Interop Req 6
<< Back to Baseline Functional Requirements Index
INTEROP-6. THIRD-PARTY COMPLIANCE
Entities that act as THIRD-PARTY service providers for another entity, in conducting digital identity management functions, must comply with each of the applicable IDESG Baseline Requirements that apply to that other entity and those relevant functions.
This Requirement applies to outsourcing or delegation of digital identity management functions or transactions to THIRD-PARTIES. An entity assessing its compliance with the applicable IDESG Baseline Requirements must also apply them to the functions or transactions carried out on its behalf by a service provider. For purposes of this Requirement, the term "THIRD-PARTY service provider" refers to THIRD-PARTIES that an assessed entity outsources or delegates to perform digital identity management functions on behalf of the assessed entity.
In some FEDERATIONS, the federation itself may also act as an intermediary or service provider for participant entities in some identity management functions, and thereby be subject to this requirement.
Cloud computing service providers providing data storage or other services for an entity may also be within the scope of this Requirement, depending on the functions performed on behalf of the assessed entity, and the provider's access to the data handled on behalf of the assessed entity. See comments about "data storage companies" in the Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the HITECH Act (2013), Final Rule comments on HITECH Act Section 13408: http://federalregister.gov/a/2013-01073.
Regarding "digital identity management functions", see Appendix A.
Reference for cloud computing processors of personal information: ISO/IEC 27018 (2014): Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors. http://www.iso.org/iso/catalogue_detail.htm?csnumber=61498, and https://www.iso.org/obp/ui/#iso:std:iso-iec:27018:ed-1:v1:en
Reference example of intermediaries and similar subcontractors or service agencies who fulfill data transactions for others, and take responsibility for their compliance with various requirements: see "Business Associate" regulations in the HIPAA Privacy Regulations: 45 CFR Parts 160 and 164, §§ 160.103, 164.502(a)(3), (a)(4) and (e); and the treatment of "Clearinghouse" functions in § 164.500(b) : http://www.ecfr.gov/cgi-bin/text-idx?node=pt45.1.164&rgn=div5