https://wiki.idesg.org/index.php?action=history&feed=atom&title=Secure_Req_1Secure Req 1 - Revision history2026-05-01T09:53:25ZRevision history for this page on the wikiMediaWiki 1.38.4https://wiki.idesg.org/index.php?title=Secure_Req_1&diff=6545&oldid=prevOmaerz: 9 revisions imported: Initial Upload of old pages from IDESG Wiki2018-06-28T04:03:32Z<p>9 revisions imported: Initial Upload of old pages from IDESG Wiki</p>
<p><b>New page</b></p><div>''<< Back to [[Baseline_Functional_Requirements_v1.0|Baseline Functional Requirements Index]]''<br />
<br />
== SECURE-1. SECURITY PRACTICES ==<br />
Entities MUST apply appropriate and industry-accepted information security [[IDEF Glossary STANDARDS|STANDARDS]], guidelines, and practices to the systems that support their identity functions and services.<br />
<br />
=== SUPPLEMENTAL GUIDANCE ===<br />
Entities may satisfy this Requirement by confirming that they (a) have considered existing<br />
information security standards, guidelines and practices relevant to their environment; (b) have<br />
identified the specific sources of guidance that are appropriate for their operations, in light of the<br />
information security risks they face; and (c) have implemented the portions of that guidance they<br />
deemed appropriate.<br />
<br />
This Requirement does not mandate which information security policies, procedures or technologies<br />
an entity should or must use. However, some specific policies and technologies are the subject of<br />
other, more specific items elsewhere in this Requirements set.<br />
<br />
Entities must have risk-based countermeasures and safeguards in place to resist common threats to<br />
identity solutions and identity data, including, for example, Session hijacking; Eavesdropping; Theft;<br />
Man-in-the-middle; Online Guessing; Replay; Unauthorized copying or duplication; and Insider<br />
Threats.<br />
<br />
The security standards, guidelines, and practices employed in digital identity management services,<br />
to govern the security of their networks, devices, solutions, and systems, must be both operational and<br />
well documented. Please note the applicability of Requirement [[Interop Req 5|INTEROP-5 (DOCUMENTED PROCESSES)]]<br />
regarding documentation and best practice [[Interop Best Practice G|INTEROP-BP-G (RECOMMENDED LEGAL COMPLIANCE)]]<br />
regarding limitations imposed by laws. Please note the applicability of best practice [[Interop Best Practice F|INTEROP-BP-F<br />
(RECOMMENDED FEDERATION COMPLIANCE)]] and Requirement [[Interop Req 6|INTEROP-6 (THIRD-PARTY<br />
COMPLIANCE)]] regarding limitations arising from the involvement of [[IDEF Glossary THIRD PARTIES|THIRD-PARTIES]] such as<br />
intermediaries, similar service providers, or [[IDEF Glossary FEDERATIONS|FEDERATIONS]].<br />
<br />
=== REFERENCES ===<br />
Potential candidates for adoption include: ISO/IEC 27000 series, PCI-DSS, NIST SP 800-53-4, CSA<br />
CCM, COBIT v5, FFIEC (multiple documents), PCI-DSS, NISTIR 7621 R1 (draft) <br />
<br />
=== APPLIES TO ACTIVITIES ===<br />
[[IDEF Functional Model REGISTRATION|REGISTRATION]], <br />
[[IDEF Functional Model CREDENTIALING|CREDENTIALING]], <br />
[[IDEF Functional Model AUTHENTICATION|AUTHENTICATION]], <br />
[[IDEF Functional Model AUTHORIZATION|AUTHORIZATION]], <br />
[[IDEF Functional Model INTERMEDIATION|INTERMEDIATION]]<br />
<br />
=== KEYWORDS ===<br />
[[IDEF Keywords POLICIES|POLICIES]], [[IDEF Keywords RISK|RISK]], [[IDEF Keywords SECURITY|SECURITY]], [[IDEF Keywords OPEN-STANDARDS|OPEN-STANDARDS]]<br />
<br />
----<br />
----<br />
Quick Links: [[SALS]] | [[Baseline Functional Requirements v1.0]] | [[Glossary]] |<br />
<br />
----<br />
----</div>Omaerz