Secure Req 2
<< Back to Baseline Functional Requirements Index
SECURE-2. DATA INTEGRITY
Entities MUST implement industry-accepted practices to protect the confidentiality and integrity of identity data - including authentication data and attribute values - during the execution of all digital identity management functions, and across the entire data lifecycle (collection through destruction).
The execution of all identity transactions and functions must make use of transport that offers confidentiality and integrity protection (e.g., properly configured TLS).
Where operations and functions are executed by separate organizations, secure transport mechanisms and business processes must be used to preserve the confidentiality and integrity of identity data being transmitted to and stored by service providers.
Authentication data (e.g., passwords and passphrases) must be properly protected through industry accepted cryptographic techniques (e.g., salted and hashed).
Sensitive data collected during identity transactions must be protected at all times using industry accepted practices for encryption and data protection.
Appropriate access control measures must be in place to ensure access to identity data is restricted to only authorized users with a need to know. Appropriate access control measures including multifactor authentication must be in place to ensure that access to identity data by data custodians is restricted to users responsible for administering and maintaining the data. See SECURE-8 (MULTIFACTOR AUTHENTICATION). All access to identity data must be securely logged and separation of duties should be considered as a means to further limit access. See SECURE-14 (SECURITY LOGS).
Please note, the IDESG Privacy Requirements (PRIVACY-1 through PRIVACY-15) also impose separate requirements on the handling and storage of identifiers attributes and credentials.
FICAM TFPAP Trust Criteria, LOA 1-3, Multiple Sections, PCI-DSS (actually Requirement 7 & 8 – pages 61-72), ISO 27002 (2005) Sec. 11, FFIEC, Wholesale Payment System Booklet, http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_WholesalePaymentSystems.pdf