SALS FAQs

From IDESG Wiki
Revision as of 04:03, 28 June 2018 by Omaerz (talk | contribs) (12 revisions imported: Initial Upload of old pages from IDESG Wiki)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
Error creating thumbnail: File missing
This article is under construction and should not be considered complete.
Last modified by Omaerz

Identity Ecosystem Steering Group (IDESG): Self-Assessment Listing Service (SALS)

FREQUENTLY ASKED QUESTIONS

The definitive current text for this document is posted on the Web. Any versions in static downloadable form are provided for convenience only, and may not always represent the most current information.
PDF DOWNLOAD LINK: https://workspace.idesg.org/kws/public/download/431/latest/SALS-FAQs-v3.98-20160111.pdf


GENERAL QUESTIONS

What is this document?

This document provides answers to frequently asked questions regarding the IDESG’s Self-Assessment Listing Service ("SALS") program. The SALS provides an authoritative source of self-reported contact and basic service information about a select group of companies, government agencies, and other entities that offer trustworthy and reliable online identity-related services.

What is the IDESG SALS?

The Self Assessment Listing Service is a publicly-accessible listing service of entities that provide online identity services ( "Service Providers") that have self-assessed and confirmed their conformity to the IDEF Baseline Functional Requirements v1.0. The SALS helps parties to evaluate the policies and operations of the Service Providers with which they interact, and to compare identity services across multiple Service Providers, to assure that their practices meet their needs for online security, privacy, interoperability and positive user experience.

The IDESG has developed the IDEF and the SALS Program to raise the bar for online services as envisioned in the US National Strategy for Trusted Identities in Cyberspace ("NSTIC"). See also "What is the IDESG?" below. The SALS provides a way for Service Providers to publicly declare their conformity to the IDEF Baseline Requirements, thus providing useful information to individual and institutional consumers of their services in order to make better-informed selections of services that best fit their respective needs.

Why was the SALS created?

The IDESG SALS program presents an invitation to identity Service Providers to self-assess against the Identity Ecosystem Framework (IDEF) – a set of common, baseline requirements for the performance of identity-related services for privacy, security, interoperability, and user experience for the online Identity Ecosystem. The SALS Program is intended to provide transparency and information to SALS Users that the Service Providers listed on the SALS have asserted conformance to the common requirements.

Who needs this service?

The SALS is of value to parties that depend on the reliability and integrity of online identity and data services. That includes almost everyone who interacts online. The SALS helps individuals and entities decide who they want to trust online. It is of use to those parties that want to learn more about the reliability and trustworthiness of online identities and data services offered in the various markets—based on the degree of implementation and conformance to the IDEF Baseline Requirements.

Who is on the SALS list?

The entities whose information is displayed in the SALS program have taken the time and effort to publicly confirm their positive self-assessment of their conformity to the IDEF Baseline Requirements. This distinguishes them from other companies and identity service organizations, and demonstrates their commitment to the IDESG principles of security, privacy, security, ease of use, cost effectiveness, resiliency, interoperability and user choice. These Service Providers have voluntarily taken on additional effort and expense to earn your trust.

Are there any costs for SALS listings or usage?

Application to the IDESG’s SALS Program, and access to the SALS Listing Information, are available at no charge to Service Providers or to the public at this time. Parties that are listed on SALS are referred to as "Service Providers" and parties that simply access the SALS listing information are referred to as "SALS Users."

What is the IDESG?

The Identity Ecosystem Steering Group (IDESG) is a non-profit, non-governmental organization established to promote secure, user-friendly ways to help provide individuals and organizations confidence in their online interactions. The IDESG was established to advance the National Strategy for Trusted Identities in Cyberspace (NSTIC), an initiative (PDF file) that was launched by the President of the United States in 2011 to establish and sustain an online interaction environment that is secure, broadly interoperable, cost-effective and easy to use and that enhances privacy of the individual and provides greater security for individuals and entities. For additional information on the IDESG, see http://www.idesg.org/About/Overview.

To further this mission, the IDESG has produced a set of rules, guidelines, standards and processes called the "Identity Ecosystem Framework" (IDEF) to which online identity Service Providers and related parties are invited to use to assess and report on their degree of implementation and conformance through the SALS Program. When multiple Service Providers commit to the common standard of the IDEF, it results in their being able to better work together to provide more trustworthy, secure services and to enhance the leverage of identity credentials that citizens already possess for multiple purposes. This makes listed Service Providers uniquely valuable. They have demonstrated their commitment to privacy, security, user needs and other NSTIC principles by taking on the cost and effort of self-certification and compliance. Their common commitment to the NSTIC goals is a form of policy standardization that, like technical standardization, is a pathway to enhanced risk reduction and leverage for listed Service Providers and SALS Users.

