Secure Req 1

From IDESG Wiki
Jump to: navigation, search

<< Back to Baseline Functional Requirements Index

SECURE-1. SECURITY PRACTICES

Entities MUST apply appropriate and industry-accepted information security STANDARDS, guidelines, and practices to the systems that support their identity functions and services.

SUPPLEMENTAL GUIDANCE

Entities may satisfy this Requirement by confirming that they (a) have considered existing information security standards, guidelines and practices relevant to their environment; (b) have identified the specific sources of guidance that are appropriate for their operations, in light of the information security risks they face; and (c) have implemented the portions of that guidance they deemed appropriate.

This Requirement does not mandate which information security policies, procedures or technologies an entity should or must use. However, some specific policies and technologies are the subject of other, more specific items elsewhere in this Requirements set.

Entities must have risk-based countermeasures and safeguards in place to resist common threats to identity solutions and identity data, including, for example, Session hijacking; Eavesdropping; Theft; Man-in-the-middle; Online Guessing; Replay; Unauthorized copying or duplication; and Insider Threats.

The security standards, guidelines, and practices employed in digital identity management services, to govern the security of their networks, devices, solutions, and systems, must be both operational and well documented. Please note the applicability of Requirement INTEROP-5 (DOCUMENTED PROCESSES) regarding documentation and best practice INTEROP-BP-G (RECOMMENDED LEGAL COMPLIANCE) regarding limitations imposed by laws. Please note the applicability of best practice INTEROP-BP-F (RECOMMENDED FEDERATION COMPLIANCE) and Requirement INTEROP-6 (THIRD-PARTY COMPLIANCE) regarding limitations arising from the involvement of THIRD-PARTIES such as intermediaries, similar service providers, or FEDERATIONS.

REFERENCES

Potential candidates for adoption include: ISO/IEC 27000 series, PCI-DSS, NIST SP 800-53-4, CSA CCM, COBIT v5, FFIEC (multiple documents), PCI-DSS, NISTIR 7621 R1 (draft)

APPLIES TO ACTIVITIES

REGISTRATION, CREDENTIALING, AUTHENTICATION, AUTHORIZATION, INTERMEDIATION

KEYWORDS

POLICIES, RISK, SECURITY, OPEN-STANDARDS



Quick Links: SALS | Baseline Functional Requirements v1.0 | Glossary |