EURIM
Identity Governance Subgroup
Introduction
The aim is to put current initiatives (including regulatory and legislative ones) into the context of achievable policies and to improve understanding, on the part of both government (politicians and officials) and citizens, of how these could and should be used to deliver better service as well as to help control fraud and other crime.
Terms of reference are being drafted in the light of the highly welcome central government adoption of the principles of federated identity (IPS Safeguarding Identity Strategy).
Experiences of Identity Governance
IdenTrust's Trust Network
The Trust Network is a worldwide scheme for the provision of high-assurance trusted e-Identity credentials issued through the world's banks. The Trust Network provides a scalable distributed architecture capable of underpinning multiple applications across multiple networks and multiple jurisdictions. The IdenTrust Trust Network is recognized and used by corporates, governments and banks around the world as a framework which provides for interoperability of e-signatures across geographies, industry verticals, products and supply chains. The Network is supported by a contract-based liability management structure which enables the effective management of the significant operational risks related to the issuance of, and the reliance upon, electronic credentials in a networked world, both domestically and globally, which attest to the fundamental requirement of "Are you really who you say you are?". It is core to each stage of 21st century transaction management processes (including, but also preceding, the payment which invariably forms the conclusion to any transaction).
www.identrust.com
JANET operates the UK Access Management Federation for Education and Research. A Policy Board ensures that the federation's policies are implementable within JANET(UK)'s legal framework. Organisations may join as an Identity Provider (e.g. a university or local authority), or as a Service Provider (e.g. a publisher or content provider), or as both. The federation uses the standards-based Shibboleth software, which defines a common framework for access management and governance that is being adopted by education and commercial sectors across the world. More details of the federation and framework are available at
http://www.jisc.ac.uk/aboutus/committees/workinggroups/federationpolicy.aspx
and at:
http://shibboleth.internet2.edu/
Shibboleth's policy framework will also allow inter-operation within the higher education community. An illustrated explanation of how Shibboleth works can be found at
http://www.ukfederation.org.uk/content/Documents/HowItWorks.
Although Shibboleth has been designed primarily for secure access to web resources, work is ongoing to extend the framework for institutional authentication and authorisation.
The Global Trust Council is an international organisation that introduces innovative human rights in the digital world. They bridge the gap and reaffirm the rights between the physical and digital worlds. The GTC framework enables users and legal entities to protect their intellectual property rights, and makes them legally responsible for their actions in digital interactions.
www.globaltrustcouncil.org
Subgroup Outputs
Electronic Voter Registration
| Date | Description |
| Jul 10 | Interim Note on Electronic Voter Registration (working draft for discussion only) |
| Jul 10 | Table of responses: electoral registration schemes overseas |

Identity Governance Papers
| Date | Description |
| Jul 10 | How do they know it is really you? Brief Outline (working draft) |
| May 10 | How do they know it is really you? Draft 3-page Summary (draft for discussion only) |
| May 10 | How do they know it is really you? Draft 1-page Flyer (draft for discussion only) |
Supporting Papers - HMG Reports and Resources
1) Trust Services e-Government Strategy Policy Framework and Guidelines Version 3.0
Published by the Office of the e-Envoy in September 2002, this document describes a set of guidelines for e-government users to have confidence in the services they use. The trust services enable the parties to determine who originated the transaction (in which the real-world identity binds to the electronic identity), whether the transaction received matches the transaction sent, and whether the recipient accepted the transaction.
2) HMG's Minimum Requirements for the Verification of the Identity of Organisations
Issued by the Office of the e-Envoy in 2003, this detailed technical document supporting the Registration & Authentication Framework represents a minor update to the tScheme guideline for the Verification of the Identity of Organisations in respect of access to Government services. It describes HMG's minimum requirements for the validation and verification of an organisation's identity as part of the process of issuing a digital certificate or a PIN or Password for use with e-government services.
3) HMG's Minimum Requirements for the Verification of the Identity of Individuals
Issued by the Office of the e-Envoy in 2003, this detailed technical document supporting the Registration & Authentication Framework represents a minor update to the tScheme guideline for the Verification of the Identity of Individuals in respect of access to Government services. It describes HMG's minimum requirements for the validation and verification of an individual's identity as part of the process of issuing a digital certificate or a PIN or Password for use with e-government services.