What is the Identity Ecosystem Framework?

The IDESG’s Identity Ecosystem Framework project ("IDEF") defines the set of minimum, baseline requirements for Service Providers in the Identity Ecosystem. The IDEF contains rules, reference models, processes and policies that describe how entities in the Identity Ecosystem are expected to operate. The purpose of the IDEF is to lay the foundation for a thriving Identity Ecosystem that operates in accordance with the NSTIC guiding principles of increased security, interoperability, ease of use and enhanced privacy. The IDESG has developed the IDEF, and the SALS Program, to meet the principles that all participants in a broad, open, safe community of federated identity should voluntarily follow.

Are there plans to expand the SALS to include third party assessment and certification marks?

Yes. Initially the program calls for the self-assessment and conformance confirmation of Service Providers to the Baseline Requirements. The IDESG is building future capability for third-party assessment and conformance attestation as well.

What is the self-assessment process for SALS listing?

The self-assessment is a responding party's evaluation of its performance in implementing each of the IDEF Baseline Requirements, using a structured checklist format (the SALS Self-Assessment Matrix) in a form that enables applicant Service Providers easily to confirm and express their conformance to the IDEF Baseline Requirements. SALS applicant Service Providers will need to assess their organization’s policies, procedures, systems and operations against the IDEF Baseline Requirements to determine the degree to which they have implemented and conform to those requirements. The self-assessment results are recorded on the SALS Matrix and submitted to the IDESG, along with a statement reporting on the applicants’ status of implementation (if not fully conformant) or attesting to its full conformance to the applicable requirements. The IDESG will post organizational information and the SALS Matrix for all accepted Service Providers.

The IDESG does not validate the substance of the self-assessment information it receives from applicant Service Providers. Rather, the IDESG publicly posts the completed SALS Matrix self-report for each responding Service Provider.

What types of entities can be listed in the SALS?

There are a variety of different entities that might be interested in distinguishing themselves in markets and service settings as offering the risk reduction and leverage advantages of conformity to the IDEF Baseline Requirements. This includes any entity providing "identity services" in an existing online Identity system (Service Providers) and institutional parties that handle and consume identity information from such Service Providers (Relying Parties). Such services include, but are not limited to, the following:

  • Identity account enrollment, registration, and/or maintenance;
  • Identity proofing and/or verification;
  • Credential issuance and/or management; and
  • Authentication and authorization services that rely on identity authentication from others, for access authorization and/or transactions, such as online retail sites, cloud service providers, or online government benefits programs. Sometimes called "Relying Parties."

See IDESG's Functional Model (PDF link) for more information and discussion of those roles.

The types of services listed above reflect different stages of the processes through which identities of people, entities and things are established and maintained online in networked information systems. They are separated out for SALS purposes because each listed stage of the identity process involves different types of data-related actions and each has a different risk profile, and because many of the listed subservices are provided by different parties, even within a single online identity system.

How do the "Relying Parties" (the fourth service role above) differ from 1 through 3?

Relying Parties include the businesses and governments that rely upon the online identity systems offered by the Service Providers described by the previous three categories. Even though they rely on the credentials in the ordinary course of their respective businesses, many of these Service Providers also have a role in protecting the integrity of the systems that enhance IDESG principles.

"Relying Parties" may be the largest category of potential reporting entity, since there are many more Relying Parties than there are Service Providers in the first 3 categories. The "authorization" role in the last category of provider is roughly analogous to the role of restaurants or retail stores in the credit card system. In credit card networks, there are many more retail establishments that accept and rely on cards than there are banks that issue the cards and handle payments and payment processors that facilitate the information flows. Consider that restaurants rely on the integrity of the information systems maintained by the credit card companies, banks and other stores and restaurants (so that they don’t end up giving away free meals), AND they also have a role to play as part of that system in maintaining its integrity.

For example, restaurants and stores have to make certain that their employees don’t misuse credit card information since that would harm the system and the many parties that rely on its integrity. In order to similarly reflect the entire Identity Ecosystem, the SALS includes both traditional identity service providers (roles 1-3) and other service providers that rely on online identity systems (role 4) in the listing in an effort to assure that there is a single place where stakeholders can check to confirm that all transactional parts of the online Identity Ecosystem are working in harmony with respect to the IDESG principles.

Why are identity services subdivided into defined classes, in the IDEF and SALS materials?

In today’s distributed online identity systems, multiple parties typically work together to provide identity services in a given system. In fact, technical and policy standards upon which all stakeholders can rely enable these networks of relationships to grow without the parties having to deal directly with one another. This is the case in credit card systems, for example, and other similar existing networks of relationships that rely upon technical and policy standards to help guide their participants to work better together to provide the consistency and reliability needed to earn trust in both economic transactions and social and political interactions in various distinct settings.

