUCTION ..... 5
1.1 Changes in this revision ..... 5
2 ASSURANCE LEVELS ..... 7
3 SERVICE ASSESSMENT CRITERIA - GENERAL ..... 8
3.1 Context and Scope ..... 8
3.2 Criteria Applicability ..... 8
3.3 Status and Readership ..... 8
3.4 Criteria Descriptions ..... 9
3.5 Terminology ..... 11
4 COMMON ORGANIZATIONAL SERVICE ASSESSMENT CRITERIA ..... 12
4.1 Assurance Level 1 ..... 12
4.1.1 Enterprise and Service Maturity ..... 12
4.1.2 Notices and User information ..... 13
4.1.3 Not used ..... 14
4.1.4 Not used ..... 14
4.1.5 Not used ..... 14
4.1.6 Not used ..... 14
4.1.7 Secure Communications ..... 14
4.2 Assurance Level 2 ..... 15
4.2.1 Enterprise and Service Maturity ..... 15
4.2.2 Notices and User Information/Agreements ..... 16
4.2.3 Information Security Management ..... 18
4.2.4 Security-relevant Event (Audit) Records ..... 20
4.2.5 Operational infrastructure ..... 20
4.2.6 External Services and Components ..... 22
4.2.7 Secure Communications ..... 22
4.3 Assurance Level 3 ..... 25
4.3.1 Enterprise and Service Maturity ..... 25
4.3.2 Notices and User Information ..... 27
4.3.3 Information Security Management ..... 28
4.3.4 Security-Relevant Event (Audit) Records ..... 31
4.3.5 Operational Infrastructure ..... 31
4.3.6 External Services and Components ..... 33
4.3.7 Secure Communications ..... 33
4.4 Assurance Level 4 ..... 34
4.4.1 Enterprise and Service Maturity ..... 34
4.4.2 Notices and Subscriber Information/Agreements ..... 37
4.4.3 Information Security Management ..... 38
4.4.4 Security-Related (Audit) Records ..... 41
4.4.5 Operational Infrastructure ..... 42
4.4.6 External Services and Components ..... 43
4.4.7 Secure Communications ..... 44
4.5 Compliance Tables ..... 46
5 OPERATIONAL SERVICE ASSESSMENT CRITERIA ..... 53
5.1 Assurance Level 1 ..... 53
5.1.1 Part A - Credential Operating Environment ..... 53
5.1.2 Part B - Credential Issuing ..... 55
5.1.3 Part C - Credential Renewal and Re-issuing ..... 57
5.1.4 Part D - Credential Revocation ..... 57
5.1.5 Part E - Credential Status Management ..... 57
5.1.6 Part F - Credential Validation/Authentication ..... 58
5.2 Assurance Level 2 ..... 59
5.2.1 Part A - Credential Operating Environment ..... 59
5.2.2 Part B - Credential Issuing ..... 61
5.2.3 Part C - Credential Renewal and Re-issuing ..... 70
5.2.4 Part D - Credential Revocation ..... 71
5.2.5 Part E - Credential Status Management ..... 73
5.2.6 Part F - Credential Validation/Authentication ..... 74
5.3 Assurance Level 3 ..... 76
5.3.1 Part A - Credential Operating Environment ..... 76
5.3.2 Part B - Credential Issuing ..... 79
5.3.3 Part C - Credential Renewal and Re-issuing ..... 88
5.3.4 Part D - Credential Revocation ..... 88
5.3.5 Part E - Credential Status Management ..... 91
5.3.6 Part F - Credential Validation/Authentication ..... 92
5.4 Assurance Level 4 ..... 94
5.4.1 Part A - Credential Operating Environment ..... 94
5.4.2 Part B - Credential Issuing ..... 97
5.4.3 Part C - Credential Renewal and Re-issuing ..... 105
5.4.4 Part D - Credential Revocation ..... 106
5.4.5 Part E - Credential Status Management ..... 109
5.4.6 Part F - Credential Validation/Authentication ..... 110
5.5 Compliance Tables ..... 112
6 REFERENCES ..... 123
7 SAC v2.0 to SAC v3.0 CRITERIA MAPPING ..... 126

1 INTRODUCTION

Kantara Initiative formed the Identity Assurance Work Group (IAWG) to foster adoption of consistently managed identity trust services. The IAWG's objective is to create a Framework of baseline policy requirements (criteria) and rules against which identity trust services can be assessed and evaluated. The goal is to facilitate trusted identity federation and to promote uniformity and interoperability amongst identity service providers, with a specific focus on the level of trust, or assurance, associated with identity assertions. The primary deliverable of IAWG is the Identity Assurance Framework (IAF).

The IAF specifies criteria for a harmonized, best-of-breed, industry-recognized identity assurance standard. The IAF is a Framework supporting mutual acceptance, validation, and life cycle maintenance across identity federations. of the IAF is a set of documents that includes an Overview, the IAF Glossary, a summary detailing Assurance Levels, and an Assurance Assessment Scheme (AAS) supported by Rules governing Assurance Assessments (RAA), which defines the associated assessment and certification program, as well as several subordinate documents. The present document, subordinate to the AAS, describes the Service Assessment Criteria component of the IAF.

The latest versions of each of these documents can be found on Kantara’s Identity Assurance Framework - General Information web page.

Assurance Levels (ALs) are the levels of trust associated with a credential as measured by the associated technology, processes, and policy and practice statements controlling the operational environment. The IAF defers to the guidance provided by the U.S. National Institute of Standards and Technology (NIST) Special Publication 800-63 version 1.0.1 [NIST800-63-1] which outlines four levels of assurance, ranging in confidence level from low to very high. Use of ALs is determined by the level of confidence or trust (i.e. assurance) necessary to mitigate risk in the transaction.

The Service Assessment Criteria of the IAF establishes baseline criteria for general organizational compliance, identity proofing services, credential strength, and credential management services against which all credential service providers (CSPs) will be evaluated. The IAF focuses on baseline identity assertions and will evolve to include attribute- and entitlement-based assertions in future releases. The IAF will also establish a protocol for publishing updates, as needed, to account for technological advances and preferred practice and policy updates.
1.1 Changes in this revision

The for this revision is to permit greater flexibility in the combination of Service Components and Full Service Provision and identifies the specific criteria with which Service Components must comply.

Specifically:

a) The merging of the Credential Management (CM) SAC and the Identity (ID) SAC into a single grouping, the Operational (OP) SAC (i.e. Operational Criteria). The OP-SAC facilitates the flexible allocation of criteria to specific components of a full service;

b) Placing of Organizational (CO) SAC and OP-SAC into their own discrete first-level sections, thus making them more distinct;

c) Restructuring the functional criteria by placing them into contiguous sets for each Assurance Level, making it easier for developers, service operators and assessors to access and apply the criteria applicable to the Assurance Levels for which they have chosen to seek certification;

d) Requirement for certain OP-SAC Part A criteria to be Mandatory for all Component Service applicants;

e) Consistency in the use of ‘Subscriber’ and ‘Subject’;

f) Appropriate revisions to other text within this doc to reflect and consistently deal with the points above;

g) Clear statement that the requirements of this document are normative in the IAF.
2 ASSURANCE LEVELS

The IAF has adopted four Assurance Levels (ALs), based on the four levels of assurance posited by the U.S. Federal Government and described in OMB M-04-04 [M-04-04] and NIST Special Publication 800-63-1 [NIST800-63-1]. These are further described in the Identity Assurance Framework: Levels of Assurance document, which can be found on Kantara’s Identity Assurance Framework - General Information page.
3 SERVICE ASSESSMENT CRITERIA - GENERAL

3.1 Context and Scope

The Identity Assurance Work Group (IAWG) developed and maintains the Service Assessment Criteria (SAC) as part of its Identity Assurance Framework. These criteria set out the requirements for credential service and identity providers at all assurance levels within the Framework. These criteria identify the specific requirements, at each Assurance Level (AL), with which Service providers must comply and against which they must be assessed by Kantara Accredited Assessors. They are divided into two parts:

1) Organizational Criteria: These criteria address the general business and organizational compliance of services and their providers. They are generally referred-to as the ‘CO-SAC’;

2) Operational Criteria: These criteria address operational compliance of credential management services and the necessary functions which they embrace. They are generally referred-to as the ‘OP-SAC’.
3.2 Criteria Applicability

Any Full Service Provider applying for certification under the Identity Assurance Framework (IAF) must comply with all criteria (i.e. CO-SAC and OP-SAC, at the applicable level) for Certification.

Each Service Component supporting, or included as a part of, a Full Service Provider offering must comply with the CO-SAC and a defined sub-set of OP-SAC clauses which fall within the component’s scope. The Full Service Provider retains the responsibility to ensure each requirement is met.

These criteria have been approved by the Kantara membership for use by Kantara-Accredited Assessors in the performance of CSP/IdP assessments seeking Kantara Certification.

In the context of the Identity Assurance Framework, the status of this document is normative. An applicant’s credential service shall comply with all applicable criteria within these SAC at their requested AL(s). To be certified under the IAF Identity Assurance Program and granted the right to use the Kantara Initiative Trust Mark, credential services must conform to all applicable criteria at the appropriate level.
3.3 Status and Readership

This document establishes normative Kantara requirements and is required reading for Kantara-Accredited Assessors and applicant Service Providers. It will also be of interest to those wishing to gain a detailed knowledge of the Kantara Initiative’s Identity Assurance Framework. It establishes the Service Assessment Criteria with which credential service providers must comply to be granted Kantara certification.
3.4 Criteria Descriptions

The Service Assessment Criteria are organized by AL. Subsections within each level describe the criteria that apply to specific functions. Subsections describing the requirements for the same function at different levels of assurance have the same title.

Each criterion includes three components: a unique alphanumeric tag, a short name, and the specific criterion (or criteria). The tag provides a unique reference for each criterion that assessors and service providers can use to refer to that criterion. The name identifies the intended scope or purpose of the criterion.

The criteria are described as follows:

[Schematic: a criterion is laid out as]

«ALn_CO_ZZZ#999» «name»
Criterion ALn (i.e., AL1_CO_ESM#010)

ALn: The assurance level at which this criterion applies.
CO: An abbreviated prefix for the specific SAC.
ZZZ: An abbreviation for the topic area to which the criterion relates.
#999: Tag sequence number, originally incremented by 10 to allow insertion once the SAC is first published.
«name»: Short descriptive name.
Criterion: The actual criterion at a given assurance level, stated as a requirement.

When a given criterion changes (i.e. becomes more rigorous) at higher Assurance Levels the new or revised text is shown in bold or ‘[Omitted]’ is indicated where text has been removed. With the obvious exception of AL1, when a criterion is first introduced it is also shown in bold.

As noted in the above schematic, when originally prepared, the tags had numbers incrementing in multiples of ten to permit the later insertion of additional criteria. Since then there has been addition and withdrawal of criteria.

Where a criterion is not used in a given AL but is used at a higher AL its place is held by the inclusion of a tag which is marked ‘No stipulation’. A title and appropriate criteria will be added at the higher AL which occupies that position. Since in general higher ALs have a greater extent of criteria than lower ALs, where a given AL extends no further through the numbering range, criteria beyond that value are by default omitted rather than being included but marked ‘No stipulation’.

Further, over time, some criteria have been removed, or withdrawn. In order to avoid the re-use of that tag such tags are retained but marked ‘Withdrawn’.

Not only do these editorial practices preserve continuity they also guard against possible omission of a required criterion through an editing error.
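The tag layout and the placeholder rules above are precise enough to be checked mechanically, which is useful when a service provider or assessor maintains a machine-readable copy of the criteria. The following Python is an added example, not part of the SAC or of any Kantara tooling: it parses tags of the form ALn_CO_ZZZ#999 and applies the editorial rule that a sequence number used at a higher AL must have a placeholder ('No stipulation' or 'Withdrawn') at the next-lower AL when it lies within that AL's numbering range, while numbers beyond the lower AL's last tag are treated as omitted by default. The sample tags are the AL1/AL2 ESM entries from this document plus a constructed topic 'XYZ' that deliberately skips a tag so the check has something to report.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Tag layout from the SAC schematic: ALn_CO_ZZZ#999
#   ALn  = assurance level (1-4)
#   CO   = prefix of the specific SAC (CO-SAC or OP-SAC)
#   ZZZ  = three-letter topic area, e.g. ESM, NUI, SCO
#   #999 = sequence number, originally stepped by 10
TAG_RE = re.compile(r"^AL(?P<level>[1-4])_(?P<sac>CO|OP)_(?P<topic>[A-Z]{3})#(?P<seq>\d{3})$")


@dataclass(frozen=True)
class Criterion:
    level: int
    sac: str
    topic: str
    seq: int
    name: str


def parse_tag(tag: str) -> tuple[int, str, str, int]:
    """Split a tag into (level, sac, topic, seq); reject anything off-format."""
    m = TAG_RE.match(tag)
    if m is None:
        raise ValueError(f"malformed criterion tag: {tag!r}")
    return int(m["level"]), m["sac"], m["topic"], int(m["seq"])


def parse_criteria(lines: list[str]) -> list[Criterion]:
    """Each input line is '<tag> <short name>', the layout used in the SAC."""
    criteria = []
    for line in lines:
        tag, _, name = line.strip().partition(" ")
        level, sac, topic, seq = parse_tag(tag)
        criteria.append(Criterion(level, sac, topic, seq, name.strip()))
    return criteria


def check_placeholders(criteria: list[Criterion]) -> list[str]:
    """Report a sequence number used at AL(n+1) that lies within AL(n)'s
    numbering range but has no tag (not even a placeholder) at AL(n).
    Numbers beyond AL(n)'s last tag are omitted by default and not reported."""
    groups: dict[tuple[str, str], dict[int, dict[int, str]]] = {}
    for c in criteria:
        groups.setdefault((c.sac, c.topic), {}).setdefault(c.level, {})[c.seq] = c.name
    problems = []
    for (sac, topic), levels in groups.items():
        for low, high in ((1, 2), (2, 3), (3, 4)):
            if low not in levels or high not in levels:
                continue
            low_max = max(levels[low])
            for seq in sorted(levels[high]):
                if seq <= low_max and seq not in levels[low]:
                    problems.append(
                        f"AL{low}_{sac}_{topic}#{seq:03d} missing: used at AL{high} but has no placeholder"
                    )
    return problems


# Constructed sample: the AL1/AL2 ESM tags listed in this document, plus a
# constructed topic 'XYZ' whose AL1 set skips #020 to show what the check reports.
SAMPLE_LINES = [
    "AL1_CO_ESM#010 Established enterprise",
    "AL1_CO_ESM#020 Withdrawn",
    "AL1_CO_ESM#030 Legal & Contractual compliance",
    "AL1_CO_ESM#040 No stipulation",
    "AL1_CO_ESM#050 No stipulation",
    "AL1_CO_ESM#055 Termination provisions",
    "AL2_CO_ESM#010 Established enterprise",
    "AL2_CO_ESM#020 Withdrawn",
    "AL2_CO_ESM#030 Legal & Contractual compliance",
    "AL2_CO_ESM#040 Financial Provisions",
    "AL2_CO_ESM#050 Data Retention and Protection",
    "AL2_CO_ESM#055 Termination provisions",
    "AL1_CO_XYZ#010 Constructed",
    "AL1_CO_XYZ#030 Constructed",
    "AL2_CO_XYZ#010 Constructed",
    "AL2_CO_XYZ#020 Constructed",
    "AL2_CO_XYZ#030 Constructed",
    "AL2_CO_XYZ#040 Constructed",
]


def lint_sample() -> list[str]:
    return check_placeholders(parse_criteria(SAMPLE_LINES))


if __name__ == "__main__":
    for problem in lint_sample():
        print(problem)
```

Run stand-alone it prints the single gap in the constructed XYZ topic; the ESM tags pass because AL1 holds every number AL2 uses, two of them as 'No stipulation' placeholders exactly as the editorial rule requires. AL2_CO_XYZ#040 is not reported because AL1's XYZ numbering stops at #030, so #040 is omitted by default.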

3.5 Terminology

All special terms used in this document are defined in the IAF Glossary, which can be found on Kantara’s Identity Assurance Framework - General Information page.

Note that when, in these criteria, the term ‘Subscriber’ is used it applies equally to ‘Subscriber’ and ‘Subject’ as defined in the IAF Glossary, according to the context in which used. The term ‘Subject’ is used when the reference is explicitly toward that party.
4 COMMON ORGANIZATIONAL SERVICE ASSESSMENT CRITERIA

The Service Assessment Criteria in this section establish the general business and organizational requirements for compliance of services and service providers at all Assurance Levels (AL) (refer to Section 2). These criteria are generally referred to elsewhere within IAWG documentation as CO-SAC and can be identified by their tag “ALn_CO_xxxx”.

All applicants for Certification, whether Service Components or Full Service Providers, must comply with these criteria.
4.1 Assurance Level 1

4.1.1 Enterprise and Service Maturity

These criteria apply to the establishment of the organization offering the service and its basic standing as a legal and operational business entity within its respective jurisdiction or country.

An enterprise and its specified service must:

AL1_CO_ESM#010 Established enterprise
Be a valid legal entity, and a person with the legal authority to commit the organization must submit the signed application package.

AL1_CO_ESM#020 Withdrawn
Withdrawn

AL1_CO_ESM#030 Legal & Contractual compliance
Demonstrate that it understands and complies with any legal requirements incumbent on it in connection with operation and delivery of the specified service, accounting for all jurisdictions and countries within which its services may be used.

Guidance: ‘Understanding’ is implicitly the correct understanding. Both it and compliance are required because it could be that understanding is incomplete, incorrect or even absent, even though compliance is apparent, and similarly, correct understanding may not necessarily result in full compliance. The two are therefore complementary.

AL1_CO_ESM#040 No stipulation

AL1_CO_ESM#050 No stipulation

AL1_CO_ESM#055 Termination provisions
Define the practices in place for the protection of Subjects' private and secret information related to their use of the service which must ensure the ongoing secure preservation and protection of legally required records and for the secure destruction and disposal of any such information whose retention is no longer legally required. Specific details of these practices must be made available.

Guidance: Termination covers the cessation of the business activities, the service provider itself ceasing business operations altogether, change of ownership of the service-providing business, and other similar events which change the status and/or operations of the service provider in any way which interrupts the continued provision of the specific service.
4.1.2 Notices and User information

These criteria address the publication of information describing the service and the manner of and any limitations upon its provision.

An enterprise and its specified service must:

AL1_CO_NUI#010 General Service Definition
Make available to the intended user community a Service Definition that includes all applicable Terms, Conditions, and Fees, including any limitations of its usage. Specific provisions are stated in further criteria in this section.

Guidance: The intended user community encompasses potential and actual Subscribers, Subjects, and relying parties.

AL1_CO_NUI#020 Service Definition inclusions
Make available a Service Definition for the specified service containing clauses that provide the following information:

a) a Privacy Policy that complies with the Kantara Federal Privacy Policy

AL1_CO_NUI#030 Due notification
Have in place and follow appropriate policy and procedures to ensure that it notifies Users in a timely and reliable fashion of any changes to the Service Definition and any applicable Terms, Conditions, and the required Privacy Policy for the specified service.

AL1_CO_NUI#040 User Acceptance
Require Subscribers and Subjects to:

a) indicate, prior to receiving service, that they have read and accept the terms of service as defined in the Service Definition;

b) re-affirm their understanding and observance of the terms of service at periodic intervals, determined by significant service provision events (e.g. issuance, re-issuance, renewal);

c) always provide full and correct responses to requests for information.

AL1_CO_NUI#050 Record of User Acceptance
Obtain a record (hard-copy or electronic) of the Subscriber's and Subject’s acceptance of the terms and conditions of service, prior to initiating the service and thereafter at periodic intervals, determined by significant service provision events (e.g. re-issuance, renewal).
4.1.3 Not used

4.1.4 Not used

4.1.5 Not used

4.1.6 Not used

4.1.7 Secure Communications

AL1_CO_SCO#010 No stipulation

AL1_CO_SCO#020 Limited access to shared secrets
Ensure that:

a) access to shared secrets shall be subject to discretionary controls which permit access to those roles/applications needing such access;

b) stored shared secrets are not held in their plaintext form unless given adequate physical or logical protection;

c) passwords or secrets transmitted across any public or unsecured network are encrypted.
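Clause b) of AL1_CO_SCO#020 is most often met, for passwords and similar memorized secrets, by storing a salted key-derivation output instead of the secret itself. The Python below is an added example and is not code from the SAC or from Kantara; it assumes PBKDF2-HMAC-SHA256 from the standard library (the iteration count is an assumption to be tuned per deployment) and shows the stored record, constant-time verification, and an assessor-style check that no stored field carries the secret in the clear or merely base64-encoded. Clause c) is a transport matter (TLS or equivalent) and is outside what this snippet shows.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256: an assumption for this example, tune to your hardware.
PBKDF2_ITERATIONS = 600_000


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text.encode("ascii"))


def store_secret(secret: str, salt: Optional[bytes] = None,
                 iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Return the record to persist: a random per-secret salt plus the derived
    verifier. The plaintext secret is never part of the record (clause b)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return {
        "kdf": "pbkdf2-sha256",
        "iterations": iterations,
        "salt": _b64(salt),
        "verifier": _b64(digest),
    }


def verify_secret(record: dict, candidate: str) -> bool:
    """Re-derive from the stored salt and compare in constant time so that a
    verification failure leaks nothing about how close the candidate was."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), _unb64(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest, _unb64(record["verifier"]))


def record_exposes_secret(record: dict, secret: str) -> bool:
    """Assessor-style check: does any stored field equal the secret, raw or
    base64-encoded? Returns True for a record that would fail clause b)."""
    forms = {secret, _b64(secret.encode("utf-8"))}
    return any(str(value) in forms for value in record.values())


if __name__ == "__main__":
    sample = "correct horse battery staple"  # constructed sample secret
    rec = store_secret(sample)
    print(rec)
    print("verifies:", verify_secret(rec, sample))
    print("exposes plaintext:", record_exposes_secret(rec, sample))
```

The per-secret salt is what keeps two Subscribers with the same password from producing the same verifier, and recording the KDF name and iteration count beside the verifier is what lets the work factor be raised later without invalidating existing records. Encoding a secret (base64, hex) is not protection, which is why the check looks for the encoded form as well.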

4.2 Assurance Level 2

Criteria in this section address the establishment of the enterprise offering the service and its basic standing as a legal and operational business entity within its respective jurisdiction or country.

4.2.1 Enterprise and Service Maturity

These criteria apply to the establishment of the enterprise offering the service and its basic standing as a legal and operational business entity.

An enterprise and its specified service must:

AL2_CO_ESM#010 Established enterprise
Be a valid legal entity, and a person with legal authority to commit the organization must submit the signed application for certification.

AL2_CO_ESM#020 Withdrawn
Withdrawn

AL2_CO_ESM#030 Legal & Contractual compliance
Demonstrate that it understands and complies with any legal requirements incumbent on it in connection with the operation and delivery of the specified service, accounting for all jurisdictions within which its services may be offered. Any specific contractual requirements shall also be identified.

Guidance: Kantara Initiative will not certify a service which is not fully released for the provision of services to its intended user/client community. Systems, or parts thereof, which are not fully proven and released shall not be considered in an assessment and therefore should not be included within the scope of the application.

AL2_CO_ESM#040 Financial Provisions
Provide documentation of financial resources that support continued operation of the service and demonstrate appropriate liability processes and procedures that satisfy the degree of liability exposure being carried.

Guidance: The organization must show that it has the financial resources to operate the service for at least a twelve-month period, with a clear review of the budgetary planning within that period. It must also show how it has determined the degree of liability protection required, in view of its exposure per ‘service’ and the number of users it has. This criterion helps ensure that Kantara Initiative does not certify services that are not likely to be sustainable over at least this minimum period of time.
AL2_CO_ESM#050 Data Retention and Protection

Specifically set out and demonstrate that it understands and complies with those legal and regulatory requirements incumbent upon it concerning the retention and destruction of personally identifiable information (PII) (personal and business - i.e. its secure storage and protection against loss, accidental public exposure, and/or improper destruction) and the protection of Subjects' PII against unlawful or unauthorized access, excepting that permitted by the information owner or required by due process.

Guidance: Note that whereas the criterion is intended to address unlawful or unauthorized access arising from malicious or careless actions (or inaction), some access may be unlawful UNLESS authorized by the Subscriber or Subject, or effected as a part of a specifically-executed legal process.

AL2_CO_ESM#055 Termination provisions

Define the practices in place for the protection of Subjects' PII information related to their use of the service. These practices must ensure the ongoing secure preservation and protection of legally required records and the secure destruction and disposal of any such information whose retention is no longer legally required. Specific details of these practices must be made available.

Guidance: Termination covers the cessation of the business activities, the service provider itself ceasing business operations altogether, change of ownership of the service-providing business, and other similar events which change the status and/or operations of the service provider in any way which interrupts the continued provision of the specific service.

4.1.9 Notices and User Information/Agreements

These criteria apply to the publication of information describing the service and the manner of and any limitations upon its provision, and how users are required to accept those terms.

An enterprise and its specified service must:

AL2_CO_NUI#010 General Service Definition

Make available a Service Definition that includes all applicable Terms, Conditions, and Fees, including any limitations of its usage, and definitions of any terms having specific intention or interpretation to the intended user community. Specific provisions are stated in further criteria in this section.

Guidance: The intended user community encompasses potential and actual Subscribers, Subjects, and relying parties.
AL2_CO_NUI#020 Service Definition inclusions

Make available a Service Definition for the specified service containing clauses that provide the following information:

a) Privacy, Identity Proofing & Verification, and Revocation and Termination Policies;

b) the country in, or legal jurisdiction under, which the service is operated;

c) if different from the above, the legal jurisdiction under which Subscriber and any relying party enter into agreements;

d) applicable legislation with which the service complies;

e) obligations incumbent upon the CSP;

f) obligations incumbent upon the Subscriber/Subject;

g) notifications and guidance for relying parties, especially in respect of actions they are expected to take should they choose to rely upon the service;

h) statement of warranties;

i) statement of liabilities toward Subscribers, Subjects and Relying Parties;

j) procedures for notification of changes to terms and conditions;

k) steps the CSP will take in the event that it chooses or is obliged to terminate the service;

l) availability of the specified service per se and of its help desk facility.

AL2_CO_NUI#030 Due notification

Have in place and follow appropriate policy and procedures to ensure that it notifies Subscribers and Subjects in a timely and reliable fashion of any changes to the Service Definition and any applicable Terms, Conditions, Fees, and Privacy Policy for the specified service, and provide a clear means by which Subscribers and Subjects must indicate that they wish to accept the new terms or terminate their subscription.

AL2_CO_NUI#040 User Acceptance

Require Subscribers and Subjects to:

a) indicate, prior to receiving service, that they have read and accept the terms of service as defined in the Service Definition;

b) at periodic intervals, determined by significant service provision events (e.g. issuance, re-issuance, renewal) and otherwise at least once every five years, re-affirm their understanding and observance of the terms of service;

c) always provide full and correct responses to requests for information.

AL2_CO_NUI#050 Record of User Acceptance

Obtain a record (hard-copy or electronic) of the Subscriber's and Subject's acceptance of the terms and conditions of service, prior to initiating the service and thereafter at periodic intervals, determined by significant service provision events (e.g. re-issuance, renewal) and otherwise at least once every five years.
AL2_CO_NUI#060 Withdrawn

Withdrawn.

AL2_CO_NUI#070 Change of Subscriber Information

Require and provide the mechanisms for Subscribers and Subjects to provide in a timely manner, as required under the terms of their use of the service and only after the Subscriber's and/or Subject's identity has been authenticated, full and correct amendments should any of their recorded information change.

AL2_CO_NUI#080 Withdrawn

Withdrawn.

4.1.10 Information Security Management

These criteria address the enterprise's management of the security requirements of its business, the specified service, and information it holds relating to its user community. This section focuses on the key components that comprise a well-established and effective Information Security Management System (ISMS), or other IT security management methodology recognized by a government or professional body.

An enterprise and its specified service must:

AL2_CO_ISM#010 Documented policies and procedures

Document all security-relevant administrative, management, and technical policies and procedures. The enterprise must ensure these are based upon recognized standards, and published references or organizational guidelines which are adequate for the specified service, and are implemented in the manner intended.

AL2_CO_ISM#020 Policy Management and Responsibility

Have a clearly defined managerial role, at a senior level, in which full responsibility for the business's security policies is vested and from which review, certification, and promulgation of policy and related procedures is applied and managed. The latest approved versions of these policies must be applied at all times.

AL2_CO_ISM#030 Risk Management

Demonstrate a risk management methodology that adequately identifies and mitigates risks related to the specified service and its user community.

AL2_CO_ISM#040 Continuity of Operations Plan

Have, and maintain the currency of, a Continuity of Operations Plan that covers disaster recovery and the resilience of the specified service.
AL2_CO_ISM#050 Configuration Management

Demonstrate that there is a configuration management system in place that at least includes:

a) version control for software system components;

b) timely identification and installation of all organizationally approved patches for any software used in the provisioning of the specified service.

AL2_CO_ISM#060 Quality Management

Demonstrate that there is a quality management system in place that is appropriate for the specified service.

AL2_CO_ISM#070 System Installation and Operation Controls

Apply controls during system development, procurement, installation, and operation that protect the security and integrity of the system environment, hardware, software, and communications.

AL2_CO_ISM#080 Internal Service Audit

Be subjected to a first-party audit at least once every 12 months for the effective provision of the specified service by an independent enterprise internal audit function, unless it can show that by reason of its organizational size or due to other operational restrictions it is unreasonable to be so audited.

Guidance: 'First-party' audits are conducted by an independent part of the same organization which offers the service. The auditors cannot be involved in the specification, development or operation of the service.

Using a 'third-party' auditor (i.e. one having no relationship with the Service Provider nor any vested interests in the outcome of the assessment other than their professional obligations to perform the assessment objectively and independently) should be considered when the organization cannot easily provide truly independent internal resources but wishes to benefit from the value which audits can provide. This could be accomplished by fulfilling the AL2_CO_ISM#090 requirement on a 12-monthly basis.

AL2_CO_ISM#090 Independent Audit

Be subjected to a third-party audit at least every 36 months to ensure the organization's security-related practices are consistent with the policies and procedures for the specified service and the applicable SAC.

Guidance: The appointed auditor shall be a Kantara-Accredited Assessor.
AL2_CO_ISM#100 Audit Records

Retain records of all audits, both internal and independent, for a period which, as a minimum, fulfills its legal obligations, which in any event is not less than 36 months. Such records must be held securely and be protected against unauthorized access, loss, alteration, public disclosure, or unapproved destruction.

AL2_CO_ISM#110 Withdrawn

Withdrawn.

4.1.11 Security-relevant Event (Audit) Records

These criteria apply to the need to provide an auditable log of all events that are pertinent to the correct and secure operation of the service.

An enterprise and its specified service must:

AL2_CO_SER#010 Security event logging

Maintain a log of all relevant security events affecting the operation of the service, together with an accurate record of the time, date and individual who performed the action, and retain such records with appropriate protection and controls to ensure successful retrieval, accounting for service definition, risk management requirements, applicable legislation, and organizational policy.

Guidance: It is sufficient that the accuracy of the time source is based upon an internal computer/system clock synchronized to an Internet time source. The time source need not be authenticable.
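As an added illustration of AL2_CO_SER#010 (example code written for this edition, not part of the SAC and not Kantara's or any CSP's implementation), the Python below builds a log record carrying the UTC time, date and acting individual the criterion asks for, and retains it in a form that makes later alteration detectable: each entry carries an HMAC over its own content and the previous entry's tag, so an edited, removed or reordered record breaks the chain. The field names, the chained-HMAC layout and the demo key are assumptions; the sample events are constructed.

```python
"""Tamper-evident security event log (added example, not Kantara's code).

Shows the record content AL2_CO_SER#010 requires (time, date, actor, action)
and one way to give retained records integrity protection.  Field names,
the chaining scheme and the key below are assumptions, not SAC text.
"""

import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key.  A real service keeps this in an HSM or key store
# separate from the log store, so whoever can read the log cannot re-sign it.
LOG_INTEGRITY_KEY = b"constructed-demo-key-not-for-production"

_FIELDS = ("time", "actor", "action", "outcome", "prev")


def _canonical(body):
    # Canonical JSON so that the same record always hashes the same way.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_record(actor, action, outcome, when=None, prev_tag=""):
    """Build one entry with an ISO-8601 UTC timestamp and a chain tag.

    The tag is an HMAC over the entry plus the previous entry's tag; the
    timestamp comes from the system clock, which the guidance allows as long
    as it is synchronized to an Internet time source.
    """
    when = when or datetime.now(timezone.utc)
    body = {
        "time": when.isoformat(timespec="seconds"),
        "actor": actor,
        "action": action,
        "outcome": outcome,
        "prev": prev_tag,
    }
    tag = hmac.new(LOG_INTEGRITY_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "tag": tag}


def append(log, actor, action, outcome, when=None):
    """Append an entry chained to the current last entry; returns the log."""
    prev = log[-1]["tag"] if log else ""
    log.append(make_record(actor, action, outcome, when, prev))
    return log


def verify(log):
    """Walk the chain; return (ok, index_of_first_bad_entry_or_None)."""
    prev = ""
    for i, rec in enumerate(log):
        body = {k: rec[k] for k in _FIELDS}
        if body["prev"] != prev:
            return False, i          # entry removed or reordered before here
        expected = hmac.new(LOG_INTEGRITY_KEY, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["tag"]):
            return False, i          # entry content changed after recording
        prev = rec["tag"]
    return True, None


def demo():
    """Constructed sample: three events, verified intact, then one edited."""
    t0 = datetime(2012, 10, 10, 9, 0, 0, tzinfo=timezone.utc)
    log = []
    append(log, "ops.alice", "credential.revoke", "success", t0)
    append(log, "ops.bob", "policy.update", "success", t0)
    append(log, "svc.verifier", "auth.verify", "failure", t0)
    intact = verify(log)
    log[1]["actor"] = "ops.mallory"   # an after-the-fact change to a retained record
    return intact, verify(log)         # -> ((True, None), (False, 1))
```

The chain only proves integrity relative to the key holder; if the key lives beside the log, a reader with write access could recompute every tag. Keeping the key apart from the log store (and periodically anchoring the latest tag somewhere the log writer cannot reach) is what turns this into a retention control an assessor can credit.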

4.1.12 Operational infrastructure

These criteria apply to the infrastructure within which the delivery of the specified service takes place. These criteria emphasize the personnel involved and their selection, training, and duties.

An enterprise and its specified service must:

AL2_CO_OPN#010 Technical security

Demonstrate that the technical controls employed will provide the level of security protection required by the risk assessment and the ISMS, or other IT security management methods recognized by a government or professional body, and that these controls are effectively integrated with the applicable procedural and physical security measures.
Guidance: Appropriate technical controls, suited to this Assurance Level, should be selected from [NIST800-63-1] or its equivalent, as established by a recognized national technical authority.

AL2_CO_OPN#020 Defined security roles

Define, by means of a job description, the roles and responsibilities for each service-related security-relevant task. Relate tasks to specific procedures (which shall be set out in the ISMS, or other IT security management methodology recognized by a government or professional body) and other service-related job descriptions. Where the role is security-critical or where special privileges or shared duties exist, these must be specifically identified as such, including the applicable access privileges relating to logical and physical parts of the service's operations.

AL2_CO_OPN#030 Personnel recruitment

Demonstrate that it has defined practices for the selection, evaluation, and contracting of all service-related personnel, both direct employees and consultants/contractors.

AL2_CO_OPN#040 Personnel skills

Ensure that employees are sufficiently trained, qualified, experienced, and current for the roles they fulfill. Such measures must be accomplished either by recruitment practices or through a specific training program. Where employees are undergoing on-the-job training, they must only do so under the guidance of a mentor possessing the defined service experience for the training being provided.

AL2_CO_OPN#050 Adequacy of Personnel resources

Have sufficient qualified staff to adequately operate and resource the specified service according to its policies and procedures.

AL2_CO_OPN#060 Physical access control

Apply physical access control mechanisms to ensure that:

a) access to sensitive areas is restricted to authorized personnel;

b) all removable media and paper documents containing sensitive information as plaintext are stored in secure containers.
Require a minimum of two-person physical access control when accessing any cryptographic modules.

AL2_CO_OPN#070 Logical access control

Employ logical access control mechanisms that ensure access to sensitive system functions and controls is restricted to authorized personnel.

4.1.13 External Services and Components

These criteria apply to the required relationships and obligations contracted parties must apply to the policies and procedures of the enterprise. These policies and procedures must also be available for assessment as parts of the overall service provision.

An enterprise and its specified service must:

AL2_CO_ESC#010 Contracted policies and procedures

Where the enterprise uses external suppliers for specific components of the service or for resources that are integrated with its own and under its control, ensure that those suppliers are engaged through reliable and appropriate contracts which stipulate which critical policies, procedures, and practices subcontractors are required to fulfill.

AL2_CO_ESC#020 Visibility of contracted parties

Where the enterprise uses external suppliers as noted above, ensure that the suppliers' compliance with contractually stipulated policies and procedures, and thus with IAF Service Assessment Criteria, can be independently verified, and subsequently monitored if necessary.

4.1.14 Secure Communications

An enterprise and its specified service must:

AL2_CO_SCO#010 Secure remote communications

If the specific service components are located remotely from and communicate over a public or unsecured network with other service components or other CSPs which it services, the communications must be cryptographically authenticated, including long-term and session tokens, by an authentication method that meets, at a minimum, the requirements of AL2 and encrypted using a [FIPS140-2] Level 1-compliant encryption method or equivalent, as established by a recognized national technical authority.
AL2_CO_SCO#015 Verification / Authentication confirmation messages

Ensure that any verification or confirmation of authentication messages, which asserts either that a weakly bound credential is valid or that a strongly bound credential has not been subsequently revoked, is logically bound to the credential and that the message, the logical binding, and the credential are all transmitted within a single integrity-protected session between the service and the Verifier / Relying Party.

AL2_CO_SCO#016 Verification of Revoked Credential

When a verification / authentication request results in notification of a revoked credential, one of the following measures shall be taken:

a) the confirmation message shall be time-stamped, or;

b) the session keys shall expire with an expiration time no longer than that of the applicable revocation list, or;

c) the time-stamped message, binding, and credential shall all be signed by the service.
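The following Python is an added example covering both AL2_CO_SCO#015 and AL2_CO_SCO#016 (it is not part of the SAC and not Kantara's or any CSP's code). The service issues a status message that is logically bound to the credential through its digest, carries a timestamp, and is signed as a whole; the relying party checks the signature, the binding, and that the message is no older than the revocation list it stands in for. The message layout, the one-hour list lifetime, the demo key and the credential bytes are constructed assumptions, and HMAC-SHA256 is used only as a stand-in for the digital signature a real deployment would apply.

```python
"""Time-stamped, signed credential-status confirmation (added example, not
Kantara's code).  Illustrates AL2_CO_SCO#015 (binding to the credential) and
AL2_CO_SCO#016 (a) and (c) (time-stamped and signed by the service).
Layout, key, list lifetime and HMAC-as-signature are assumptions."""

import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed demo key.  With HMAC the relying party must share it; a real
# service would instead sign with a private key and publish the public key.
SERVICE_SIGNING_KEY = b"constructed-demo-service-key"

# Assumption: the CSP's revocation list is reissued hourly, so a status
# message older than that is no more trustworthy than a stale list (#016 b).
REVOCATION_LIST_LIFETIME = timedelta(hours=1)


def _canonical(msg):
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def issue_status_message(credential_id, credential_digest, revoked, now):
    """Service side: bind status, credential and timestamp, then sign them."""
    msg = {
        "credential_id": credential_id,
        "credential_sha256": credential_digest,   # the logical binding (#015)
        "status": "revoked" if revoked else "valid",
        "issued_at": now.isoformat(timespec="seconds"),   # time-stamp (#016 a)
    }
    sig = hmac.new(SERVICE_SIGNING_KEY, _canonical(msg), hashlib.sha256).hexdigest()
    return {"message": msg, "signature": sig}          # signed as a whole (#016 c)


def check_status_message(signed, credential_bytes, now):
    """Relying-party side.  Returns (accepted, reason)."""
    msg, sig = signed["message"], signed["signature"]
    expected = hmac.new(SERVICE_SIGNING_KEY, _canonical(msg), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    # The assertion must be about the credential actually presented.
    if msg["credential_sha256"] != hashlib.sha256(credential_bytes).hexdigest():
        return False, "binding mismatch"
    issued = datetime.fromisoformat(msg["issued_at"])
    if issued > now or now - issued > REVOCATION_LIST_LIFETIME:
        return False, "stale"
    if msg["status"] == "revoked":
        return False, "credential revoked"
    return True, "valid"


def demo():
    """Constructed scenario: fresh valid, fresh revoked, aged, mis-bound, altered."""
    cred = b"constructed-credential-blob-for-user-42"
    digest = hashlib.sha256(cred).hexdigest()
    t0 = datetime(2012, 10, 10, 12, 0, 0, tzinfo=timezone.utc)
    soon = t0 + timedelta(minutes=5)
    fresh_valid = issue_status_message("cred-42", digest, False, t0)
    fresh_revoked = issue_status_message("cred-42", digest, True, t0)
    # Status field changed in transit while the original signature is kept.
    altered = {"message": dict(fresh_revoked["message"], status="valid"),
               "signature": fresh_revoked["signature"]}
    return {
        "valid_now": check_status_message(fresh_valid, cred, soon),
        "revoked_now": check_status_message(fresh_revoked, cred, soon),
        "valid_but_old": check_status_message(fresh_valid, cred, t0 + timedelta(hours=2)),
        "wrong_credential": check_status_message(fresh_valid, b"other-credential", soon),
        "altered_status": check_status_message(altered, cred, soon),
    }
```

The ordering of the checks matters for the relying party: signature first, so that nothing in an unauthenticated message is trusted; binding second, so that a genuine message about one credential cannot vouch for another; freshness before status, so that a "valid" answer older than the revocation cycle is not accepted on the strength of its signature alone. Carrying the message, binding and credential in one integrity-protected session, as #015 requires, is assumed to be provided by the transport and is not shown here.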

AL2_CO_SCO#020 Limited access to shared secrets

Ensure that:

a) access to shared secrets shall be subject to discretionary controls that only permit access by those roles/applications requiring such access;

b) stored shared secrets are not held in their plaintext form unless given adequate physical or logical protection;

c) any long-term (i.e., not session) shared secrets are revealed only to the Subject or to the CSP's direct agents (bearing in mind (a) above).

These roles should be defined and documented by the CSP in accordance with AL2_CO_OPN#020 above.

AL2_CO_SCO#030 Logical protection of shared secrets

Ensure that one of the alternative methods (below) is used to protect shared secrets:

a) concatenation of the password to a salt and/or username which is then hashed with an Approved algorithm such that the computations used to conduct a dictionary or exhaustion attack on a stolen password file are not useful to attack other similar password files, or;

b) encryption using an Approved algorithm and modes, and the shared secret decrypted only when immediately required for authentication, or;

c) any secure method allowed to protect shared secrets at Level 3 or 4.
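As an added example of option (a) in AL2_CO_SCO#030 (example code written for this edition, not part of the SAC and not Kantara's or any CSP's implementation), the Python below stores each password as a PBKDF2-HMAC-SHA256 digest over the username and password with a random per-user salt. Because every account has its own salt, a table precomputed against one stolen password file is of no use against another, which is the property the criterion asks for. PBKDF2 takes the salt as a parameter rather than by literal concatenation, but it serves the same purpose; the record layout and iteration count are assumptions.

```python
"""Per-user salted password storage (added example, not Kantara's code).

Illustrates AL2_CO_SCO#030 (a): username and password concatenated, hashed
with an Approved construction (PBKDF2-HMAC-SHA256, NIST SP 800-132) under a
random per-user salt.  Record layout and iteration count are assumptions.
"""

import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000   # assumption; tune to the service's hardware


def hash_password(username, password, salt=None):
    """Return a storable record; the plaintext password is never kept."""
    salt = salt or os.urandom(16)
    # Criterion (a): concatenate username and password, then hash with the
    # per-user salt.  The random salt is what defeats cross-file precomputation.
    secret = username.encode() + b"\x00" + password.encode()
    digest = hashlib.pbkdf2_hmac("sha256", secret, salt, PBKDF2_ITERATIONS)
    return {
        "username": username,
        "salt": salt.hex(),
        "iterations": PBKDF2_ITERATIONS,
        "digest": digest.hex(),
    }


def verify_password(record, password):
    """Recompute the digest from the stored salt and compare in constant time."""
    secret = record["username"].encode() + b"\x00" + password.encode()
    digest = hashlib.pbkdf2_hmac("sha256", secret,
                                 bytes.fromhex(record["salt"]), record["iterations"])
    # Constant-time comparison so response timing does not depend on how
    # many leading bytes of the candidate digest happened to match.
    return hmac.compare_digest(digest.hex(), record["digest"])


def same_password_different_digests(username_a, username_b, password):
    """Two accounts sharing a password must not share a stored digest."""
    a = hash_password(username_a, password)
    b = hash_password(username_b, password)
    return a["digest"] != b["digest"] and a["salt"] != b["salt"]
```

Storing the iteration count in the record lets the service raise it for new records without invalidating old ones; a record can be re-hashed to the new cost at the user's next successful login, when the plaintext is briefly available. That re-hash step is also the natural point at which an operator would migrate from this scheme to one of the methods option (c) allows at higher levels.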

Assurance Level 3

Achieving AL3 requires meeting more stringent criteria in addition to all criteria required to achieve AL2.

4.1.15 Enterprise and Service Maturity

Criteria in this section address the establishment of the enterprise offering the service and its basic standing as a legal and operational business entity.

An enterprise and its specified service must:

AL3_CO_ESM#010 Established enterprise

Be a valid legal entity and a person with legal authority to commit the organization must submit the signed certification application.

AL3_CO_ESM#020 Withdrawn

Withdrawn

AL3_CO_ESM#030 Legal & Contractual compliance

Demonstrate that it understands and complies with any legal requirements incumbent on it in connection with operation and delivery of the specified service, accounting for all jurisdictions within which its services may be offered. Any specific contractual requirements shall also be identified.

Guidance: Kantara Initiative will not certify a service which is not fully released to provide services to its intended user/client community. Systems, or parts thereof, which are not fully proven and released shall not be considered in an assessment and therefore should not be included within the scope of the certification application. Parts of systems still under development, or even still being planned, are therefore ineligible for inclusion within the scope of assessment.

AL3_CO_ESM#040 Financial Provisions

Provide proof of financial resources that support the continued operation of the service and demonstrate appropriate liability processes and procedures that satisfy the degree of liability exposure being carried.

Guidance: The organization must show that it has the financial resources to operate the service for at least a twelve-month period, with a clear review of the budgetary planning within that period. It must also show how it has determined the degree of liability protection required, in view of its exposure per 'service' and the number of users it has. This criterion helps ensure that Kantara Initiative does not grant certification to services that are not likely to be sustainable over at least this minimum period of time.
AL3_CO_ESM#050 Data Retention and Protection

Specifically set out and demonstrate that it understands and complies with those legal and regulatory requirements incumbent upon it concerning the retention and destruction of personally identifiable information (PII) (personal and business - i.e. its secure storage and protection against loss, accidental public exposure, and/or improper destruction) and the protection of Subjects' PII against unlawful or unauthorized access, excepting that permitted by the information owner or required by due process.

Guidance: Note that whereas the criterion is intended to address unlawful or unauthorized access arising from malicious or careless actions (or inaction), some access may be unlawful UNLESS authorized by the Subscriber or Subject, or effected as a part of a specifically-executed legal process.

AL3_CO_ESM#055 Termination provisions

Define the practices in place for the protection of Subjects' PII related to their use of the service which must ensure the ongoing secure preservation and protection of legally required records and for the secure destruction and disposal of any such information whose retention is no longer legally required. Specific details of these practices must be made available.

Guidance: Termination covers the cessation of the business activities, the service provider itself ceasing business operations altogether, change of ownership of the service-providing business, and other similar events which change the status and/or operations of the service provider in any way which interrupts the continued provision of the specific service.

AL3_CO_ESM#060 Ownership

If the enterprise named as the CSP is a part of a larger entity, the nature of the relationship with its parent organization shall be disclosed to the assessors and, on their request, to customers.

AL3_CO_ESM#070 Independent management and operations

Demonstrate that, for the purposes of providing the specified service, its management and operational structures are distinct, autonomous, have discrete legal accountability, and operate according to separate policies, procedures, and controls.
4.1.16 Notices and User Information

Criteria in this section address the publication of information describing the service and the manner of and any limitations upon its provision, and how users are required to accept those terms.

An enterprise and its specified service must:

AL3_CO_NUI#010 General Service Definition

Make a Service Definition available to the intended user community that includes all applicable Terms, Conditions, and Fees, including any limitations of its usage, and definitions of any terms having specific intention or interpretation. Specific provisions are stated in further criteria in this section.

Guidance: The intended user community includes potential and actual Subscribers, Subjects and relying parties.

AL3_CO_NUI#020 Service Definition inclusions

Make a Service Definition available for the specified service containing clauses that provide the following information:

a) Privacy, Identity Proofing & Verification, and Revocation and Termination Policies;

b) the country in or the legal jurisdiction under which the service is operated;

c) if different to the above, the legal jurisdiction under which Subscriber and any relying party agreements are entered into;

d) applicable legislation with which the service complies;

e) obligations incumbent upon the CSP;

f) obligations incumbent upon the Subscriber and Subject;

g) notifications and guidance for relying parties, especially in respect of actions they are expected to take should they choose to rely upon the service's product;

h) statement of warranties;

i) statement of liabilities toward both Subjects and Relying Parties;

j) procedures for notification of changes to terms and conditions;

k) steps the CSP will take in the event that it chooses or is obliged to terminate the service;

l) availability of the specified service per se and of its help desk facility.

AL3_CO_NUI#030 Due notification

Have in place and follow appropriate policy and procedures to ensure that it notifies Subscribers and Subjects in a timely and reliable fashion of any changes to the Service Definition and any applicable Terms, Conditions, Fees, and Privacy Policy for the specified service, and provide a clear means by which Subscribers and Subjects must indicate that they wish to accept the new terms or terminate their subscription.
AL3_CO_NUI#040 User Acceptance

Require Subscribers and Subjects to:

a) indicate, prior to receiving service, that they have read and accept the terms of service as defined in the Service Definition;

b) at periodic intervals, determined by significant service provision events (e.g. issuance, re-issuance, renewal) and otherwise at least once every five years, re-affirm their understanding and observance of the terms of service;

c) always provide full and correct responses to requests for information.

AL3_CO_NUI#050 Record of User Acceptance

Obtain a record (hard-copy or electronic) of the Subscriber's and Subject's acceptance of the terms and conditions of service, prior to initiating the service and thereafter reaffirm the agreement at periodic intervals, determined by significant service provision events (e.g. re-issuance, renewal) and otherwise at least once every five years.

AL3_CO_NUI#060 Withdrawn

Withdrawn.

AL3_CO_NUI#070 Change of Subscriber Information

Require and provide the mechanisms for Subscribers and Subjects to provide in a timely manner full and correct amendments should any of their recorded information change, as required under the terms of their use of the service, and only after the Subscriber's and/or Subject's identity has been authenticated.

AL3_CO_NUI#080 Withdrawn

Withdrawn.

4.1.17 Information Security Management

These criteria address the way in which the enterprise manages the security of its business, the specified service, and information it holds relating to its user community. This section focuses on the key components of a well-established and effective Information Security Management System (ISMS), or other IT security management methodology recognized by a government or professional body.

An enterprise and its specified service must:

AL3_CO_ISM#010 Documented policies and procedures

Document all security-relevant administrative, management and technical policies and procedures. The enterprise must ensure that these are based upon recognized standards, published references or organizational guidelines, are adequate for the specified service, and are implemented in the manner intended.

AL3_CO_ISM#020 Policy Management and Responsibility

Have a clearly defined managerial role, at a senior level, where full responsibility for the business's security policies is vested and from which review, certification, and promulgation of policy and related procedures is applied and managed. The latest approved versions of these policies must be applied at all times.

AL3_CO_ISM#030 Risk Management

Demonstrate a risk management methodology that adequately identifies and mitigates risks related to the specified service and its user community. The risk assessment review shall be performed at least once every six months and must show adherence to practices such as Control Objectives for Information and Related Technology (CobIT) or [ISO 27001] practices.

AL3_CO_ISM#040 Continuity of Operations Plan

Develop and maintain a continuity of operations plan that covers disaster recovery and the resilience of the specified service and show that a review of this plan is performed at least once every six months.

AL3_CO_ISM#050 Configuration Management

Demonstrate that there is a configuration management system in place that at least includes:

a) version control for software system components;

b) timely identification and installation of all organizationally-approved patches for any software used in the provisioning of the specified service;

c) version control and managed distribution for all documentation associated with the specification, management, and operation of the system, covering both internal and publicly available materials.

AL3_CO_ISM#060 Quality Management

Demonstrate that there is a quality management system in place that is appropriate for the specified service.

AL3_CO_ISM#070 System Installation and Operation Controls

Apply controls during system development, procurement, installation, and operation that protect the security and integrity of the system environment, hardware, software, and communications with particular regard to:
a) the software and hardware development environments, for customized components;

b) the procurement process for commercial off-the-shelf (COTS) components;

c)