https://wiki.idesg.org/index.php?action=history&feed=atom&title=Secure_Req_2Secure Req 2 - Revision history2026-05-01T09:58:53ZRevision history for this page on the wikiMediaWiki 1.38.4https://wiki.idesg.org/index.php?title=Secure_Req_2&diff=6610&oldid=prevOmaerz: 9 revisions imported: Initial Upload of old pages from IDESG Wiki2018-06-28T04:03:35Z<p>9 revisions imported: Initial Upload of old pages from IDESG Wiki</p>
<p><b>New page</b></p><div>''<< Back to [[Baseline_Functional_Requirements_v1.0|Baseline Functional Requirements Index]]''<br />
<br />
== SECURE-2. DATA INTEGRITY ==<br />
Entities MUST implement industry-accepted practices to protect the confidentiality and integrity of identity data - including authentication data and attribute values - during the execution of all digital identity management functions, and across the entire data lifecycle (collection through destruction).<br />
<br />
=== SUPPLEMENTAL GUIDANCE ===<br />
The execution of all identity transactions and functions must make use of transport that offers<br />
confidentiality and integrity protection (e.g., properly configured TLS).<br />
<br />
Where operations and functions are executed by separate organizations, secure transport<br />
mechanisms and business processes must be used to preserve the confidentiality and integrity of<br />
identity data being transmitted to and stored by service providers.<br />
<br />
Authentication data (e.g., passwords and passphrases) must be properly protected through industry<br />
accepted cryptographic techniques (e.g., salted and hashed).<br />
<br />
Sensitive data collected during identity transactions must be protected at all times using industry<br />
accepted practices for encryption and data protection.<br />
<br />
Appropriate access control measures must be in place to ensure access to identity data is restricted<br />
to only authorized users with a need to know. Appropriate access control measures including<br />
multifactor authentication must be in place to ensure that access to identity data by data custodians is<br />
restricted to users responsible for administering and maintaining the data. See [[Secure Req 8|SECURE-8<br />
(MULTIFACTOR AUTHENTICATION)]]. All access to identity data must be securely logged and separation<br />
of duties should be considered as a means to further limit access. See [[Secure Req 14|SECURE-14 (SECURITY LOGS)]].<br />
<br />
Please note, the [[Baseline_Functional_Requirements_v1.0#Privacy|IDESG Privacy Requirements]] (PRIVACY-1 through PRIVACY-15) also impose separate<br />
requirements on the handling and storage of identifiers attributes and credentials.<br />
<br />
=== REFERENCES ===<br />
FICAM TFPAP Trust Criteria, LOA 1-3, Multiple Sections, PCI-DSS (actually Requirement 7 & 8 – pages<br />
61-72), ISO 27002 (2005) Sec. 11, FFIEC, Wholesale Payment System Booklet,<br />
http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_WholesalePaymentSystems.pdf<br />
<br />
=== APPLIES TO ACTIVITIES ===<br />
[[IDEF Functional Model REGISTRATION|REGISTRATION]], <br />
[[IDEF Functional Model CREDENTIALING|CREDENTIALING]], <br />
[[IDEF Functional Model AUTHENTICATION|AUTHENTICATION]], <br />
[[IDEF Functional Model AUTHORIZATION|AUTHORIZATION]], <br />
[[IDEF Functional Model INTERMEDIATION|INTERMEDIATION]]<br />
<br />
=== KEYWORDS ===<br />
[[IDEF Keywords ATTRIBUTES|ATTRIBUTE]], [[IDEF Keywords DATA-INTEGRITY|DATA-INTEGRITY]], [[IDEF Keywords SECURITY|SECURITY]]<br />
<br />
----<br />
----<br />
Quick Links: [[SALS]] | [[Baseline Functional Requirements v1.0]] | [[Glossary]] |<br />
<br />
----<br />
----</div>Omaerz