These services are the "nuts and bolts" of online trusted systems. If they are properly operated with attention to the IDESG principles, they can result in trusted online identity systems, and trustworthy relationships and interactions that are more reliable, predictable, consistent and less risky.

QUESTIONS FROM PROVIDERS

What is the value of the SALS for Identity Service Providers and Relying Parties?

By qualifying for listing in the SALS, Service Providers and Relying Parties gain:

  • Risk reduction through the clarification of duties offered by the IDEF Baseline Requirements;
  • Competitive differentiation from parties not listed in the IDESG SALS;
  • Marketing exposure to SALS Users;
  • Identification of potential joint offerings and collaborations with other Service Providers;
  • Reputation enhancement for online policy leadership and customer care innovation;
  • Permission to reference their listing as listed IDESG Identity Service Provider in advertising and promotional materials; and
  • Benefit of timely access to IDESG publications and research into emerging customer needs and market trends as reflected in the IDESG IDEF and discussion forums.

What is required for a Service Provider to be listed in the SALS?

To be listed in the SALS, Service Providers must be bona fide service providers in the Identity Ecosystem and must self-assess and report on the degree that their identity-related services conform to the IDEF Baseline Requirements.

How do I provide a report as a Service Provider for posting in the SALS Program?

  • Download or review the SALS Application Package on (this) IDESG SALS website.
  • Perform the self-assessment.
  • Report self-assessment results on the SALS Matrix.
  • Complete either the Full Compliance Attestation Form or the Status Report Attestation Form, as applicable.
  • Submit PDF file of the SALS Matrix and the appropriate attestation form to the IDESG, as described in the Application Instructions and Attestation Forms. The SALS Application Package contains all necessary forms in order to be considered for listing.

What is the Self-Assessment Matrix, and how do I use it for my own self-assessment?

The Matrix provides a standard structure for Service Providers to report the results of their assessment of their operations based on the IDEF Baseline Requirements. The Matrix lists all applicable baseline requirements for the Service Providers’ functions under assessment and links to Supplemental Guidance for each requirement to assist in the self-assessment process. The Matrix allows SALS Applicants to report the status of implementation for each requirement in one of four ways: fully conformant, implementation underway, implementation considered and implementation not considered/applicable. The Matrix allows SALS Applicants to provide additional information to support the reported status of implementation.

What is the process for getting listed on IDESG SALS?

Service Providers can download or review the SALS Application Package. The Application Package contains:

After completing the self-assessment (using the Matrix), SALS applicant Service Providers complete and sign either the Full Compliance Attestation (Path 1) or the Status Report Attestation (Path 2), as applicable, along with the completed Self-Assessment Matrix, and submit them to the IDESG. The IDESG processes the application and then adds accepted Service Providers to the SALS, and posts their relevant Application Information to the publicly-available listing.

How can I get help with my questions about the application process?

Questions and/or requests for information or assistance can be sent to sals@idesg.org.

QUESTIONS FROM SALS USERS

What is the value of the SALS for individuals and entities?

By using the IDESG SALS to help select their online service providers, SALS Users can gain:

  • Greater privacy, security, and transparency when conducting business online,
  • Easier-to-use online systems,
  • Cost savings and resource savings through simpler identity controls,
  • Relevant identity information to help inform online transaction decisions,
  • Improved service consistency, reliability, and predictability across various online services, and
  • Greater engagement with future Identity Ecosystem developments.

Is the IDESG providing independent verification of the Provider self-assessment?

No. The IDESG does not validate the Service Provider self-assessment information it receives. Rather, the SALS Program uses crowdsourcing and reputation to ensure the accuracy of SALS Self-Assessment entries.

Does the IDESG SALS automatically update SALS entries when the provider changes its policies or operations?

No. Listed Service Providers are required under the SALS Terms of Use to update their entries to reflect material changes, and are required to reconfirm and/or update their listing information at least annually.

How can I convince my Identity Service Providers to get on the SALS?

Let your Service Providers know that the IDESG's principles and requirements are important to you, and affect your decisions about who you want to associate with online. You can vote with the choices you make online. If you are either an Identity Service Provider that is currently not on the SALS, or you are working with one who is not, ask yourself why. Please encourage your organization to review the SALS Application Package] to increase the transparency and integrity of their customers’ online interactions.

What prevents Service Providers from providing false or misleading information about their self-assessment results?

The SALS Terms of Use requires the self-assessment information submitted to the IDESG and posted on the SALS be accurate. Service Providers listed on the SALS are making public declarations. The IDESG reserves the right to remove any listing information from the SALS in accordance with the SALS Supplemental Terms of Use.


>> Forward to: Application Instructions and Attestation Forms
<< Back to: SALS Application Package
<< Back to: SALS Program