Search results

  • == The IDEF Self-Assessment Listing Service (SALS) == ...status through self-assessment with a set of common standards for reliable security, privacy, ease of use, cost savings, and user choice and declare their comm
    3 KB (506 words) - 00:00, 24 January 2020
  • ...e their own credentials in protected storage and ask the CSP to verify the security of those credentials. ...e functions of an [electronic] Identity Proofing and Credential Management Service, either in full or as a discrete component (i.e., a sub-set of the function
    3 KB (467 words) - 01:56, 15 May 2020
  • ...ish an integrity (aka health) claim for a device that, together with other security measures, is good evidence of the integrity of the information exchanged wi Integrity has two meanings in computer security. The first relates to the device not having been changed in any way since i
    12 KB (1,835 words) - 20:44, 5 November 2020
  • Service Provider CAs, FCPCA, EGCA) are out of scope. The document provides a detail '''Security''': The document is an information security policy and procedures document.
    2 KB (230 words) - 23:00, 18 February 2021
  • ...non-compulsory and (5) for PII to be protected after the termination of a service. '''Security''': The document is an information security policy.
    3 KB (373 words) - 23:01, 18 February 2021
  • ...ion assertions from another party such as an Identity Provider, Credential Service Provider (CSP), or Trusted Broker. (Sal/Krum) ...rds that UXC is recommending. ISO 29115 has already been submitted by the Security Committee as confirmed by Mary Ellen Condon.
    4 KB (682 words) - 03:58, 28 June 2018
  • ...the Social Security numbers and information as it relates to the military service of a customer. Draft legislation has been put together that covers how an o ...t access to the Social Security is the Holy Grail. Someone gets the Social Security number and then they can find out all kinds of information about the person
    7 KB (1,073 words) - 03:58, 28 June 2018
  • ==SECURITY COMMITTEE / FUNCTIONAL MODEL MEETING NOTES - '''''draft'''''== *Review security requirements. #1 through #10 discussed in earlier meetings. However, ther
    2 KB (280 words) - 03:58, 28 June 2018
  • ==SECURITY COMMITTEE / FUNCTIONAL MODEL MEETING NOTES - '''draft'''== #**Andrew - this can be an extension of Authentication service
    5 KB (753 words) - 03:58, 28 June 2018
  • ...? What if we created a graph and called out UXC issues around privacy and security around organizations vs individuals. ...rement. “Service providers in the ecosystem follow recognized information security standards, frameworks, and/or appropriate practices.” We could include s
    7 KB (1,070 words) - 03:58, 28 June 2018
  • ...number of actors involved in the process. It describes a case in which a Service Provider obtains information about a User sufficient to make an access cont ...ies and often dictates a specific authentication solution in order for the service provider to authenticate the user.
    7 KB (1,007 words) - 03:58, 28 June 2018
  • ##Credential Service Provider (CSP) (A trusted entity hosting a subset of the above roles.) (aka ###Service (silicon based life form, like a newsfeed)
    8 KB (1,315 words) - 19:29, 30 July 2020
  • <center>'''National Security Telecom Advisory Comm.(NSTAC) Report to the President on Identity Managemen <center>'''Oasis: Glossary for the OASIS Security Assertion Markup Language (SAML) V2.0'''</center>
    845 KB (86,833 words) - 04:00, 28 June 2018
  • <center>'''National Security Telecom Advisory Comm.(NSTAC) Report to the President on Identity Managemen <center>'''Oasis: Glossary for the OASIS Security Assertion Markup Language (SAML) V2.0'''</center>
    135 KB (15,051 words) - 04:00, 28 June 2018
  • National Security Telecommunications Advisory Committee (NSTAC) Report to the President on Id Sample agreement between “relying party” and “credential service provider.”
    13 KB (1,562 words) - 04:00, 28 June 2018
  • ...ing Party (RP) role. This case is specifically designed to include general security, privacy and user experience criteria that will apply by default to all oth ...organization acting through a user agent that needs to access resources of service providers (RPs).
    5 KB (810 words) - 04:00, 28 June 2018
  • This design pattern assumes the use of a device connected to internet service providers as described in the [[Common to any Internet Identity Ecosystem]] ...):''' A service provider that needs a collection of claims to provide that service. The claims may relate to financial responsibility or other user attributes
    10 KB (1,596 words) - 20:11, 15 October 2019
  • == Terms and definitions specific to the IDESG Self-Assessment Listing Service (SALS) in 2016 == ...that exists, e.g., a person, organization, device, software application or service.
