Example Requirements for UXC Review
Example Requirements
Compiles for UXC to facilitate development of UXC requirements
-- Developed by Ellen Nadeau
Interoperability Requirements
- Pulled from original NSTIC derived requirements
Requirement: Organizations shall accept external users authenticated by third parties.
Requirement: Organizations shall adopt common business policies and processes (e.g., liability, identity proofing, and vetting) related to the transmission, receipt, and acceptance of data between systems.
Privacy Committee Requirements
- Developed by privacy committee
Requirement: Organizations shall provide concise, meaningful, timely, and easy-to-understand mechanisms to end-users on how they collect, use, disseminate, and maintain personal information.
Requirement: When terminating business operations or overall participation in the Identity Ecosystem, organizations shall, while maintaining the security of individuals' information, transfer it upon their request and destroy it unless they request otherwise.
Security Committee Requirements
- Developed by security committee
Requirement: User control of the credential and associated token is proven during the authentication process.
Supplemental information/guidance: Successful authentication requires that the user prove, through a secure authentication protocol, that he or she controls the credential and associated token(s).
Requirement: The confidentiality and integrity of shared secrets are protected. Shared Secrets are never stored in plaintext.
Supplemental information/guidance:
The execution of all identity transactions and functions should make use of transport that offers confidentiality and integrity protection such as a secure (encrypted) transport.
Sensitive data collected during identity transactions should be protected at all times using industry accepted practices for encryption and data protection.
Where operations and functions are executed by separate organizations, secure transport mechanisms and business processes should be used to preserve the confidentiality and integrity of identity data being transmitted to and stored by service providers.
Entities should have countermeasures and safe-guards in place to resist common threats to identity solutions and identity data, including (but not limited to):
- Session hijacking
- Eavesdropping
- Theft
- Man-in-them-middle
- Online Guessing
- Replay
- Unauthorized copying or duplication