4) A National Information Assurance Strategy (Central Sponsor for Information Assurance - 2007)
The strategy identified three main goals: (i) to make central and local government better able to deliver public services through the appropriate use of IT; (ii) to strengthen the UK's national security by protecting information and information systems at risk of compromise; and (iii) to enhance the UK's economic and social well-being as government, businesses and citizens realize the full benefits of IT. The document noted that only 1% of UK businesses had a comprehensive approach for identity management. An example of comment on the strategy can be found at:
www.computerweekly.com/Articles/2007/08/24/226310/National-Information-Assurance-Strategy-is-too-little-too-late-says.htm
5) Independent Review of Government Information Assurance (Nick Coleman, 2008)
Commissioned by the Cabinet Office, the Coleman Report describes the rapid pace of technological change, leading to information sharing and storage by Government on an unprecedented scale. It notes the scale of identity fraud costs to the UK economy, and exposes problems associated with governance and risk management, with a series of recommendations on information security governance, accountability, and setting minimum standards. These include tackling identity management challenges through mandating the use of privacy impact assessments, and specifying standards of protection for identity registration, management and use in government and the wider public sector.
6 & 7) Data Handling Procedures in Government: Interim and Final Reports (Cabinet Office, 2007, 2008)
The final report is the outcome of a Prime Ministerial initiative in which the Cabinet Secretary (Sir Gus O'Donnell), with the advice of security experts, was asked to work with Departments to ensure that they and all their agencies check their procedures for the storage and use of data. The Interim Report, published on 17 December, summarized action taken across Government and set out initial directions of reform to strengthen the Government's arrangements. The Final Report summarizes work conducted in Departments to improve data handling, and sets out how measures should be put in place, with a new set of minimum mandatory standards for Departments, including an undertaking to adopt Privacy Impact Assessments, with standards of protection for identity management as recommended by the Coleman Report. Information Charters should improve transparency to the citizen. Improvements in information security are to be achieved by putting in place:
- core measures to protect personal data and other information across Government;
- a culture that properly values, protects and uses information;
- stronger accountability mechanisms within Departments; and
- stronger scrutiny of performance.
8) OGC Procurement Policy Note 2008
This information note provides guidance on Cabinet Office mandatory requirements for the adoption of OGC model contract clauses and provisions relating to security (including the vetting and training of contractor personnel) and information assurance in contracts.
9) Empowering Individuals to Control their Personal Information (report of the Work Group on User-Centric Identity Management, sponsored by The Information Commissioner's Office, The Technology Strategy Board, and The Cyber Security Knowledge Transfer Network)
This 2008 document looks at new user-centric architectures that seek to give the individual control of their personal information, facilitating joined-up service delivery while reducing costs and enhancing personal privacy. The report does not reflect a consensus of all participants, but it does highlight the need for clear thinking about organizational boundaries and for fresh approaches to the business and liability models that underpin information system design.
10) Challenges and opportunities in identity assurance (Sir James Crosby, 2008)
Commissioned by Gordon Brown when Chancellor to consider how the public and private sectors might work together in identity management for their mutual benefit and that of citizens and consumers, the report sets out 10 principles for the design of a "consumer-driven universal ID assurance system".
11) Employee Authentication Services: Registration Authority Operators Guide (2008)
This document provides guidance on the use of the EAS Management Server for registering new users in EAS and enrolling these users for access to services through EAS. EAS is a two-factor authentication service run by Government primarily to provide access to Government databases. An individual is placed onto EAS via a Registration Authority, which is an organisation that authenticates the identity of users and then 'enrols' them onto the various services and databases that can be accessed via EAS. This enables users to access multiple applications through a unified and validated security platform with a single token.