    11 KB (1,758 words) - 04:00, 28 June 2018
  • '''Title''': Security Assertion Markup Language (SAML) 2.0 Web Browser Single Sign-on (SSO) Profi '''Security''': The document is an information security profile. It requires IdPs and RPs to use "approved cryptographic
    2 KB (214 words) - 04:00, 28 June 2018
  • A product, service, environment or facility which is usable by USERs with the widest range of A non-human application or service acting in the digital environment on behalf of a human USER. Synonymous wi
    11 KB (1,496 words) - 23:48, 5 September 2020
  • This use case helps the IRS determine whether a taxpayer's Social Security Number is being used fraudulently in a tax return. It does this by checking Internal Revenue Service, Social Security Administration, commercial tax preparation software vendors
    10 KB (1,744 words) - 17:43, 25 May 2019
  • ...ategories and controls that can be implemented by a public cloud computing service provider acting as a PII processor. It has the following objectives. — To help the public cloud service provider to comply with applicable obligations when acting as a PII process
    4 KB (531 words) - 04:00, 28 June 2018
  • ...private and subject to protections. A high-security pseudonymous identity service (for example a dating website) could verify attributes such as legal names
    2 KB (255 words) - 04:00, 28 June 2018
  • ...the benefit of the user, not solely for the benefit of the web site of the service provider. The challenge will be to find a way to fund solutions to problems ...ony]] with an Identity or Attribute Provider that has an IDESG Trustmark. (security committee priority 1)
    12 KB (1,958 words) - 17:45, 25 May 2019
  • ...and behaviors, while the data in the [[User Object]] held in some internet service will never contain more than a small subset of those attributes. The model ...entities is considered to be an independent browser. Web apps supplied by service providers are not fully explored in this version.
    56 KB (9,154 words) - 00:16, 30 October 2020
  • ...gram state, it reduces user errors and surprises. A good GUI provides this service. Using an interactive program is like being a doctor trying to navigate a p ...ers deserve. After all the greatest hassle for users is created when their security or privacy are breached. While interoperability is seldom raised as a user
    8 KB (1,351 words) - 21:37, 27 March 2020
  • Identity Proofing is the process by which a Credential Service Provider (CSP) and a Registration Authority (RA) collect and verify informa * Credential Service Provider.
    3 KB (328 words) - 21:41, 10 January 2020
  • '''Security''': ...[[Public Key Infrastructure]], [[Relying Party]], [[Resource Provider]], [[Service Provider]], [[Shibboleth]], [[Sponsored Partner]], [[Support Contact]], [[T
    2 KB (205 words) - 04:01, 28 June 2018
  • '''Security''': The document is an information security assurance framework. ...he document promotes interoperability by specifying the requirements for a service to operate at the
    2 KB (203 words) - 21:48, 10 January 2020
  • '''Security''': The document is an information security profile at OMB-04-04 levels of assurance 1 and 2. ...he document promotes interoperability by specifying the requirements for a service to operate at the
    1 KB (156 words) - 04:01, 28 June 2018
  • ...ibilities and the parameters of those requirements and responsibilities to Service Providers in online transactions. At more detailed and granular layers as d ...rinciples and created from a bi-direction approach balancing human user and service provider requirements, desires, and benefits.
    13 KB (1,906 words) - 19:16, 2 July 2021
  • ...erent entities/roles (IdP, RP, User, etc.) that require different privacy, security, UX and other considerations. ...Such considerations will create a context for deriving requirements – like security requirements, UX requirements, and privacy requirements, so on.
