Omaerz: 16 revisions imported: Initial Upload of old pages from IDESG Wiki

2018-06-28T04:01:54Z

16 revisions imported: Initial Upload of old pages from IDESG Wiki

New page

''<< Back to [[Baseline_Functional_Requirements_v1.0|Baseline Functional Requirements Index]]''

== INTEROP-6. THIRD-PARTY COMPLIANCE ==
Entities that act as [[IDEF Glossary THIRD PARTIES|THIRD-PARTY]] service providers for another entity, in conducting [[IDEF Glossary DIGITAL IDENTITY MANAGEMENT FUNCTIONS|digital identity management functions]], must comply with each of the applicable [[Baseline Functional Requirements v1.0|IDESG Baseline Requirements]] that apply to that other entity and those relevant functions.

=== SUPPLEMENTAL GUIDANCE ===
This Requirement applies to outsourcing or delegation of [[IDEF Glossary DIGITAL IDENTITY MANAGEMENT FUNCTIONS|digital identity management functions]] or transactions to [[IDEF Glossary THIRD PARTIES|THIRD-PARTIES]]. An entity assessing its compliance with the applicable IDESG Baseline Requirements must also apply them to the functions or transactions carried out on its behalf by a service provider. For purposes of this Requirement, the term "THIRD-PARTY service provider" refers to THIRD-PARTIES that an assessed entity outsources or delegates to perform digital identity management functions on behalf of the assessed entity.

In some [[IDEF Glossary FEDERATIONS|FEDERATIONS]], the federation itself may also act as an intermediary or service provider for participant entities in some identity management functions, and thereby be subject to this requirement.

Cloud computing service providers providing data storage or other services for an entity may also be within the scope of this Requirement, depending on the functions performed on behalf of the assessed entity, and the provider's access to the data handled on behalf of the assessed entity. See comments about "data storage companies" in the Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the HITECH Act (2013), Final Rule comments on HITECH Act Section 13408: http://federalregister.gov/a/2013-01073.

Regarding "digital identity management functions", see [[APPENDIX_A-Defined_Terms|Appendix A]].

=== REFERENCES ===
Reference for cloud computing processors of personal information: ISO/IEC 27018 (2014): Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors. http://www.iso.org/iso/catalogue_detail.htm?csnumber=61498, and https://www.iso.org/obp/ui/#iso:std:iso-iec:27018:ed-1:v1:en

Reference example of intermediaries and similar subcontractors or service agencies who fulfill data transactions for others, and take responsibility for their compliance with various requirements: see "Business Associate" regulations in the HIPAA Privacy Regulations: 45 CFR Parts 160 and 164, §§ 160.103, 164.502(a)(3), (a)(4) and (e); and the treatment of "Clearinghouse" functions in § 164.500(b) : http://www.ecfr.gov/cgi-bin/text-idx?node=pt45.1.164&rgn=div5

=== APPLIES TO ACTIVITIES ===
[[IDEF Functional Model REGISTRATION|REGISTRATION]],
[[IDEF Functional Model CREDENTIALING|CREDENTIALING]],
[[IDEF Functional Model AUTHENTICATION|AUTHENTICATION]],
[[IDEF Functional Model AUTHORIZATION|AUTHORIZATION]],
[[IDEF Functional Model INTERMEDIATION|INTERMEDIATION]]

=== KEYWORDS ===
[[IDEF Keywords COMPLIANCE|COMPLIANCE]], [[IDEF Keywords INTEROPERABILITY|INTEROPERABILITY]], [[IDEF Keywords INTERMEDIARIES|INTERMEDIARIES]],
[[IDEF Keywords TRANSACTION|TRANSACTION]], [[IDEF Keywords THIRD PARTIES|THIRD-PARTIES]]

----
----
Quick Links: [[SALS]] | [[Baseline Functional Requirements v1.0]] | [[Glossary]] |

----
----

Interop Req 6 - Revision history

Omaerz: 16 revisions imported: Initial Upload of old pages from IDESG Wiki