EAS is a cross-Government project originally led by the Department for Children, Schools and Families and supported by the Department for Communities and Local Government, the Department for Work and Pensions and local authorities. EAS delivers a cross-Government
12) Safeguarding Identity (Immigration and Passport Service, 2009)
Led by IPS, involving some 12 departments and agencies, and building on a wide range of contemporary initiatives (including Directgov and the National Identity Service), 'Safeguarding Identity' aimed to deliver a common framework for the use and handling of individuals' identity information. It describes how the ID card and the transformational government scheme could form a united structure in which personal information can be passed between departments to deliver citizen-centric services.
13) Government ICT Strategy (January 2010)
This document from the Cabinet Office sets out how technology will be used to change the way government works. There are 14 strands to the ICT Strategy, which are underpinned by principles that aim to make the way government works smarter, cheaper and greener.
14 & 15) RSDOPS Parts 1 and 2 (CESG, July 2010)
The new Requirements for Secure Delivery of Online Government Services (RSDOPS) documents replace the Information Assurance Requirements for Transformational Government set. RSDOPS are working documents that do not currently constitute formal Government policy, but are published to increase awareness and understanding and to encourage debate in this area. The CTO Council are in the process of endorsing the RSDOPS documents to ensure a broader engagement with stakeholders. The aim of RSDOPS is to take forward the National Information Assurance Strategy, which places an emphasis on information risk management and recognises that security measures will be tailored to the specific business needs, rather than relying on prescriptive standards set by a central authority. RSDOPS also revises, repositions, and will replace the E-Government Security Framework. Feedback is now sought to ensure that stakeholders' views are captured as part of the ongoing development process and, where appropriate, are used to refine the content.
RSDOPS consists of two parts: Principles (Part 1) and Security Components (Part 2). Part 1 explains the scope and purpose of the document and related standards and legislation. It contains the conceptual model and technical approach, the security expectations of stakeholders, and a summary of security components for incorporation into a security case. Part 2 describes a set of overlapping security components that can be used to express security requirements for online services. For each component a set of levels has been defined with increasingly stringent requirements.
16) HMG Security Policy Framework (May 2010)
The Security Policy Framework represents a new and innovative approach to protective security and risk management in government (replacing the Manual of Protective Security), with mandatory requirements for framing departmental security policies to meet the specific business needs of the organisation and its delivery partners. This includes a requirement for departments and agencies to apply the requirements of the Baseline Personnel Security Standard to all HMG staff (including the armed forces), contractors and temporary staff. It is the reference document for information protectively marked RESTRICTED and higher and provides the Government guidance for the implementation of the ISO/IEC 27001 series of security standards.
17) Technical Risk Assessment (October 2009)
This Standard is a component of the HMG Security Policy Framework and provides the IA practitioner with a methodology for risk management. It is mandatory policy for all HMG Departments and Agencies, and is also recommended for the wider Public Sector.
Supporting Papers - e-ID in Europe and elsewhere
1) The lessons of European and Middle Eastern implementations of e-ID (April 2010)
Interoperable electronic ID has been developed as part of the "i2010" initiative to create a "Single European Information Space" for public service delivery across the EU. This will enable European citizens to access services wherever they may be in Europe. In parallel, the European Citizen Card (ECC) standard for physical and electronic performance of cards has been under development, with the first ECC-compliant cards available in France.
This paper looks at practical experience in both European and non-European countries in order to learn lessons and facilitate the roll-out of new national e-ID projects.
2) European Citizen Card: One Pillar of Interoperable e-ID Success (October 2008)
The ECC is an open application standard that provides an interoperable and cross-border e-services solution; this document describes the advantages of the smart card, especially for e-ID.
3) & 4) Coesys Biometric Enrolment Solution (2010) and Enrolment Solutions for the Public Sector
These solutions have been specifically developed for biometric enrolment, and can be applied to national e-ID/e-Passport, HealthCard, Driving License, e-Voter Registration and population registration etc. Coesys offers a timesaving generic enrolment engine designed to speed up data capture, to verify an applicant's identity and to ensure the quality of data captured.
Forthcoming Subgroup Meetings
| Date | Description |
| 14 Sep 10 | Identity Governance Subgroup Meeting |
Recent Subgroup Meetings
Other Relevant Documents and Links