    6 KB (888 words) - 04:01, 28 June 2018
  • Entities that act as [[IDEF Glossary THIRD PARTIES|THIRD-PARTY]] service providers for another entity, in conducting [[IDEF Glossary DIGITAL IDENTIT ...service provider. For purposes of this Requirement, the term "THIRD-PARTY service provider" refers to THIRD-PARTIES that an assessed entity outsources or del
    3 KB (451 words) - 04:01, 28 June 2018
  • *Standards – ISO 29115 has already been submitted by the Security Committee. **Self-Assessment Listing Service (SALS) will be up soon for examination and Sal requested that UXC review an
    3 KB (391 words) - 04:01, 28 June 2018
  • ==SECURITY COMMITTEE / FUNCTIONAL MODEL MEETING NOTES== #**** A service provider can hold more than one role
    4 KB (608 words) - 04:02, 28 June 2018
  • ==SECURITY COMMITTEE / FUNCTIONAL MODEL MEETING NOTES - '''''draft'''''== ...and Ryan Galluzzo. The task force will bring their findings to the broader Security Committee once they are finished. Again, if anyone joins the call outside o
    3 KB (454 words) - 04:02, 28 June 2018
  • ...e''': Identity Assurance Framework: Additional Requirements for Credential Service Providers: US Federal ...ia supplement the Kantara IAF level of assurance requirements found in the Service
    848 bytes (97 words) - 00:51, 31 May 2020
  • the Service Assessment Criteria (SAC), which establishes baseline criteria for general '''Security''':
    1 KB (128 words) - 04:02, 28 June 2018
  • '''Security''': The document defines terms used in a security assurance framework. ...[[Security]], [[Service Assessment Criteria]], [[Signatory]], [[Specified Service]], [[Subject]], [[Subscriber]], [[Threat]], [[Token]]
    2 KB (217 words) - 04:02, 28 June 2018
  • ...ments which will benefit both Kantara- accredited Assessors and Credential Service Providers having their services assessed against the IAF Service Assessment Criteria (SAC)
    1 KB (119 words) - 04:02, 28 June 2018
  • '''Title''': Identity Assurance Framework: Service Assessment Criteria ...rainitiative.org/confluence/download/attachments/45057040/Kantara+IAF-1400-Service+Assessment+Criteria.pdf
    653 bytes (65 words) - 04:02, 28 June 2018
  • ==SECURITY COMMITTEE NOTES - '''''draft'''''== **Final Security Requirements are due March 16.
    3 KB (478 words) - 04:02, 28 June 2018
  • ==SECURITY COMMITTEE MEETING NOTES - '''''draft'''''== **Requirement #10: Outcome based requirement statement, updated to: Service provider employs secure authentication on protocols for the purpose of demo
    2 KB (325 words) - 04:02, 28 June 2018
  • ==SECURITY COMMITTEE / FUNCTIONAL MODEL MEETING NOTES == *Process FMO Security Requirements feedback
    3 KB (448 words) - 04:02, 28 June 2018
  • ==SECURITY COMMITTEE / FUNCTIONAL MODEL MEETING NOTES == #Security Committee officer elections
    7 KB (1,007 words) - 04:02, 28 June 2018
  • ==SECURITY COMMITTEE / FUNCTIONAL MODEL MEETING NOTES - '''''draft'''''== *Confirm finalized security requirements (confirmation, not detailed discussion)
    3 KB (485 words) - 04:02, 28 June 2018
  • * Privacy, Security, Standards, User Experience, met to discuss requirements coordination. Furt ...rite requirements that cover material changes to services after an initial service agreement is established
    1 KB (190 words) - 04:02, 28 June 2018
  • ...ng how complete/accurate/timely data is that they collect to provide their service. How do we provide guidance to companies based on risk of that transaction ...tion in the Identity Ecosystem, organizations shall, while maintaining the security of individuals’ information, transfer it upon their request and destroy i
    2 KB (278 words) - 04:02, 28 June 2018
  • '''Category''': Security Requirements Specification '''Description''': Part of the Security Content Automation Protocol (SCAP), Asset Identification is a language for
    2 KB (204 words) - 04:02, 28 June 2018
  • '''Category''': Security Control Implementation Guide '''Security''': The document is an information security guideline. The requirements in the document are grouped into four
    4 KB (459 words) - 23:02, 18 February 2021
  • '''Security''': ...rust Identity]], [[Security Token]], [[Signed Security Token]], [[Unsigned Security Token]], [[Proof-of-possession]], [[Integrity]], [[Confidentiality]], [[Dig
    1 KB (112 words) - 04:02, 28 June 2018
  • '''Title''': Glossary for the OASIS Security Assertion Markup Language (SAML) V2.0 '''URL''': http://docs.oasis-open.org/security/saml/v2.0/saml-glossary-2.0-os.pdf
    2 KB (226 words) - 04:02, 28 June 2018
  • RFC 6819, OAuth 2.0 Threat Model and Security Considerations service, either on behalf of a resource owner by orchestrating an approval interact
    2 KB (193 words) - 21:30, 24 July 2020
  • ==SECURITY COMMITTEE / FUNCTIONAL MODEL MEETING NOTES - '''''draft'''''== *David Temoshok reviewed the SALS Program Overview with the Security Committee.
