Example Requirements for UXC Review - Revision history

Omaerz: 3 revisions imported: Initial Upload of old pages from IDESG Wiki

2018-06-28T03:52:23Z

3 revisions imported: Initial Upload of old pages from IDESG Wiki

New page

=== Example Requirements ===
==== Compiles for UXC to facilitate development of UXC requirements ====
-- Developed by Ellen Nadeau

== Interoperability Requirements ==
*Pulled from original NSTIC derived requirements 
'''Requirement''': Organizations shall accept external users authenticated by third parties. 
'''Requirement''': Organizations shall adopt common business policies and processes (e.g., liability, identity proofing, and vetting) related to the transmission, receipt, and acceptance of data between systems. 

=== Privacy Committee Requirements ===
*Developed by privacy committee 
'''Requirement''': Organizations shall provide concise, meaningful, timely, and easy-to-understand mechanisms to end-users on how they collect, use, disseminate, and maintain personal information. 
'''Requirement''': When terminating business operations or overall participation in the Identity Ecosystem, organizations shall, while maintaining the security of individuals' information, transfer it upon their request and destroy it unless they request otherwise.

=== Security Committee Requirements ===
*Developed by security committee 
'''Requirement''': User control of the credential and associated token is proven during the authentication process. 
'''Supplemental information/guidance''': Successful authentication requires that the user prove, through a secure authentication protocol, that he or she controls the credential and associated token(s). 

'''Requirement''': The confidentiality and integrity of shared secrets are protected. Shared Secrets are never stored in plaintext. 
'''Supplemental information/guidance''': 
The execution of all identity transactions and functions should make use of transport that offers confidentiality and integrity protection such as a secure (encrypted) transport. 
Sensitive data collected during identity transactions should be protected at all times using industry accepted practices for encryption and data protection. 
Where operations and functions are executed by separate organizations, secure transport mechanisms and business processes should be used to preserve the confidentiality and integrity of identity data being transmitted to and stored by service providers. 
Entities should have countermeasures and safe-guards in place to resist common threats to identity solutions and identity data, including (but not limited to): 
* Session hijacking 
* Eavesdropping 
* Theft 
* Man-in-them-middle 
* Online Guessing 
* Replay 
* Unauthorized copying or duplication 
[[Category:User Experience]]

Mary Hodder: syntax fix

2014-10-22T04:13:49Z

syntax fix

← Older revision		Revision as of 04:13, 22 October 2014
Line 1:		Line 1:
	== Example Requirements ==		=== Example Requirements ===
	==== Compiles for UXC to facilitate development of UXC requirements ====		==== Compiles for UXC to facilitate development of UXC requirements ====
	-- Developed by Ellen Nadeau		-- Developed by Ellen Nadeau

Mary Hodder: added doc

2014-10-22T04:13:09Z

added doc

New page

== Example Requirements ==
==== Compiles for UXC to facilitate development of UXC requirements ====
-- Developed by Ellen Nadeau

== Interoperability Requirements ==
*Pulled from original NSTIC derived requirements 
'''Requirement''': Organizations shall accept external users authenticated by third parties. 
'''Requirement''': Organizations shall adopt common business policies and processes (e.g., liability, identity proofing, and vetting) related to the transmission, receipt, and acceptance of data between systems. 

=== Privacy Committee Requirements ===
*Developed by privacy committee 
'''Requirement''': Organizations shall provide concise, meaningful, timely, and easy-to-understand mechanisms to end-users on how they collect, use, disseminate, and maintain personal information. 
'''Requirement''': When terminating business operations or overall participation in the Identity Ecosystem, organizations shall, while maintaining the security of individuals' information, transfer it upon their request and destroy it unless they request otherwise.

=== Security Committee Requirements ===
*Developed by security committee 
'''Requirement''': User control of the credential and associated token is proven during the authentication process. 
'''Supplemental information/guidance''': Successful authentication requires that the user prove, through a secure authentication protocol, that he or she controls the credential and associated token(s). 

'''Requirement''': The confidentiality and integrity of shared secrets are protected. Shared Secrets are never stored in plaintext. 
'''Supplemental information/guidance''': 
The execution of all identity transactions and functions should make use of transport that offers confidentiality and integrity protection such as a secure (encrypted) transport. 
Sensitive data collected during identity transactions should be protected at all times using industry accepted practices for encryption and data protection. 
Where operations and functions are executed by separate organizations, secure transport mechanisms and business processes should be used to preserve the confidentiality and integrity of identity data being transmitted to and stored by service providers. 
Entities should have countermeasures and safe-guards in place to resist common threats to identity solutions and identity data, including (but not limited to): 
* Session hijacking 
* Eavesdropping 
* Theft 
* Man-in-them-middle 
* Online Guessing 
* Replay 
* Unauthorized copying or duplication