| Date | Description |
| Electronic Voter Registration |
| Sep 11 | EURIM Response to Political and Constitutional Reform Committee Call for evidence: The Government’s proposals on Electoral Administration |
| Mar 11 | Individual Voter Registration - Lessons from Overseas |
| Mar 11 | Individual Voter Registration - Lessons from Overseas Summary |
| Jul 10 | Interim Note on Individual Voter Registration (working draft for discussion only) |
| Jul 10 | Table of responses: electoral registration schemes overseas |
| Identity Governance Papers |
| May 11 | ‘Identity Assurance: when four levels are not four levels’ Discussion Paper by Piotr Cofta. E-authentication involves remote authentication of individuals over a network, for both electronic government and e-commerce. This paper tries to explain possible problems between the government and the industry views of Identity Assurance Levels. These describe the degree to which a relying party in an electronic business transaction can be confident that the identity information presented can be trusted. There are, however, significant differences in the meaning of those levels between the US and the UK, and this paper attempts to provide a mapping between the two approaches, with recommendations to government, working in cooperation with appropriate international and national bodies and with the industry. |
| Feb 11 | Key points of the Identity Governance Subgroup meeting on 23 February – for use in preparing a rough draft for political input |
| Dec 10 | Why world-class Identity Governance is central to UK economic performance |
| Jul 10 | How do they know it is really you? Brief Outline (working draft) |
| May 10 | How do they know it is really you? Draft 3-page Summary (draft for discussion only) |
| Supporting Papers |
We need Information and Identity Governance regimes that
are fit for purpose and attract globally trusted business and
transaction hubs to the UK/EU. It is essential that secure and
proportionate means of asserting identity are available to empower
individuals to manage their electronic identities, including across
borders, and to provide the appropriate level of information for a given
transaction. The BCS Identity Assurance Working Group’s 2012 report
‘Aspects of Identity’
alerts all parties to the urgent need for the development of pragmatic
models that build on the successes of federated trust in international
banking, use of credit and debit cards and use of phones, and in which
liabilities are clearly articulated in contracts and understood by all
parties. |
| |
| Supporting Papers - HMG
Reports and Resources |
1) Trust Services e-Government Strategy Policy
Framework and Guidelines Version 3.0
Published by the Office of the e-Envoy in September
2002, this document describes a set of guidelines for e-government users
to have confidence in the services they use. The trust services enable
the parties to determine who originated the transaction (in which the
real-world identity binds to the electronic identity), whether the
transaction received matches the transaction sent, and whether the
recipient accepted the transaction. |
2) HMG's Minimum Requirements for the Verification of the Identity of
Organisations
Issued by the Office of
the e-Envoy in 2003, this detailed technical document supporting the
Registration & Authentication Framework represents a minor update to the
tScheme guideline for the Verification of the Identity of Organisations
in respect of access to Government services. It describes HMG's minimum
requirements for the validation and verification of an organisation's
identity as part of the process of issuing a digital certificate or a
PIN or Password for use with e-government services. |
3) HMG's Minimum Requirements for the Verification of the
Identity of Individuals
Issued by the Office of the e-Envoy in 2003, this detailed technical
document supporting the Registration & Authentication Framework
represents a minor update to the tScheme guideline for the Verification
of the Identity of Individuals in respect of access to Government
services. It describes HMG's minimum requirements for the validation and
verification of an individual's identity as part of the process of
issuing a digital certificate or a PIN or Password for use with
e-government services. |
4) A National Information Assurance Strategy
(Central Sponsor for Information Assurance - 2007)
The strategy identified three main goals: (i) to
make central and local government better able to deliver public services
through the appropriate use of IT; (ii) to strengthen the UK's national
security by protecting information and information systems at risk of
compromise; and (iii) to enhance the UK's economic and social well-being
as government, businesses and citizens realize the full benefits of IT.
The document noted that only 1% of UK businesses had a
comprehensive approach for identity management. An example of
comment on the strategy can be found at:
www.computerweekly.com/Articles/2007/08/24/226310/National-Information-Assurance-Strategy-is-too-little-too-late-says.htm
|
5) Independent Review of Government Information Assurance (Nick
Coleman, 2008)
Commissioned by Cabinet
Office, the Coleman Report describes the rapid pace of technological
change, leading to information sharing and storage by Government on an
unprecedented scale. It notes the scale of identity fraud
costs to the UK economy, and exposes problems associated with
governance and risk management, with a series of recommendations
on information security governance, accountability, and setting minimum
standards. These include tackling identity management
challenges through mandating the use of privacy impact assessments,
and specifying standards of protection for identity registration,
management and use in government and the wider public sector. |
6 & 7) Data Handling Procedures in Government: Interim and Final Reports
(Cabinet Office, 2007, 2008)
The final report is the outcome of a Prime Ministerial initiative in which
the Cabinet Secretary (Sir Gus O'Donnell), with the advice of security
experts, was asked to work with Departments to ensure that they and all
their agencies check their procedures for the storage and use of data.