    7 KB (1,031 words) - 04:02, 28 June 2018
  • ...ovider which can exist either as a part of the user agent or in some cloud service. This use case considers the former implementation. In either implementatio ...(RP): A service provider that needs a collection of claims to provide that service. The claims may relate to financial responsibility or other user attributes
    12 KB (2,056 words) - 20:35, 27 November 2019
  • ...(RP): A service provider that needs a collection of claims to provide that service. The claims may relate to financial responsibility or other user attributes ...hnologies that may be used by the relying party and the various providers. Security Token Services typically provide token translation services. For example s
    14 KB (2,167 words) - 01:45, 15 May 2021
  • ...stry compatible database. Searches can be done on services, companies, and service category. The method describes how people can determine the current members ...to rely on certain assertions by other actors to fulfill their information security requirements." In this document the objective is simply to allow two digita
    21 KB (3,285 words) - 23:37, 15 January 2020
  • ...to provide identification or personal information to gain access to a web service. This pattern specifically focuses on the interaction with a relying party ...Party (RP):''' An entity that needs a collection of claims to provide that service; the RP might rely on a collection of claims from different identity or att
    24 KB (3,856 words) - 16:05, 16 December 2021
  • ...t calculate the tradeoffs among security, privacy, and gaining access to a service they desire." Page 12
    8 KB (1,190 words) - 16:21, 27 May 2020
  • * [https://playbook.cio.gov/ U.S. Digital Service Digital Playbook] ...2016/NIST.IR.8080.pdf NIST Interagency Report (NISTIR) 8080, Usability and Security Considerations for Public Safety Mobile Authentication]
    7 KB (944 words) - 20:05, 11 April 2018
  • ...this community as well as greater social cohesion and internet-wide cyber-security. 6 Any Relying Party or Service Provider in the IDESG Identity Ecosystem that complies with the NSTIC princ
    13 KB (1,990 words) - 21:48, 5 December 2020
  • This design pattern assumes the use of a device connected to internet service providers as described in the [[Design Pattern: Common to any Internet Iden ...):''' A service provider that needs a collection of claims to provide that service. The claims may relate to financial responsibility or other user attributes
    17 KB (2,712 words) - 19:20, 28 November 2021
  • *Terms of Service and Privacy Statements are shown on user sites and occasionally positive us *Organizations, such as financial institutions, offer a service to give user notification of specific status changes, which the user is typ
    13 KB (2,151 words) - 00:14, 30 October 2020
  • This design pattern assumes the use of a device connected to internet service providers as described in the [[Design Pattern: Common to any Internet Iden ...):''' A service provider that needs a collection of claims to provide that service. The claims may relate to financial responsibility or other user attributes
    9 KB (1,467 words) - 20:46, 9 September 2018
  • ...other service providers that interact with the user. Connections that the service providers have beyond the user connection are not indicated as all data sen This design pattern assumes the use of a device connected to internet service providers as described in the [[Design Pattern: Common to any Internet Iden
    11 KB (1,838 words) - 16:48, 19 January 2016
  • ...th a community identity card so they are welcomed as part of the community service system that coordinates social services. ...for them to use to assert their identity; the process will be privacy and security compliant.
    3 KB (399 words) - 18:50, 13 May 2020
  • ...ile] of the NIST cyber-security framework should serve as both a source of security assurance as well as a paradigm of federated frameworks that we could use i ...U provides a trust framework with qualified trust service providers. These service providers can issue both server and client certificates and there are vario
    5 KB (813 words) - 15:47, 26 November 2018
  • ...in the covered health care providers (aka the [[Electronic Health Record]] service). ...ns or, in some cases, all residents. The US has determined that the social security number (SSN) is not a secure means of identification and has mandated that
    18 KB (2,580 words) - 18:52, 7 December 2020
  • ...cosystem]]s this plan lays out how to address specific community needs for security, privacy, interoperability and user experience. It is expected that all com A user-friendly online query service that will give users actionable information about compliant participants.
    7 KB (988 words) - 21:22, 15 December 2018
  • ...cols, etc.). DIDs point to DID Documents. A DID Document contains a set of service endpoints for interacting with the entity." The primary difference between Security
    2 KB (365 words) - 23:09, 13 December 2018
  • * The immediate goal is that the user of the web platform service recognize the value of conformance to the framework profile. *Application - a collection of software that provides a service to entities, both digital and (through agents) real-world.
    7 KB (1,184 words) - 04:47, 23 August 2020
  • ...s an assurance of its own identity, provenance and policies as well as the security configuration of the device it is running on. ===Security===
    4 KB (509 words) - 19:24, 4 May 2020
  • ## Testing must include all 4 IDEF components of: Security, Privacy, User Experience and Interoperability. ...tested. This requirement likely goes beyond a strict reading of the HIPAA security requirements.
    28 KB (4,415 words) - 17:28, 21 March 2021
  • ...etrics, disease history, whatever (maybe even the old standard, the social security number). ...YOD) to work environments. In all cases the enterprise will have from some security, possibly even remote wipe capability, for the phone. In other words, the e
    19 KB (3,008 words) - 20:23, 20 March 2021
  • ...nitial consent and a method for notification from a subject to any digital Service Provider. ...sent receipt and authorization in response to this message which meets the security requirements of the intended purpose.
    14 KB (2,250 words) - 01:29, 23 December 2020
  • ...e entity to any other registered covered entity. (For the [[Record Locator Service]].) The services that they provide are listed below. # Specific physical location where service was provided to a patient. (eg Pine Lake Office of Swedish Physicians) (aka
    19 KB (2,997 words) - 01:34, 18 February 2021
  • ...user puts the agent on the smart phone, in that case the user lets a cloud service be their agent. #The auditor that verifies the functionality of the Remote Attestation Service.
    14 KB (2,290 words) - 21:36, 30 March 2020
  • ...to the [[Remote Attestation Use Case]]. In this case the user lets a cloud service be their agent, in that case the user puts the agent on the smart phone. ...ormation, for example, medical records for an [[Electronic Health Record]] service. The sink of the user data.
    13 KB (2,156 words) - 18:55, 7 December 2020
  • independently of the service provider infrastructure pretext that it will be protected by terms of service and
    17 KB (2,526 words) - 01:18, 21 February 2020
  • ...e user agrees to share some private, sensitive information from a resource service to a new partner web site. [[Category:Security]]
    3 KB (550 words) - 22:57, 18 February 2021
  • ...g on new or existing contractual relationships bolstered by negotiation of security and other technical details. Such an approach is not scalable, however, as #[[Record Locator Service]](RLS) = provides the ability to identify where records are located based u
    5 KB (803 words) - 22:49, 26 April 2021
  • #[[Record Locator Service]](RLS) = provides the ability to identify where records are located based u #Patient queries a known Medical [[Record Locator Service]] (MRLS) to see what sites have his data online and accessible. (Always opt
    7 KB (1,230 words) - 04:07, 19 May 2020
  • # [[Credential Service Provider]] # Security
    7 KB (1,033 words) - 23:32, 20 May 2020
  • ...s and entities to comply with the same standards that apply to the fee for service programs. The CMS Interoperability and Patient Access final rule requires c ...0] is a specification under development in Kantara for apps to prove their security to the relying party.
    7 KB (971 words) - 16:33, 30 April 2021
  • ...ience]] will be through the web browser as the most common user agent, for security purposes the experience of the native app cannot be sacrificed to a good br ...the usual visual trust mechanisms may be bypassed (e.g., Transport Layer Security (TLS) confirmation, web site mechanisms). By using an embedded or internal
    7 KB (1,136 words) - 20:39, 8 September 2020
  • This is designed to be the source document for a Service Assessment Criteria for apps that are used in user, patient or delegate app ...urity, which provides that personal data should be protected by reasonable security safeguards against such risks as loss, unauthorized access, destruction, us
    4 KB (622 words) - 01:31, 18 February 2021
  • ...n report that the app will be sufficiently responsive to patient needs for security and privacy. This is a proposal to seek funding from the US HHS ONC to buil ## The security of the user's private data in transit and at rest on the app.
    11 KB (1,637 words) - 23:44, 10 November 2020
  • ...th requirements for travel that are collected from among many [[Credential Service Provider]]s. For example: acceptable proofs might include: # [[Credential Service Provider]] can generate a health travel credential from Patient Health Info
    13 KB (1,954 words) - 00:52, 4 May 2021
  • ...e entity to any other registered covered entity. (For the [[Record Locator Service]].) The services that they provide are listed below. ...- usually loss of access to one or more EHR - access to the record locator service might be the best place to address.
    20 KB (3,074 words) - 22:40, 21 March 2021
  • ...Planns, of the Department of Homeland Security (DHS) has issued a RFC] for security standards and requirements to enable Federal agencies to accept them if com **This includes comments relating to the economic, privacy, security, environmental, energy, or federalism impacts that might result from a futu
    30 KB (4,866 words) - 16:56, 9 June 2021
  • A proposal is in process to extend the Service Assessment Criteria for NIST SP 800-63 into a Trust Registry API for Mobile * Report on the level of security of user secrets (e.g. Private keys and other credentials). Hardware versus
    8 KB (1,238 words) - 16:37, 26 August 2021