The Interim Report, published on 17 December, summarized action taken
across Government and set out initial directions of reform to strengthen
the Government's arrangements. The Final Report summarizes work
conducted in Departments to improve data handling, and sets out how
measures should be put in place, with a new set of minimum mandatory
standards for Departments, including an undertaking to adopt Privacy
Impact Assessments, with standards of protection for identity management
as recommended by the Coleman Report. Information Charters should
improve transparency to the citizen. Improvements in information
security are to be achieved by putting in place:
- core measures to protect personal data and other information across Government;
- a culture that properly values, protects and uses information;
- stronger accountability mechanisms within Departments; and
- stronger scrutiny of performance.
|
8) OGC Procurement Policy Note 2008
This information note provides guidance on Cabinet
Office mandatory requirements for the adoption of OGC model contract
clauses and provisions relating to security (including the vetting and
training of contractor personnel) and information assurance in
contracts. |
9) Empowering
Individuals to Control their Personal Information (report of the Work
Group on User-Centric Identity Management, sponsored by The Information
Commissioner's Office, The Technology Strategy Board, and The Cyber
Security Knowledge Transfer Network)
This 2008 document looks at new user-centric architectures that seek to
give the individual control of their personal information, facilitating
joined-up service delivery while reducing costs and enhancing
personal privacy. The report does not reflect a consensus of all
participants, but it does highlight the need for clear thinking about
organizational boundaries and for fresh approaches to the business and
liability models that underpin information system design. |
10) Challenges and opportunities in identity assurance (Sir James
Crosby, 2008)
Commissioned by Gordon Brown when chancellor to consider
how the public and private sectors might work together in identity
management for their mutual benefit and that of citizens and consumers,
the report sets out 10 principles for the design of a "consumer-driven
universal ID assurance system" scheme. |
11) Employee Authentication Services: Registration Authority
Operators Guide (2008)
This document provides guidance on the use of the EAS Management Server
for registering new users in EAS and enrolling these users for access to
services through EAS. EAS is a two-factor authentication service run by
Government primarily to provide access to Government databases. An
individual is placed onto EAS via a Registration Authority which is an
organisation that authenticates the identity of users and then ‘enrols’
them onto the various services and databases that can be accessed via
EAS. This enables users to access multiple applications through a
unified and validated security platform with a single token.
EAS is a cross-Government project originally led
by the Department of Children Schools and Families and supported by the
Department for Communities and Local Government, the Department for Work
and Pensions and local authorities. EAS delivers a cross-Government
|
12) Safeguarding Identity (Immigration and Passport Service, 2009)
Led by IPS, involving some 12 departments and agencies, and building on
a wide range of contemporary initiatives (including Directgov and the
National Identity Service), 'Safeguarding Identity' aimed to deliver a
common framework for the use and handling of individuals' identity
information. It describes how the ID card and the transformational
government scheme could form a united structure in which personal
information can be passed between departments to deliver citizen-centric
services. |
13) Government ICT Strategy
(January 2010)
This document from the Cabinet Office sets out how
technology will be used to change the way government works. There are 14
strands to the ICT Strategy, which are underpinned by principles that
aim to make the way government works smarter, cheaper and greener. |
14 & 15) RSDOPS Parts 1 and 2 (CESG, July 2010)
The new Requirements for Secure Delivery of Online
Government Services (RSDOPS) documents replace the Information Assurance
Requirements for Transformational Government set. RSDOPS are working
documents that do not currently constitute formal Government policy, but
are published to increase awareness and understanding and to encourage debate
in this area. The CTO Council are in the process of endorsing the RSDOPS
documents to ensure a broader engagement with stakeholders. The aim of
RSDOPS is to take forward the National Information Assurance Strategy,
which places an emphasis on information risk management and recognises
that security measures will be tailored to the specific business needs,
rather than rely on prescriptive standards set by a central authority.
RSDOPS also revises, repositions, and will replace the E-Government
Security Framework. Feedback is now sought to ensure that stakeholders'
views are captured as part of the ongoing development process and, where
appropriate, are used to refine the content.
RSDOPS consists of two parts - Principles (1) and Security Components
(2). Part 1 explains the scope and purpose of the document and related
standards, and legislation. It contains the conceptual model and
technical approach, security expectations of stakeholders and a summary
of security components for incorporation into a security case. Part 2
describes a set of overlapping security components that can be used to
express security requirements for online services. For each component a
set of levels has been defined with increasingly stringent requirements. |
16) HMG Security Policy Framework (May 2010)
The Security Policy Framework represents a new and
innovative approach to protective security and risk management in
government (replacing the Manual of Protective Security), with mandatory
requirements for framing departmental security policies to meet the
specific business needs of the organisation and its delivery
partners. This includes a requirement for departments
and agencies to apply the requirements of the Baseline Personnel
Security Standard to all HMG staff (including the armed forces),
contractors and temporary staff. It is the
reference document for information protectively marked RESTRICTED and
higher and provides the Government guidance for the implementation of
the ISO/IEC 27001 Series of Security Standards. |
17) Technical Risk Assessment (October 2009)
This Standard is a component of
the HMG Security Policy Framework and provides the IA practitioner with
a methodology for risk management. It is
mandatory policy for all HMG Departments and Agencies, and is also
recommended for the wider Public Sector. |
18) The Public Sector Network (PSN) ‘network of networks’ model will
revolutionise the way in which Government departments and agencies
communicate, with a common infrastructure designed to enable local
delivery suited to local needs. The Identity Assurance Strategy (IAS)
drawn up by the PSN core infrastructure team supports both the ICT Strategy
for the public sector and the Cross-Government Identity Management
Strategy, including the core public sector goals detailed in Digital
Britain, Building Britain’s Future, Excellence and Fairness, and the
Operational Efficiency Programme. The IAS covers the authentication,
authorisation and accountability of users, groups, roles, devices,
resources and services, and includes an Annex that gives a basic
interpretation of the 4 levels of Registration and Authentication for
HMG identities. Strategic outcomes, which are described in detail, are
designed to underpin the use and uptake of the PSN and to provide
support for e.g. cloud services; they include deployment of a tiered
authentication model with different levels of trust that are implemented
using both contractual and technical controls. |
19) The ‘Cross-Government Identity Management Strategy for Government
Employees’ drawn up by the Cross-Government Identity Management Working-Group
aims to deliver a single, re-usable user identification and authentication
solution, enabling trusted access to sensitive or classified Government
data conveniently, efficiently and securely across organisational
boundaries. The primary driver is to promote a consistent, interoperable
approach towards Identity Management that will underpin the
cost-effective delivery of public sector services. The strategy
dovetails with the PSN Identity Management strategy to form a cohesive
capability that will enable delivery of key requirements for PSN and
G-Cloud initiatives, including the use of portable identity across
government and eventually the wider delivery and supply chains for
government. |
| |
| Supporting Papers - e-ID in Europe and elsewhere |
1) The lessons of European and Middle Eastern implementations of e-ID
(April 2010)
Interoperable electronic ID has been developed as part of the
“i2010” initiative to create a “Single European Information Space” for
public service delivery across the EU. This will enable European
citizens to access services wherever they may be in Europe. In parallel,
the European Citizen Card (ECC) standard for physical and electronic
performance of cards has been under development, with the first ECC-compliant
cards available in France.
This paper looks at practical experience in both European and
non-European countries in order to learn lessons and facilitate the
roll-out of new national e-ID projects. |
2) European Citizen Card: One Pillar of Interoperable
e-ID Success (October 2008)
The ECC is an open application standard that
provides an interoperable and cross-border e-services solution;
this document describes the advantages of the smart card, especially for
e-ID. |
3) & 4) Coesys Biometric Enrolment Solution (2010) and Enrolment
Solutions for the Public Sector
These solutions have been specifically developed for biometric
enrolment, and can be applied to National e-ID/e-Passport, HealthCard,
Driving License, e-Voter Registration and population registration etc.
Coesys offers a timesaving generic enrolment engine
designed to speed up data capture, to verify an applicant’s identity and
to ensure the quality of data captured. |
5) Computerized voter registration in Benin
documents an ongoing project to create a new
national register in Benin. It will enable reliable authentication of
eligible voters based on digital, mobile, biometric enrolment and
registration to a national database. More information is available at
www.gemalto.com/php/pr_view.php?id=813 |
6) State of the Electronic Identity Market
This Report emphasises the role of
interoperability and credential portability in eID market development,
lists key barriers limiting the growth of the eID market, and provides a
set of recommendations aimed at promoting the development of a mature,
integrated EU27-wide eID ecosystem. |
7) What is missing for interoperability?
This paper examines the
outstanding challenges for cross-border e-ID interoperability in the EU.
Services provided by e-ID projects are based on the key functions of
Identification, Authentication, and digital Signature (IAS), allowing EU
citizens and businesses to benefit from secure electronic identification
that maximizes user convenience while respecting data protection
regulations. However, interoperability between national systems is
crucial in order to facilitate pan-EU mobility and must be based on a
general framework agreed by all member states. The goal is a combination
of interoperability, security and privacy for the introduction of
cross-border e-ID-based services. While the technical means for
interoperability have been demonstrated, the main challenges involve
standards, security, legal and semantic issues. |