Authentication Services

UNCLASSIFIED
COMMERCIAL SERVICE PROVIDER ASSURANCE FRAMEWORK
Final Draft, September 2012
1|Page
Final Draft Assurance Framework September 2012
UNCLASSIFIED
UNCLASSIFIED
Contents
EXECUTIVE SUMMARY ..... 3
1. Introduction ..... 4
2. Purpose and Principles ..... 6
3. Compliance Checklist ..... 7
   Data Vault/Mailbox Requirements ..... 7
   Authentication Requirements ..... 10
   Data Verification Service Requirements ..... 12
4. Assurance Framework ..... 13
   Risk Management ..... 13
   Security Risk Management ..... 15
   Commercial Providers ..... 19
      Privacy ..... 19
      Security ..... 20
   Authentication Services ..... 22
      Privacy ..... 22
      Security ..... 23
   Data Verification Services ..... 23
      Privacy ..... 24
      Security ..... 24
   Legal ..... 24
   Conformity Assessment ..... 24
   Information Assurance – Capability Maturity ..... 26
5. Technical Standards ..... 27
   Department of Human Services WebServices (DHS WS) Profiles ..... 27
   Standards used in the DHS WS-Profiles ..... 28
   Taxonomy ..... 29
   Authentication protocol ..... 29
   Standards used in the Authentication Protocol ..... 30
6. Governance ..... 31
7. ICT Procurement ..... 32
8. Future NTIF related Activities ..... 33
Attachment 1 ..... 34
Attachment 2 ..... 36
Attachment 3 ..... 37
Attachment 4 ..... 38
EXECUTIVE SUMMARY
There is an emerging commercial provider market for a range of on-line services such as personal
data vaults, digital mailboxes, data verification and authentication services. These services have
been developed and marketed in what amounts to a caveat emptor (buyer beware) market.
This Assurance Framework therefore provides:
• guidance for agencies to determine the Level of Assurance required to be demonstrated by Providers (Section 4); and
• the criteria to be satisfied by Providers to deliver the required Level of Assurance (Section 3).
The underlying premise of the Framework is that, based on an understanding of Provider assurance
levels, individuals will be able to choose to utilise services offered by commercial service providers
in order to access online government services. Equally, individuals should not be forced to hold
multiple credentials to access the range of required government services.
In the longer term, the government is exploring the viability of an Australia-wide/overarching
National Trusted Identities Framework (NTIF). The Assurance Framework identifies potential
additional streams of work that will need to be completed within an NTIF context. By applying
consistent standards for all participants in this market, an NTIF could allow a digital identity that is
trusted by one participant (such as a bank) to be trusted by another (such as a government agency).
Development of the Assurance Framework is underpinned by existing Australian Government
security frameworks and informed by existing national identity management policy frameworks.
The value of an individual’s personal information must be recognised by Providers and reflected in
the development of privacy and risk based security controls that meet agency requirements. The
Assurance Framework addresses each of these concerns.
Consistent with Australian and international government policies, the Framework establishes four
Assurance levels for the provision of broadly defined data management and authentication services
by commercial providers. For each level of assurance the Framework specifies performance
outcomes and standards to be achieved by Providers. As appropriate, and particularly for higher
assurance services, the Framework specifies particular conformity assessment requirements that
must be met.
The Framework also flags the potential application of commercial security standards such as the
Payment Card Industry Data Security Standard (PCI-DSS) in circumstances where Providers support
storage of such information.
The Framework is also cognizant of other related policy initiatives within government, in particular
cloud computing and data centre policies and emerging policy in relation to storage and processing
of government information. Although not specifically concerned with the provision of identity
management services, the principles and strategies inherent in these policies and programs provide
valuable input in terms of implementation of the Assurance Framework.
1. Introduction
“Personal data is the new oil of the Internet and the new currency of the digital world.”
Meglena Kuneva, European Consumer Commissioner, March 2009
Individuals and organisations are increasingly required to “prove who they are” by providing
personal and confidential information to multiple organisations to obtain desired services or
products. This is in addition to the large volume of personal information that is shared by
individuals through social media sites. The outcome is that personal information is transmitted,
stored and shared/sold across the globe, often without the knowledge or consent of the “owner” or
subject of that information.
However, the rapid rate of technological change and commercialisation in using personal data has
the very real potential to undermine end user confidence and trust. Concerns about the misuse of
personal data, and lack of adequate security standards by government and business continue to
grow. Fundamental questions about privacy, property, global governance, human rights –
essentially around who should benefit from the products and services built upon personal data – are
major uncertainties. (World Economic Forum 2010 Personal Data: The Emergence of a New Asset Class. See
http://www.weforum.org/reports/personal-data-emergence-new-asset-class).
There is no cohesive, nationally recognised framework for managing or coordinating individual
digital identities in Australia. While Government has traditionally played a central role there is
evidence that the market has matured to the point where commercial providers are offering identity
related solutions, for example:
• digital mailbox providers (such as Australia Post and Digital Post Australia) which will enable people to receive correspondence from participating organisations in a single in-box;
• personal identity management (or authentication) providers who provide people with credentials (eg a user name and password) to enable access to a variety of services;
• online verification services (such as GreenID), which enable people to verify their identity online; and
• personal data management or data vault services, which enable people to store and retrieve their personal data electronically, including personal records like birth certificates.
This Framework is an initial, practical response to the need identified in the Reliance Framework to
develop an Assurance Framework that will facilitate the exchange of people’s personal data with
commercial operators of authentication, secure mail or data management (data vault) services.
Development of the Assurance Framework is:
• underpinned by existing Australian Government security frameworks – the Protective Security Policy Framework (PSPF) and the Australian Government Information Security Manual (ISM) as well as current and planned privacy legislation; and
• informed by existing policy frameworks such as the National e-Authentication Framework, the Gatekeeper Public Key Infrastructure (PKI) Framework, the National Identity Security Strategy and activities currently underway in relation to matters such as data sovereignty, cloud computing and Data-Centres-as-a-Service (DCaaS).
The government is exploring the viability of an Australia-wide/overarching National Trusted
Identities Framework (NTIF). This Framework will help to inform the viability study of an NTIF. If
implemented, an NTIF would create an Australia-wide framework which would support the
development of an innovative and competitive private-sector led identity market — allowing better
and easier links between citizens, organisations, businesses and governments.
Definitions
Digital Mailbox
A digital mailbox is effectively a third-party email address that individuals can use to receive
electronic communications (eg from businesses and government). Mailboxes may have additional
storage capacity where individuals can choose to store important information – these are often
referred to as data vaults.
Data Vault
A data vault is a third-party secure storage capability that individuals can use to store sensitive
information. It is often, but not always associated with a digital mailbox.
Data Verification
Data verification is a process wherein data is checked for accuracy and authenticity. In the context
of this Assurance Framework it means verifying with an authoritative source that personal
information (eg name, date of birth) submitted by an individual is correct.
Identity Provider
The Organization for the Advancement of Structured Information Standards (OASIS) defines an
Identity Provider (IdP) as “A kind of provider that creates, maintains, and manages identity
information for principals and provides principal authentication to other service providers within a
federation, such as with web browser profiles.” (see https://www.oasis-open.org/org)
2. Purpose and Principles
The purpose of the Assurance Framework is to guide commercial service providers (Providers) and
government agencies on the various policies and standards that apply, within a risk management
context, to the provision of digital mailbox, data management and authentication services to
Government. The Framework identifies those policies and standards with which compliance is
mandatory as well as mechanisms for demonstrating such compliance.
The Framework provides:
• guidance for agencies to determine the Level of Assurance required to be demonstrated by Providers; and
• the criteria to be satisfied by Providers to deliver the required Level of Assurance.
This Assurance Framework has regard to:
• technical and performance standards, with the objective that people can choose Providers who are able to demonstrate compliance with such standards in order to access Government services;
• the need to demonstrate compliance with privacy legislation and maintain risk-managed levels of security in relation to people’s personal data;
• advice concerning procurement options with reference to the Commonwealth Procurement Rules and liability policy; and
• the need for any advice to consumers in relation to Provider service offerings.
The Framework establishes the following core principles:
• Agencies will specify their requirements in relation to data integrity, security and identity assurance levels;
• People will eventually be able to choose from a range of Providers in order to access a suite of Government services;
• Providers will adopt robust risk management approaches that consider risks of aggregated personal information to deliver the levels of privacy and security required by agencies in relation to people’s personal data;
• Agencies may:
  o choose to engage directly with Providers for the delivery of specific services in which case accountability for the performance of the service or function and responsibility for outcomes remains with the agency;
  o act as a relying party in which case accountability for the performance of the service or function and responsibility for outcomes remains with the Provider.
3. Compliance Checklist
Data Vault/Mailbox Requirements
Levels of Assurance – Data Management Services (data vaults, mailboxes etc)
Level 1 – Minimal assurance: minimal confidence in the services offered.
Level 2 – Low assurance: low confidence in the services provided.
Level 3 – Moderate assurance: moderate confidence in the services provided.
Level 4 – High assurance: high confidence in the services provided.

Important
Achieving LOA 4 assurance requires completion of the requirements for LOA 1 – LOA 3.
Where the Provider supports storage of digital copies of government issued credentials (eg passports or motor vehicle licences) these credentials remain the property of the issuing agency.
Where the Provider supports storage of financial data such as credit card details, compliance with the Payment Card Industry Data Security Standard (PCI-DSS) will apply (see https://www.pcisecuritystandards.org).
Where a Provider utilises secure data storage services from a third party the security and privacy controls must clearly identify the respective roles and responsibilities of both the Provider and third party.

Note
Providers must specify the physical location of data centres used to store personal information. Where a Provider utilises services outside Australia to store, backup, process, transmit, manage or otherwise support its Australian operations these must be clearly identified and included in the Provider’s security and privacy documentation. Agencies will apply a risk assessment process in making decisions to rely on data or credentials known to be stored by an individual outside Australia.

REQUIREMENT | LOA 1 | LOA 2 | LOA 3 | LOA 4

Organisation Services
• Fully operational legal entity compliant with all relevant legal requirements including agency specific legislation and policies (self assessed).
• Published Liability Policy
• Financial situation sufficient for liability exposure (self assessed).
• Annual service management audit (external) – see ASAE 3402: Assurance Reports on Controls at a Service Organisation
• Audit records maintained for 36 months
• Financial situation sufficient for liability exposure (independent assessment by a qualified accountant who is a member of a professional accounting body)

Privacy
• Independent Privacy Impact Assessment (PIA) – see http://www.oaic.gov.au/publications/guidelines/Privacy_Impact_Assessment_Guide.html for further information.
• Demonstrated compliance with all National Privacy Principles (NPPs), the Information Privacy Principles (IPP’s) as applicable and all Australian Privacy Principles (APP’s) should the 2012 Amendment Bill become law.
• Destroy an individual’s stored data within a reasonable time of the person terminating their relationship with the Provider
• Provide a means for subscribers to securely amend their stored information

Information Security Management System (requires specification of relevant technical and security standards)
LOA 1:
• Documented Security Risk Management Plan (SRMP) including DSD Mitigation Strategies (see http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm)
• Appropriate operator access controls and data protection mechanisms (at rest and in motion) are implemented
LOA 2:
• Defined managerial responsibility for all security policies
• ISMS complies with ISO/IEC 27001 (self assessment)
• Documented incident management plan addressing in particular security and privacy breach management
• Effective personnel security controls are in place
• Adequate Physical Security controls are in place to protect premises and information resources.
• 2 yearly security audit by an IRAP assessor to ensure documented security controls are being effectively implemented and remain adequate for the services provided
• A secure log of all relevant security events is maintained
• Shared secrets appropriately secured (physical and logical)
LOA 3:
• An independent protective security risk review (PSRR) is performed at least annually by an IRAP assessor
LOA 4:
• DR plan tested and reviewed annually
• ISMS has been certified by JAS-ANZ accredited certification body to ISO/IEC 27001 and is subject to annual audit – see http://www.jasanz.com.au/ for further information
REQUIREMENT | LOA 1 | LOA 2 | LOA 3 | LOA 4

LOA 1
Storage and electronic transmission of personal information
• Use an encryption product that implements a DACA as per ISM requirements
• Where practical, cryptographic products must provide a means of data recovery
• Use an encryption product that implements a DACP to communicate sensitive information over public network infrastructure – see http://www.dsd.gov.au/infosec/ism/index.htm for further information [1]
Physical security
• Demonstrate an appropriate physical security environment for the protection of business assets and processes
• Documented Physical Security Policy as part of overall SRMP
Personnel Security
• Compliance with PERSEC 1 in the PSPF (self assessment).
PCI-DSS requirements for storage of payment card data
• Not allowed

LOA 2
Storage and electronic transmission of personal information
• Use an Evaluation Assurance Level (EAL) 2 encryption product from DSD’s Evaluated Products List (EPL) that has completed a DCE – see http://www.dsd.gov.au/infosec/ism/index.htm for further information.
• Data centres used to store personal information must be located in Australia.
Physical security
• Compliance with the PSPF Physical Security Protocol at http://www.protectivesecurity.gov.au/physicalsecurity/Pages/Protocol.aspx
Personnel Security
• Documented Personnel Security Management Plan including: verification of qualifications, police records check, referee checks, identity verification.
PCI-DSS requirements for storage of payment card data
• Not allowed

LOA 3 – LOA 4
Physical security
• Physical security arrangements certified by Gatekeeper Authorised Physical Security Evaluator – see http://www.finance.gov.au/egovernment/securityandauthentication/gatekeeper/physicalsecurity-evaluationpanel.html
Personnel Security
• Vetting of personnel and contractors in Positions of Trust in accordance with AS4811-2006: Employment Screening including appropriate personnel security aftercare arrangements
PCI-DSS requirements for storage of payment card data
• Completion of the Attestation of Compliance with the Payment Card Industry Data Security Standard (PCI DSS) by a Qualified Security Assessor (QSA).

[1] Providers should note that the use of encryption may introduce challenges to meet data availability requirements
Authentication Requirements
National e-Authentication Framework (NeAF) Levels of Assurance – Identity/Attributes
Level 1 – Minimal assurance: minimal confidence in the identity assertion / credential.
Level 2 – Low assurance: low confidence in the identity assertion / credential.
Level 3 – Moderate assurance: moderate confidence in the identity assertion / credential.
Level 4 – High assurance: high confidence in the identity assertion / credential.

Important
Achieving LOA 4 assurance requires completion of the requirements for LOA 1 – LOA 3.

Note
Given the sensitivity of the personal information collected and stored, Providers of authentication services at LOA 2 and above must satisfy the security and privacy requirements for mailbox/data vault Providers (above) to a minimum of LOA 3.
REQUIREMENT | LOA 1 | LOA 2 | LOA 3 | LOA 4

Identity Proofing (Providers to demonstrate completion of NeAF assessment [reflected in Identity and Credential Policies] and implementation of provisions of ISO/IEC 29115)
• Ensure that each applicant’s identity record is unique within the service’s community of subjects and uniquely associable with tokens and/or credentials issued to that identity
• Accept a self-assertion of identity
• Accept self-attestation of evidence.
• Accept pseudonyms – self asserted, socially validated
• Perform all identity proofing strictly in accordance with its published Identity Proofing Policy
• Applicant provides name, DOB, address, email/phone (to be verified with issuing institutions as appropriate)
• Maintain appropriate Identity and Verification Records in accordance with the Archives Act
• Electronic verification where possible (DVS [2] or other authorised data verification service provider – see below) of presented documents with the specified issuing authority to corroborate date of birth, current address of record, and other personal information.
• The Primary document must be a Government issued credential with a biometric
• GSEF processes may be considered on a risk basis
• Only face-to-face identity proofing.
• GSEF processes apply
• Applicant presents:
  o secondary Government Picture ID (not the same as the primary document) or credential issued by a regulated financial institution
  OR
  o two items confirming name, and address or email address, such as: utility bill, professional license or membership, or other evidence of equivalent standing (see Gatekeeper EOI Policy)
• All presented credentials and information are where possible electronically verified with relevant issuing authority
• Optional ID proofing:
  o Known customer (see Gatekeeper EOI Policy and AS4860—2007 Knowledge-based identity authentication—Recognizing Known Customers)
  o 3rd party verification (authorised referee)
• Optional ID Proofing:
  o Known Customer

[2] Private sector access to the DVS has yet to be finalised
REQUIREMENT | LOA 1 | LOA 2 | LOA 3 | LOA 4

Credentials
Account for the following system threats and apply appropriate controls:
• the introduction of malicious code;
• compromised authentication arising from insider action;
• out-of-band attacks by other users and system operators (e.g., the ubiquitous shoulder-surfing);
• spoofing of system elements/applications;
• malfeasance on the part of subscribers and subjects.
• Single factor authentication solutions acceptable
• Published Credential Policy and Practices Statement approved by internal Policy Management Authority
• Strong passwords as per ISM
• Non-PKI multi-factor authentication protocols required
• Cryptographic technology deployed through a Public Key Infrastructure – “soft” certificates
• Cryptographic technology deployed through a Public Key Infrastructure deployed on hardware tokens protected by password or biometric controls

Privacy
• Demonstrated compliance with all National Privacy Principles (NPPs), the Information Privacy Principles (IPP’s) as applicable and all Australian Privacy Principles (APP’s) should the 2012 Amendment Bill become law.
• Amendment of subscriber personal information requires either: (i) re-proving their identity, as in the initial registration process, or (ii) by using their credentials to authenticate their revision.
• Successful amendment of personal information should result in re-issuance of the credential.

Key Management
• Documented Key Management Plan (KMP) assessed by commercial IRAP assessor (see Gatekeeper PKI Framework for details of KMP requirements).
• Full Gatekeeper accreditation
• Gatekeeper High Assurance accreditation.
• Specifications for hardware tokens from EPL
REQUIREMENT | LOA 1 | LOA 2 | LOA 3 | LOA 4

Credential Management
LOA 1 – LOA 2:
• User choice of UserID that is verified to be unique within the service’s community of subjects and bound to a single identity record.
• Permit users to change their PINs/passwords
Revocation
• User may submit a request for revocation to the Credential Issuer
• Issuer to implement appropriate security and verification processes
• Documented Credential Management Policies and Practices as part of KMP and consistent with Privacy Policy and Security Risk Management Plan.
LOA 3:
• Full Gatekeeper accreditation
LOA 4:
• Gatekeeper High Assurance accreditation.
• Specifications for hardware tokens from EPL
Data Verification Service Requirements
REQUIREMENT | LOA 1 | LOA 2 | LOA 3 | LOA 4

Data verification services (these services apply only at authentication assurance LOA 3 and above)
• Independent Privacy Impact Assessment completed
• Published Privacy Policy
• Demonstrated compliance with all National Privacy Principles (NPPs), the Information Privacy Principles (IPP’s) as applicable and all Australian Privacy Principles (APP’s) should the 2012 Amendment Bill become law.
• Appropriate contractual arrangements established with issuing authorities
• If personal information is retained satisfy the requirements for mailbox/data vault providers at LOA 3
4. Assurance Framework
In accordance with the Protective Security Policy Framework, when an agency contracts services to a
third party, accountability for the performance of the service or function and responsibility for
outcomes remains with the agency requesting the service. This agency responsibility includes the
management of risks to any assets (personnel, physical or information) the agency entrusts to the
Provider. Assets need to be considered individually and in aggregate.
In the case of the Assurance Framework these assets may include:
o government issued documents or credentials
o sensitive personal information
o sensitive correspondence to and from agencies
In addition Providers may also support storage of other information including:
o financial information eg credit card details
o routine transactions with non-government service providers such as utilities and telecommunications companies.
Agencies should therefore establish service level agreements with Providers that, at a minimum, specify the assurance requirements set out in Section 3. Such agreements should clearly specify the nature of the services to be provided and the compliance requirements that must be demonstrated for the particular service offering.
The nature and extent of data storage supported by the Provider will provide a necessary input into
an agency’s risk assessment. This is because the quantity and sensitivity of stored information will
increase the attractiveness of the service as a target for cyber-criminals, and therefore the potential
for compromise to agency operations.
Risk Management
Agencies must undertake a protective security risk assessment to determine the required level of
assurance that Providers must demonstrate in order for the agency to rely on the services offered.
The PSPF states:
“Agencies must adopt a risk management approach to cover all areas of protective security activity across their organisation, in accordance with the Australian Standard for Risk Management AS/NZS ISO 31000:2009 and the Australian Standards HB 167:2006 Security risk management.” (see http://www.protectivesecurity.gov.au/pspf/Documents/Protective%20Security%20Policy%20Framework.pdf)
Implementation of this Assurance Framework will require:
• Agencies intending to rely on services provided by commercial operators to undertake a thorough risk assessment (as per the PSPF) to determine the level of assurance required to be demonstrated by Providers.
  o The outcome of the risk assessment including all protective security measures and resultant residual risks must be signed-off by the agency head.
Note that some services, such as the ability of individuals to store personal information and copies of
documents may not be directly applicable to an agency’s engagement with a Provider.
For example an individual may choose to store a digital copy of their Passport in their
mailbox. The fact that the individual has a copy of their passport stored in the mailbox may
have no bearing on their interaction with a given agency. However, the fact that the
Passport remains the property of the issuing agency will have implications for the security
controls implemented by the Provider.
The risk assessment should focus on the possible threats to the agency arising from reliance on the
services offered by the Provider, and consider:
Mailbox/vault services
• the potential type and quantity of information that an individual may choose to store in their
  vault (eg electronic copies of personal documents, digital credentials, answers to shared
  secrets etc) as well as the aggregate volume of such data holdings
Authentication services
• the type and volume of personal information/documentation that is collected and stored in
  order to issue an authentication credential (individual and aggregate), whether such data is
  verified and, if so, whether the verification outcomes are also stored.
Data verification services
• the type and volume of personal information/documentation that is collected and stored
The risk assessment should include:
(i) a protective security risk review
    GOV-6: Agencies must adopt a risk management approach to cover all areas of
    protective security activity across their organisation, in accordance with the Australian
    Standard for Risk Management AS/NZS ISO 31000:2009 and the Australian Standards HB
    167:2006 Security risk management. See
    http://www.protectivesecurity.gov.au/informationsecurity/Documents/information%20security%20management%20protocol.pdf
(ii) a National e-Authentication Framework (NeAF) assessment as appropriate.
    The NeAF provides agencies with a methodology to undertake identity-risk assessments
    and thereby determine the level of authentication assurance required for a particular
    online transaction (or set of similar transactions). See http://www.finance.gov.au/egovernment/security-and-authentication/authentication-framework.html.
The Australian Government Business Impact Levels (BILs)3 form a part of the PSPF. They provide
agencies with a common set of rules that leads to a consistent approach to assessing business impact
from an Australian Government perspective. BILs will vary greatly between agencies, based on their
functions and size. BILs in themselves do not measure the size of the risk associated with the
information; they rate the consequence of a compromise, which the risk assessment then combines
with likelihood.
Security Risk Management
Risk can be identified and analysed in terms of:
• What could happen? How could resources and activities central to the operation of an
  agency be affected?
• How would it happen? What weaknesses could be exploited to make this happen? What
  security controls are already in place? Are they adequate?
• How likely is it to happen? Is there opportunity and intent? How frequent is it likely to be?
• What would the consequence be?
• What possible effect could it have on an agency’s operations, services or credibility?
Possible threat vectors – internal / external
• Facility security breach (physical)
• Software / hardware failures / compromise, D/DOS attacks
• System overloads due to business traffic
• Eavesdropping / Spoofing
• Configuration errors
• Malicious use (internal – privileged users)
• Operator negligence
• Hacking / Malicious code injections / Social engineering of administrative staff
• Criminal User – identity fraud
• Data spill / breach
• others
3 http://www.ag.gov.au/Documents/Australian%20Government%20protective%20security%20governance%20management%20guidelines%20-%20Australian%20Government%20Business%20impact%20levels.pdf. See
Annex 6 (Background Material) for details.
Risk Assessment Framework
A sample security risk assessment framework for considering Provider mailbox/data vault services may
look like the following:
LIKELIHOOD        Description
Almost Certain    An attempt will inevitably be made to effect the threat
Likely            Will probably occur in most circumstances
Possible          Might not occur, but on balance more likely to occur at some time
Unlikely          Not generally expected to occur at some time
Rare              May occur only in exceptional circumstances
Figure 1: Threat likelihood ratings
1 (LOW)            Could be expected to harm government agency operations, commercial entities or members of the public
2 (MEDIUM)         Could be expected to cause limited damage to national security, government agency operations, commercial entities or members of the public
3 (HIGH)           Could be expected to damage government agency operations, commercial entities or members of the public
4 (VERY HIGH)      Could be expected to damage national security
5 (EXTREME)        Could be expected to seriously damage national security
6 (CATASTROPHIC)   Could be expected to cause exceptionally grave damage to national security
Figure 2: Summary PSPF Business Impact Levels4
Business impact      Rare       Unlikely   Possible   Likely     Almost Certain
Catastrophic         Moderate   Moderate   High       High       High
Extreme              Moderate   Moderate   Moderate   High       High
Very High            Low        Low        Low        Moderate   Moderate
High                 Minimal    Minimal    Minimal    Low        Low
Medium               Minimal    Minimal    Minimal    Low        Low
Low                  Nil        Nil        Nil        Nil        Nil
Figure 3: Sample Risk Ratings (rows: business impact level from Figure 2; columns: likelihood from Figure 1; cells: risk rating)
4 Further detail is available at
http://www.protectivesecurity.gov.au/governance/Documents/Business%20impact%20levels.pdf
Note: An alternative approach is set out in ISO 31000:2009 Risk Management – Principles and Guidelines
The outcome of this risk assessment can be broadly mapped to assurance requirements for
mailbox/data vault Providers in Section 3. In very general terms:
• High residual risk would warrant LoA 4
• Moderate risk would warrant LoA 3
• Low risk would warrant LoA 2
• Minimal risk would warrant LoA 1
NeAF Assessment
The second of the risk assessments that agencies may need to undertake relates to the provision of
authentication services. The NeAF assessment will determine the Level of Assurance required for
any authentication credentials issued by Providers that will be relied on by agencies to access
services.
A NeAF assessment involves the following broad steps to determine assurance level requirements.
The first step involves a comprehensive and multi-dimensional assessment of the type and severity of
identity-related threats and risks for a transaction (or transaction set). A sample of the type of threats
and risks is set out below (further detail is available at http://www.finance.gov.au/egovernment/security-and-authentication/authentication-framework.html).
NeAF illustrative consequences and severity ratings

Consequence: Risk to any party’s personal safety
  Insignificant: No risk
  Minor:         No risk
  Moderate:      No risk
  Major:         Any risk to personal safety
  Severe:        Threaten life directly

Consequence: Release of personally or commercially sensitive data to third parties without consent
  Insignificant: No impact
  Minor:         Would have little impact
  Moderate:      Measurable impact, breach of regulations or commitment to confidentiality
  Major:         Release of information would have a significant impact
  Severe:        Would have severe consequences to a person, agency or business

Consequence: Financial loss to any client of the service provider or other third party
  Insignificant: No loss
  Minor:         Minimal
  Moderate:      Minor
  Major:         Significant
  Severe:        Substantial

Consequence: Financial loss to Agency / service provider
  Insignificant: No loss
  Minor:         Minimal (< 2% of monthly agency budget)
  Moderate:      Minor (2% to < 5% of monthly agency budget)
  Major:         Significant (5% to < 10% of monthly agency budget)
  Severe:        Substantial (≥ 10% of monthly agency budget)

Consequence: Impact on government finances or economic and commercial interests
  Insignificant: No impact
  Minor:         No impact
  Moderate:      Cause financial loss or loss of earning potential
  Major:         Work significantly against
  Severe:        Substantial damage

Consequence: Damage to any party’s standing or reputation
  Insignificant: No damage
  Minor:         No damage
  Moderate:      Minor: short-term damage
  Major:         Limited long-term damage
  Severe:        Substantial long-term damage
The second step involves mapping the likelihood of these occurring in order to determine overall risk
levels and from there the required assurance level can be determined.
NeAF indicative assurance level requirements based upon likelihood and consequences

Likelihood       Insignificant   Minor      Moderate   Major      Severe
Almost certain   Nil             Low        Moderate   High       High
Likely           Nil             Low        Moderate   High       High
Possible         Nil             Minimal    Low        Moderate   High
Unlikely         Nil             Minimal    Low        Moderate   Moderate
Rare             Nil             Minimal    Low        Moderate   Moderate
(rows: likelihood; columns: consequence severity; cells: risk level)
Note
The threats and likelihood ratings above and those in the NeAF documents are indicative only and
agencies must apply the principles set out in the NeAF in the context of their own business and risk
environment.
The outcomes of this NeAF assessment may be seen to broadly translate to the assurance levels
required to be demonstrated by Providers as set out in Section 3. In very general terms:
• High residual risk would warrant LoA 4
• Moderate risk would warrant LoA 3
• Low risk would warrant LoA 2
• Minimal risk would warrant LoA 1
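The two-step NeAF procedure described above, together with the risk-to-LoA mapping that this Framework applies to both the mailbox/data vault assessment and the NeAF assessment, carried through as a worked example. This is an illustration added by the editor, not code from the Framework or the NeAF documents. The matrices are transcribed from this page; the transaction, its category ratings, the budget figures and the treatment of a "Nil" risk level as carrying no LoA requirement are assumptions made for the example.

```python
"""Worked NeAF-style identity risk assessment (added example).

Step 1: rate the severity of each consequence category for a transaction
and take the worst of them. Step 2: cross that severity with likelihood
in the indicative NeAF matrix to get a risk level, then map the risk
level to the LoA a Provider must demonstrate. Matrices are transcribed
from the page; transaction inputs are constructed.
"""
from typing import Dict, Optional, Tuple

SEVERITIES = ["Insignificant", "Minor", "Moderate", "Major", "Severe"]

# NeAF indicative assurance level requirements (row: likelihood, column: severity).
NEAF_MATRIX = {
    "Almost certain": ["Nil", "Low", "Moderate", "High", "High"],
    "Likely":         ["Nil", "Low", "Moderate", "High", "High"],
    "Possible":       ["Nil", "Minimal", "Low", "Moderate", "High"],
    "Unlikely":       ["Nil", "Minimal", "Low", "Moderate", "Moderate"],
    "Rare":           ["Nil", "Minimal", "Low", "Moderate", "Moderate"],
}

# Risk level -> LoA (the Section 3 mapping stated on the page). "Nil" is not
# mapped on the page; this example treats it as no LoA requirement (assumption).
LOA_FOR_RISK = {"Minimal": 1, "Low": 2, "Moderate": 3, "High": 4}


def agency_loss_severity(loss: float, monthly_budget: float) -> str:
    """Severity of a financial loss to the agency, using the page's budget bands:
    no loss -> Insignificant, < 2% -> Minor, 2% to < 5% -> Moderate,
    5% to < 10% -> Major, >= 10% -> Severe."""
    if monthly_budget <= 0:
        raise ValueError("monthly_budget must be positive")
    if loss <= 0:
        return "Insignificant"
    share = loss / monthly_budget
    if share < 0.02:
        return "Minor"
    if share < 0.05:
        return "Moderate"
    if share < 0.10:
        return "Major"
    return "Severe"


def overall_severity(ratings: Dict[str, str]) -> str:
    """Step 1 aggregation: the transaction is as severe as its worst category."""
    for rating in ratings.values():
        if rating not in SEVERITIES:
            raise ValueError("unknown severity rating: %s" % rating)
    return max(ratings.values(), key=SEVERITIES.index)


def required_loa(ratings: Dict[str, str], likelihood: str) -> Tuple[str, str, Optional[int]]:
    """Step 2: returns (worst severity, risk level, LoA or None when the risk is Nil)."""
    severity = overall_severity(ratings)
    risk = NEAF_MATRIX[likelihood][SEVERITIES.index(severity)]
    return severity, risk, LOA_FOR_RISK.get(risk)


def assess_change_of_bank_details() -> Tuple[str, str, Optional[int]]:
    """Constructed transaction: an individual updates the bank account into which
    an agency pays a benefit. All figures and ratings are illustrative only."""
    monthly_budget = 1_500_000.0        # assumed agency payments budget per month
    expected_fraud_loss = 40_000.0      # assumed loss if the transaction is abused
    ratings = {
        "personal safety": "Insignificant",
        "release of sensitive data": "Moderate",
        "financial loss to client / third party": "Minor",
        "financial loss to agency": agency_loss_severity(expected_fraud_loss, monthly_budget),
        "government finances / economic interests": "Minor",
        "standing or reputation": "Moderate",
    }
    # Likelihood of the identity threat being realised, taken from the threat
    # analysis of step 1 (assumed value for this example).
    return required_loa(ratings, "Possible")


if __name__ == "__main__":
    severity, risk, loa = assess_change_of_bank_details()
    print("worst severity=%s, risk=%s, required LoA=%s" % (severity, risk, loa))
```

The constructed transaction lands on a worst severity of Moderate (the 2.7% budget loss band), a "Possible" likelihood gives a Low risk level, and Low translates to LoA 2. Raising the likelihood to "Likely" with the same ratings would push the result to Moderate risk and LoA 3, which is the point of the NeAF note that likelihood must be judged in the agency's own threat environment rather than read off a default.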
Commercial Providers
Privacy
The Privacy Act 1988 (Cth) (Privacy Act) applies to government and private sector entities that
handle personal information as part of their participation in this Assurance Framework. The new
Australian Privacy Principles (APPs) will apply after the commencement of the amendments in the
Privacy Amendment (Enhancing Privacy Protection) Bill 2012.
Providers must demonstrate their compliance with the National Privacy Principles (NPPs) and, as
applicable, the Information Privacy Principles (IPPs) in the Privacy Act (see
http://www.privacy.gov.au/materials/types/infosheets/view/6583).
When entering a Commonwealth contract, section 95B of the Privacy Act requires an agency to take
contractual measures to ensure that a ‘contracted service provider’ (CSP) for the contract does not
do an act, or engage in a practice, that would breach an Information Privacy Principle (IPP) if done by
the agency.
At a minimum, Providers MUST:
• Demonstrate compliance with all National Privacy Principles (NPPs), the Information
  Privacy Principles (IPPs) as applicable and all Australian Privacy Principles (APPs) should
  the 2012 Amendment Bill become law.
• Destroy an individual’s stored data within a reasonable time of the person
  terminating their relationship with the Provider.
Termination of Services
NPP 4.2 states – ‘An organisation must take reasonable steps to destroy or permanently de-identify
personal information if it is no longer needed for any purpose for which the information may be
used or disclosed...’
Similarly, APP 11.2 states:
If:
(a) an APP entity holds personal information about an individual; and
(b) the entity no longer needs the information for any purpose for which the
    information may be used or disclosed by the entity under this Schedule; and
(c) the information is not contained in a Commonwealth record; and
(d) the entity is not required by or under an Australian law, or a court/tribunal
    order, to retain the information;
the entity must take such steps as are reasonable in the circumstances to destroy the
information or to ensure that the information is de-identified.
Cross border disclosure
APP 8 states:
Before an APP entity discloses personal information about an individual to a person (the
overseas recipient):
(a) who is not in Australia or an external Territory; and
(b) who is not the entity or the individual;
the entity must take such steps as are reasonable in the circumstances to ensure that the
overseas recipient does not breach the Australian Privacy Principles (other than Australian
Privacy Principle 1) in relation to the information.
Exceptions to this requirement include where an individual is informed and consents to the transfer
of the data.
Where an agency enters into a contract with a Provider that may send personal information
offshore, the agency must ensure that the Provider complies with APP 8.
Anonymity and pseudonymity
The Privacy Act and the Amendment Bill require that individuals be given the opportunity to not
identify themselves when entering into transactions. Specifically, National Privacy Principle (NPP) 8
states:
Wherever it is lawful and practicable, individuals must have the option of not identifying
themselves when entering transactions with an organisation.
Similarly, Australian Privacy Principle (APP) 2.1 states:
Individuals must have the option of not identifying themselves, or of using a pseudonym,
when dealing with an APP entity in relation to a particular matter.
APP 2.1 does not apply if the individual is required by law to identify themselves or if it is
impracticable to deal with an individual who has not identified themselves.
Mailbox/data vault Providers should consider offering individuals the option to use their services
anonymously or under a pseudonym where practicable.
Security
The provisions of the Australian Government Protective Security Policy Framework (PSPF) and the
Australian Government Information Security Manual (ISM) establish the over-arching requirements
to be satisfied by Providers under this Framework.
Security is a combination of physical, logical (ICT) and personnel security measures designed and
implemented to provide “defence in depth” appropriate to the perceived threats/risks to the assets
being secured.
At a minimum, Providers MUST:
• Have a documented Security Risk Management Plan (SRMP) including, as appropriate,
  implementation of DSD Mitigation Strategies.
Physical Security
Providers must layer physical Zones, working in from public access areas and increasing the level of
protection with each new Zone. Each layer adds delay, giving the Provider more time to detect and
respond to an unauthorised entry before the intruder reaches the inner-most Zone (where the most
sensitive information is stored).
Further information is available at
http://www.protectivesecurity.gov.au/physicalsecurity/Pages/Supporting-Guidelines.aspx
Information Security
Providers must establish information security controls to ensure (to an acceptable level of residual
risk) the confidentiality, integrity and/or availability of information.
Providers SHOULD, as part of the development and implementation of their Security Risk
Management Plan (SRMP), consider the Top 4 Strategies to Mitigate Targeted Cyber Intrusions5
produced by the Defence Signals Directorate (DSD):
• Patch applications, e.g. PDF viewer, Flash Player, Microsoft Office and Java. Patch or mitigate
  within two days for high risk vulnerabilities. Use the latest version of applications.
• Patch operating system vulnerabilities. Patch or mitigate within two days for high risk
  vulnerabilities. Use the latest operating system version.
• Minimise the number of users with domain or local administrative privileges. Such users
  should use a separate unprivileged account for email and web browsing.
• Application whitelisting to help prevent malicious software and other unapproved programs
  from running, e.g. by using Microsoft Software Restriction Policies or AppLocker.
(DSD has since been renamed the Australian Signals Directorate and the Top 4 have been
superseded by its Essential Eight; the four controls above remain part of that set.)
Personnel Security
Providers must ensure (to an acceptable level of residual risk) that their personnel and the personnel
of any sub-contractors are suitable to have access to sensitive information.
5
Further information on DSD Mitigation Strategies is available at
http://www.dsd.gov.au/publications/Top_35_Mitigations.pdf
Access to system information must be managed through appropriate access controls, restricting system
access to authorised and successfully authenticated users. Authorisation is two-fold. Firstly, an
individual needs to be authorised to have access to a system, and secondly they need to be authorised
to access specific applications, databases or information resources on a system.
Authentication Services
These criteria apply to Providers that generate and issue authentication credentials to individuals.
Credentials enable authentication to occur. Issued credentials are only as good as the weakest link
associated with their issue, use, management, and revocation.
This includes:
• The credential creation process, including protection of any data which may compromise a
  credential.
• The registration and management processes employed by (or on behalf of) the credential
  issuer.
• The environment in which the credential is being used and the risks associated with that
  environment.
• The way the user protects their credential.
Authentication credentials are generally classified as one (or more) of the following:
• Something the user knows – e.g. Username, PIN, passwords and pass-phrases, shared
  secrets etc;
• Something the user has – e.g. Physical devices such as tokens and smart cards etc;
• Something the user is – e.g. Biometric record of a physical attribute e.g. fingerprint6.
At a minimum, Providers MUST:
• Have undertaken an identity risk assessment process in accordance with the National
  e-Authentication Framework (NeAF) to establish the level of assurance associated with
  the issued credential.
Privacy
Providers must demonstrate their compliance with the National Privacy Principles (NPPs) in the
Privacy Act (see http://www.privacy.gov.au/materials/types/infosheets/view/6583). If Providers are
contracted service providers under the Privacy Act, they MUST also demonstrate their compliance
with the Information Privacy Principles.
6
More recently a new type – “something the user does” (eg gait patterns, keystroke behaviour) – has come under active consideration as
a means of authenticating individuals in certain applications.
At a minimum, Providers MUST:
• Demonstrate compliance with all National Privacy Principles (NPPs), the Information
  Privacy Principles (IPPs) as applicable and all Australian Privacy Principles (APPs)
  should the 2012 Amendment Bill become law, and in particular the IPPs and NPPs (and
  APPs) in relation to collection, use and disclosure of personal information:
  o IPPs 1-3; NPP 1 (APP 3, APP 4 and APP 5)
  o IPPs 10-11; NPP 2, 10 (APP 6)
  o NPP 9 (APP 8)
  o IPP 4; NPP 4 (APP 11)
Security
Providers MUST demonstrate a risk-based approach to security that combines physical, logical (ICT)
and personnel security measures to provide “defence in depth” appropriate to the perceived
threats/risks to the assets being secured.
At a minimum, Providers MUST:
• Have a documented Security Risk Management Plan (SRMP) including, as appropriate,
  implementation of DSD Mitigation Strategies.
Data Verification Services
In the context of this Assurance Framework the ability to verify the authenticity of documentation or
personal information submitted by an individual assists in providing increased assurance that “the
individual is who they say they are”. There are a number of government and commercial data
verification services available. Where agencies or commercial providers contemplate use of such
services, they should ensure that the particular service satisfies the compliance requirements set out in
Section 3.
Given the structure of the Assurance Framework, the use of data verification services will only be
required (where possible) for authentication services operating at LoA 3 and above.
Document Verification Service
The national Document Verification Service (DVS) is part of the Australian Government’s commitment to
protecting the identity of Australians7. The DVS is a tool to verify the accuracy and validity of key
Australian identity credentials provided at enrolment into a high value system. It is a secure, on-line
system used to check, in real time, whether the information on a credential (such as document number,
name and date of birth) ‘matches’ information held by the issuing agency. The DVS does not store any
personal information. Requests to verify a document are encrypted and sent via a secure
communications pathway to the document issuing agency. No personal data is transferred from the
document-issuing agency.
7 Note that the DVS is, at this stage, only available to government agencies.
Privacy
Providers MUST demonstrate their compliance with the National Privacy Principles (NPPs) in the
Privacy Act (see http://www.privacy.gov.au/materials/types/infosheets/view/6583). If Providers are
contracted service providers under the Privacy Act, they must also demonstrate their compliance
with the Information Privacy Principles.
At a minimum, Providers MUST:
• Demonstrate compliance with all National Privacy Principles (NPPs), the Information
  Privacy Principles (IPPs, as applicable) and all Australian Privacy Principles (APPs, should
  the 2012 Amendment Bill become law) and in particular the IPPs and NPPs (and APPs) in
  relation to collection, use and disclosure of personal information:
  o IPPs 1-3; NPP 1 (APP 3, APP 4 and APP 5)
  o IPPs 10-11; NPP 2, 10 (APP 6)
  o NPP 9 (APP 8)
  o IPP 4; NPP 4 (APP 11)
Security
Providers MUST demonstrate a risk-based approach to security that combines physical, logical (ICT)
and personnel security measures to provide “defence in depth” appropriate to the perceived
threats/risks to the assets being secured.
Providers MUST demonstrate that:
  o Requests to verify a document are encrypted and sent via a secure communications
    pathway to the document issuing agency; and
  o No personal data is transferred from the document-issuing agency.
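The match-only exchange that the DVS description above and the two Security requirements just listed both call for, as a simulated example added by the editor. It is not the DVS protocol or any Provider's code: the page does not describe the real message format, so the register contents, the request and reply fields and the date and name formats below are constructed for illustration. Transport encryption of the request (the "secure communications pathway") is assumed to be supplied by the channel, for example TLS, and is outside the simulation.

```python
"""Simulated document verification exchange (added example).

Shows the two properties the page requires of a data verification service:
the requester sends the fields printed on a credential and receives only a
match verdict, and no personal data flows back from the issuing agency.
Register, request format and messages are constructed for this example.
"""
import json
import re

# Constructed register held by a document-issuing agency (sample data only).
ISSUER_REGISTER = {
    "P1234567": {"name": "Jane Citizen", "dob": "1980-03-14", "status": "current"},
    "P7654321": {"name": "John Smith", "dob": "1975-11-02", "status": "cancelled"},
}


def _norm_name(name: str) -> str:
    """Case-, space- and punctuation-insensitive comparison form for a name.
    Deliberately permissive so formatting differences do not cause false non-matches."""
    return re.sub(r"[^A-Z]", "", name.upper())


def _norm_date(value: str) -> str:
    """Accept DD/MM/YYYY or YYYY-MM-DD and canonicalise to YYYY-MM-DD."""
    m = re.fullmatch(r"(\d{2})/(\d{2})/(\d{4})", value)
    if m:
        return "%s-%s-%s" % (m.group(3), m.group(2), m.group(1))
    if re.fullmatch(r"\d{4}-\d{2}-\d{2}", value):
        return value
    raise ValueError("unrecognised date format")


def issuer_verify(request_json: str) -> str:
    """Issuing-agency side. Returns a bare verdict and echoes only the request id.

    A single verdict covers every field, so the caller cannot learn which field
    was wrong and the service cannot be used as an oracle to enumerate a holder's
    name or date of birth from a document number. Nothing from the register is
    ever copied into the reply.
    """
    req = json.loads(request_json)
    rec = ISSUER_REGISTER.get(str(req.get("document_number", "")))
    try:
        match = (
            rec is not None
            and rec["status"] == "current"
            and _norm_name(rec["name"]) == _norm_name(req["name"])
            and rec["dob"] == _norm_date(req["dob"])
        )
    except (KeyError, TypeError, ValueError, AttributeError):
        match = False   # malformed request: fail closed, still no detail returned
    return json.dumps({"request_id": req.get("request_id"), "match": bool(match)})


def response_leaks_record(response_json: str, document_number: str) -> bool:
    """Assurance check a requester can run in testing: does the holder's name or
    date of birth from the register appear anywhere in the issuer's reply?"""
    rec = ISSUER_REGISTER.get(document_number, {})
    return any(rec[k].lower() in response_json.lower() for k in ("name", "dob") if k in rec)


def requester_verify(request_id: str, document_number: str, name: str, dob: str) -> bool:
    """Requesting side: build the request, send it (here: a direct call) and
    accept only a minimal, well-formed reply bound to our request id."""
    request = json.dumps({
        "request_id": request_id,
        "document_number": document_number,
        "name": name,
        "dob": dob,
    })
    response = json.loads(issuer_verify(request))
    if set(response) != {"request_id", "match"} or response["request_id"] != request_id:
        raise RuntimeError("unexpected verification response")
    return response["match"] is True


if __name__ == "__main__":
    print(requester_verify("r1", "P1234567", "jane  citizen", "14/03/1980"))  # current, matches
    print(requester_verify("r2", "P1234567", "Jane Citizen", "15/03/1980"))   # wrong date of birth
    print(requester_verify("r3", "P7654321", "John Smith", "02/11/1975"))     # cancelled document
```

The requester's strict check on the reply shape is as important as the issuer's minimal reply: a Provider that tolerates extra fields in responses would silently accept (and possibly log) personal data if an issuer ever returned it.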
Legal
Providers MUST demonstrate that appropriate contractual arrangements have been established
with credential or document issuing authorities that are used in their verification processes.
Conformity Assessment
Conformity assessment is the ‘demonstration that specific requirements relating to a product,
process, system, person or body are fulfilled’. Conformity assessment procedures, such as testing,
inspection and certification, offer assurance that products fulfil the requirements specified in
regulations and standards (Source: ISO/IEC 17000 Conformity Assessment - Vocabulary and General
Principles).
In circumstances where Providers offer individuals data storage / management / communication and
associated authentication services that purport to be adequate for reliance by government agencies
delivering services and benefits to individuals, it is expected that such services will meet, at a
minimum, baseline ICT security management standards.
From an information assurance perspective the nature of the conformity assessment process would
be directly proportional to the level of assurance offered/required for such services8.
ISO/IEC 27001:2005 - Information technology -- Security techniques -- Information security
management systems – Requirements requires that management:
• Systematically examine the organization's information security risks, taking account
  of the threats, vulnerabilities, and impacts;
• Design and implement a coherent and comprehensive suite of information security
  controls and/or other forms of risk treatment (such as risk avoidance or risk
  transfer) to address those risks that are deemed unacceptable; and
• Adopt an overarching management process to ensure that the information security
  controls continue to meet the organization's information security needs on an
  ongoing basis.
Mailbox/data vault Providers operating at LoA 4 will be required to:
• Have an Information Security Management System (ISMS) that has been certified by a
  JAS-ANZ accredited certification body for compliance with ISO/IEC 27001 and which is also
  subject to annual audit for ongoing compliance.
Information Security Registered Assessor Program (IRAP)
The DSD Information Security Registered Assessor Program (IRAP) provides Australian Government
agencies with a pool of registered Australian IT security professionals who can be engaged to perform
information security assessments on systems and networks.
Audit requirements
Any conformity assessment program is a point-in-time evaluation of a Provider’s capabilities.
Incorporating an external audit requirement would provide an ongoing independent assessment that a
service organisation is continuing to deliver services in a manner that is fit for purpose, and would
require it to disclose its activities and processes to customers in a uniform manner.
In Australia the Auditing and Assurance Standards Board (AUASB) is developing a new standard on
controls engagement. It will address engagements to report on financial reporting, compliance or
operational controls at the entity and compliance or operational controls at a service organisation. This
new standard should be available in December 2012.
8
This is the approach adopted in the US for the National Strategy for Trusted Identities in Cyberspace (NSTIC).
Information Assurance – Capability Maturity
An important component of any trust framework aimed at facilitating provision of services to
Government by commercial entities is an understanding of the capability maturity of participating
entities (ie developing a measure of how capable the organisation is in terms of its delivery of specific
services). Where such services involve the storage and/or transmission of personal information,
objective measures of maturity will assist agencies in terms of their reliance on such services.
A Maturity Model (see Attachment 3) is:
• A framework to measure and support the Information Assurance maturity of an
  organisation.
• A tool for organisations to use to progress the maturity of Information Assurance processes.
• A means of facilitating Provider participation in the Assurance Framework as they move
  through the maturity process.
• A way of measuring how well developed enterprise capabilities are. As organisations learn
  and grow they transition through maturity levels. At each maturity level there are increased
  controls and therefore reduced risk.
5. Technical Standards
The objective of this section is to provide a brief overview of the architectural approach for the
integration and authentication tiers of the Reliance Framework, and the set of WS-Profiles to be used.9
Compliance with these standards will be required for Providers under this Assurance Framework.
The ability for data and messages to be shared between organisations in a timely, secure, reliable
manner is a key capability for the Assurance Framework. Given the diverse nature of the infrastructure
of the participating organisations the integration layer must be vendor- and host-system- neutral. In
order to ensure interoperability and ease of integration for participating organisations and individuals it
must be based on widely used open industry standards. The industry standards by themselves are not
enough to ensure interoperability; detailed profiles must be used that specify not only which standards
must be used, but how they must be used, to a sufficient level of detail.
Some key enabling factors include:
• Use of open industry standards.
• Establishment of detailed Web Service Profiles.
• Strong architectural governance.
• Establishment of a certification process to ensure interoperability.
Implementation of these will serve to maximise the ease of integration with multiple third-party
providers. This in turn provides pathways for citizen choice, improves portability, and avoids the
establishment or perception of a single consumer database, as well as supporting innovation and
development in emerging commercial markets.
Department of Human Services WebServices (DHS WS) Profiles
A Profile is a set of guidelines for the use of WebServices specifications beyond the core protocols.
These guidelines are necessary because the specifications are designed for general-purpose use and
are not always sufficient to satisfy enterprise-level requirements. Interoperability Profiles also resolve
ambiguities in areas where the WebServices specifications are not clear enough to ensure that all
implementations process SOAP messages in the same way.
The DHS WS-Profiles are a critical tool in establishing interoperability between participating
organisations in the Reliance Framework.
9
Full detail on the DHS WS-Profiles is contained in the DHS External Web Services Profile document. Full detail on the
Authentication protocol is contained in the Australian Government Authentication Hub Protocol - v2.0 document
Some key features of the DHS Web Service Profiles include:
• Standards based: Wherever possible and appropriate, industry web services standards are
  adopted.
• Interoperability: The profiles are designed to maximise interoperability across different
  technology platforms.
• Support Delegated Trust Model: The security profiles support inclusion of user attributes in
  the Web Service requests that can be used by the Web Service provider to perform
  authorisations based on a delegated trust model.
• Support for Integrated Audit: Inclusion of user attributes in the Web Service requests to
  support audit requirements including the ability to correlate audit events across the
  portfolio systems.
• Extensible: The security profiles cater both for the use of internal web services being used to
  access in-confidence portfolio data and the configuration of additional security mechanisms
  for access to more sensitive data, or access by trusted external consumers.
The set of DHS WS-Profiles contains multiple profiles to address different integration requirements,
including:
• DHS Basic Profile 1.0: This profile is a set of basic standards needed for every web service
  transaction. At its core is the WS-I Basic Profile 1.0, with some enhancements to support
  more recent standards such as SOAP 1.2 and WSDL 1.1, and some DHS-specific conventions
  where required to cover areas not addressed by the WS-I Basic Profile.
• DHS SOAP Attachment Profile 1.0: This profile is a set of standards needed for services with
  attachment requirements.
• WS-Security Profile 1.0: This profile is a set of standards needed to secure the Web Service
  message using the OASIS WS-Security 1.0 specification.
• TLS Profile 1.0: This profile is a set of standards needed to secure the web service transport
  layer using TLS as specified in IETF RFC 2246 (TLS 1.0). Note that TLS 1.0 and 1.1 have since
  been deprecated by RFC 8996, so a current deployment of this profile would need to require a
  later TLS version.
• DHS Signature Profile 1.0: This profile is a set of standards needed to create digital
  signatures. This profile specifies the digital signature syntax and W3C processing
  recommendations (XML Signature).
Standards used in the DHS WS-Profiles
The standards used in the DHS WS-Profiles include (but are not limited to):
• XML
• XSD
• SOAP 1.1, 1.2
• HTTP 1.0, 1.1
• WS-Addressing
• WSDL 1.1
• WS-Security 1.1
• WS-Policy 1.5
• WS-Policy Attachment
• MTOM
• XOP
• PKI
• ATS5820
Taxonomy
Business information is encoded into a web service message using XML. The information is broken into
data elements within the XML stream, with each element given an appropriate, identifying name. The
Standard Business Reporting AU (definitional) Taxonomy (SBR Taxonomy) will be the primary reference
for naming of XML elements used to pass business information within a web service message10. A Reliance
Framework Taxonomy will be established based on the SBR Taxonomy and will be added to, where
required, to meet the specific needs of the Reliance Framework. Agency-specific taxonomies will only
be used where the SBR and Reliance Framework Taxonomies are acknowledged to omit a suitable definition
for the information to be encoded.
Authentication protocol
This protocol details the Web SSO and account linking messages that are exchanged between the
Authentication Hub and participating Agencies. It provides an outline of the architecture of the
Authentication Hub in order to provide the broad system context for the Authentication Hub protocol.
Further the protocols specify the responsibilities and requirements for an Agency to use the
Authentication Hub, i.e. to implement the Authentication Hub Protocol
The key features of the Authentication Hub Protocol are:
10

Standards based. The Authentication hub protocol is based on the SAML 2.0 standard for
identity federation.

Minimise changes for Agencies. The protocol does not require changes to existing
application architectures, online services, or security policies.
See http://www.sbr.gov.au/about-sbr/what-is-sbr/sbr-taxonomy for further information.
29 | P a g e
Final Draft Assurance Framework September 2012
UNCLASSIFIED
UNCLASSIFIED

Ease of adoption. The Authentication Hub is designed to lower the barriers of entry for an
Agency without compromising security. It uses well-defined and accepted standards for
authentication and leverages existing Agency process for registration.

Privacy Enhancing. The Authentication Hub will use anonymous identifiers to link Agency
identities, and will not store or use any confidential personal data or Agency-specific identity
data including Agency program identifiers.

Extensibility. The Authentication Hub architecture is designed to support extension in the
future to support new authentication credentials and registration business processes.

Supports NeAF. The Authentication Hub protocol supports the principles of National eAuthentication Framework by providing information about the credentials used by a user
during the authentication process to the Agency.
The Authentication Hub Protocol utilises various SAML 2.0 profiles to address different requirements,
including:
• Web Browser SSO Profile: The Web Browser SSO Profile specifies how SAML authentication
assertions are communicated between an identity provider and service provider to enable
single sign-on for a web browser user.
• Name Identifier Management Profile: This is a simple request-response exchange that can
originate at either the identity provider or the service provider and is used as part of the
Account Unlinking elements of the Authentication Hub Protocol.
Only a subset of the SAML v2 authentication protocols has been configured for use. Additional protocol
support can be adopted to:
• enhance usability for SSO interactions; and
• support access via mobile devices.
Additional credential verification services may be required to support authentication and account linking
interactions. These services will use the SAMLv2 standards where possible, but the standard may not
support some of these interactions. In this case, interfaces will be defined, adopted as standards, and
exposed in accordance with the DHS WS-Profiles.
Other authentication protocols such as OpenID and OAuth may be considered in the future to support
interoperability with service providers and identity providers in accordance with the architectural
principles outlined.
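The Web Browser SSO exchange described above, as an added example that is not part of this document or the Authentication Hub's own code: the Hub issues a SAML 2.0 assertion carrying a persistent, per-Agency pseudonymous NameID (the anonymous identifier used for account linking) and an AuthnContext reporting the credential class used, and the Agency checks issuer, audience, validity window, identifier format and minimum credential strength before accepting it. The entity IDs, the HMAC derivation of the pseudonym, the credential rank mapping and the key are assumptions; XML signature verification is left outside the snippet.

```python
import hashlib
import hmac
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# Standard SAML 2.0 authentication context classes; the rank order (how an
# Agency grades the credential the Hub reports, in the spirit of NeAF) is assumed.
AC_PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
AC_MOBILE_OTP = "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract"
AC_X509 = "urn:oasis:names:tc:SAML:2.0:ac:classes:X509"
CONTEXT_RANK = {AC_PASSWORD: 1, AC_MOBILE_OTP: 2, AC_X509: 3}

# Constructed values for this worked example.
HUB_ENTITY_ID = "https://hub.example.gov.au/idp"
AGENCY_A = "https://agency-a.example.gov.au/sp"
AGENCY_B = "https://agency-b.example.gov.au/sp"
HUB_KEY = b"constructed-hub-secret-for-the-example"
EXAMPLE_TIME = datetime(2012, 9, 1, 12, 0, 0, tzinfo=timezone.utc)
ASSERTION_LIFETIME = timedelta(minutes=5)
TS = "%Y-%m-%dT%H:%M:%SZ"


def _fmt(dt: datetime) -> str:
    return dt.strftime(TS)


def _parse(text: str) -> datetime:
    return datetime.strptime(text, TS).replace(tzinfo=timezone.utc)


def pairwise_identifier(hub_key: bytes, hub_user_id: str, agency_entity_id: str) -> str:
    """Persistent pseudonym for one user at one Agency (assumed derivation).

    Keyed with a Hub secret and bound to the Agency entity ID, so two Agencies
    receive unlinkable values and neither can recover the Hub-internal user id.
    The Agency links the value to its own program identifier locally; the Hub
    never holds that program identifier.
    """
    msg = agency_entity_id.encode() + b"\x00" + hub_user_id.encode()
    return hmac.new(hub_key, msg, hashlib.sha256).hexdigest()


def hub_build_assertion(hub_key: bytes, hub_user_id: str, agency_entity_id: str,
                        authn_context: str, now: datetime) -> str:
    """Hub side: build an (unsigned) <saml:Assertion> for the Web Browser SSO profile."""
    ET.register_namespace("saml", SAML)
    a = ET.Element(f"{{{SAML}}}Assertion", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _fmt(now)})
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = HUB_ENTITY_ID
    subject = ET.SubElement(a, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID", {"Format": PERSISTENT}).text = \
        pairwise_identifier(hub_key, hub_user_id, agency_entity_id)
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions", {
        "NotBefore": _fmt(now), "NotOnOrAfter": _fmt(now + ASSERTION_LIFETIME)})
    aud = ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction")
    ET.SubElement(aud, f"{{{SAML}}}Audience").text = agency_entity_id
    stmt = ET.SubElement(a, f"{{{SAML}}}AuthnStatement", {"AuthnInstant": _fmt(now)})
    ctx = ET.SubElement(stmt, f"{{{SAML}}}AuthnContext")
    # The class reference is how the Hub tells the Agency which credential was used.
    ET.SubElement(ctx, f"{{{SAML}}}AuthnContextClassRef").text = authn_context
    return ET.tostring(a, encoding="unicode")


def agency_consume_assertion(xml_text: str, agency_entity_id: str,
                             min_rank: int, now: datetime) -> tuple:
    """Agency side: validate the assertion and return (pseudonym, context class).

    Raises ValueError on any failed check. Signature verification of the
    enclosing Response is assumed to have happened before this is called.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML}}}Assertion" or root.get("Version") != "2.0":
        raise ValueError("not a SAML 2.0 assertion")
    if root.findtext("saml:Issuer", namespaces=NS) != HUB_ENTITY_ID:
        raise ValueError("assertion not issued by the Authentication Hub")
    cond = root.find("saml:Conditions", NS)
    if cond is None or not (_parse(cond.get("NotBefore")) <= now
                            < _parse(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if agency_entity_id not in audiences:
        raise ValueError("assertion not addressed to this Agency")
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        raise ValueError("expected a persistent pseudonymous NameID")
    context = root.findtext(
        "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS)
    if CONTEXT_RANK.get(context, 0) < min_rank:
        raise ValueError("credential used does not meet this service's minimum")
    return name_id.text, context


if __name__ == "__main__":
    xml = hub_build_assertion(HUB_KEY, "hub-user-42", AGENCY_A, AC_MOBILE_OTP, EXAMPLE_TIME)
    print(agency_consume_assertion(xml, AGENCY_A, 2, EXAMPLE_TIME))
```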
Standards used in the Authentication Protocol
The standards used in the Authentication Protocol include (but are not limited to):
• SAML v2.0
• SSL 3.0 / TLS 1.0
All other standards will be as per the standards from the DHS WS-Profiles.
6. Governance
Governance authority and responsibility for this Assurance Framework will be vested in the
Secretaries ICT Governance Board (SIGB).
The SIGB will consult with the Authentication Governance Committee (AGIMO) and the Reliance
Framework Board (DHS), including with respect to:
• standardising the interpretation and application of the non-specific measurement
statements in Section 3 of the Framework (e.g. appropriate, effective, where possible, etc);
and
• development of conformity assessment management regimes as required.
The governance of other technical standards (e.g. those used for data exchange etc.) used in the
Reliance Framework will initially be managed by the Reliance Framework Board.
Agencies and Providers should be aware that the Office of the Australian Information Commissioner
(OAIC) is the national privacy regulator.
On a day-to-day basis, policy and operational support will be provided by the:
• Department of Finance and Deregulation (AGIMO);
• Attorney-General’s Department (policy and operational support for AGD policies and
services, e.g. PSPF, NISS and DVS); and
• Defence Signals Directorate.
Development of a business case to establish the viability of an NTIF will address the issue of longer
term governance arrangements.
7. ICT Procurement
The Commonwealth Procurement Rules (CPRs) represent the Government Policy Framework under
which agencies govern and undertake their own procurement and combine both Australia's
international obligations and good practice. Together, these enable agencies to design processes
that are robust, transparent and instil confidence in the Australian Government's procurement.
Further detail is available at
http://www.finance.gov.au/procurement/procurement-policy-and-guidance/commonwealth-procurement-rules/index.html
Limiting Supplier Liability in ICT Contracts with Australian Government Agencies
The Australian Government’s ICT liability policy recognises that requiring unlimited liability and
inappropriately high levels of insurance can be a significant impediment to companies wishing to bid
for Australian Government contracts. This is particularly the case for small and medium sized ICT
firms.
A Guide to Limiting Supplier Liability in Information and Communications Technology (ICT) Contracts
with Australian Government Agencies was issued in May 2010 (second edition) by the Department
of Industry, Innovation, Science, Research and Tertiary Education. This policy relates to Government
agencies subject to the Financial Management and Accountability Act 1997 (the FMA Act) and
requires that the liability of ICT suppliers contracting with agencies, in most cases, be capped or
limited at appropriate levels based on the outcomes of a risk assessment. See
http://www.innovation.gov.au/Industry/InformationandCommunicationsTechnologies/Documents/LimitingLiabilityReport.pdf
The ICT liability policy is stated in Finance Circular 2006/03 Limited Liability in Information and
Communications Technology Contracts and in Finance Circular 2003/02 Guidelines for Issuing and
Managing Indemnities, Guarantees, Warranties and Letters of Comfort. Procurement related Finance
Circulars are located at http://www.finance.gov.au/publications/finance-circulars/procurement.html
Additional Resources
Finance Circulars are available at http://www.finance.gov.au/publications/finance-circulars/index.html
8. Future NTIF related Activities
There is a substantial body of work required to give operational effect to the Assurance Framework.
The development of a business case to establish the viability of an NTIF will consider how to enable
this work, including:
o Access to the DVS by Providers.
o Development of an integrated and robust conformity assessment program for
Providers of mailbox/data-vault and authentication services.
o Consideration of claim/assertion based authentication.
o Whether in all cases there is an agency procurement process, or whether agencies simply act as a
relying party on data / credentials stored and produced by a third party.
o The nature and extent of consumer / agency advice that may be required in relation
to 3rd party service providers.
o Proposals for centralised storage of personal information, use of offshore clouds or
the use of people’s personal information for marketing purposes.
o Development of appropriate capability maturity models for commercial providers of
identity management services.
o Clarification of the obligations under the Privacy Act and the proposed obligations under the
Amendment Bill with respect to anonymous and pseudonymous transactions.
o Development of appropriate long term governance models including but not limited
to responsibilities for conformity assessment, provider service standards, on-going
support, upgrade/release/change processes etc.
Attachment 1
Joint Accreditation System of Australia and New Zealand (JAS-ANZ)
The Joint Accreditation System of Australia and New Zealand (JAS-ANZ) was established by Treaty in
1991 by the Australian and New Zealand governments to strengthen the trading relationship
between the two countries and with other countries.
The JAS-ANZ Treaty established the Governing Board, Technical Advisory Council and Accreditation
Review Board. The Treaty requires JAS-ANZ to operate a joint accreditation system and to deliver on
the following four goals:
• Integrity and Confidence: To maintain a joint accreditation system that will give users confidence
that goods and services certified by accredited bodies meet established standards.
• Trade Support: To obtain and maintain acceptance by Australia’s and New Zealand’s trading
partners of domestic management systems and exported goods and services.
• Linkages: To link with relevant bodies which establish or recognise standards for goods and
services or which provide conformity assessment. Through these linkages, JAS-ANZ can influence
outcomes in international and national standards and guidance on conformity assessment so
that Australian and New Zealand interests are not disadvantaged.
• International Acceptance: To obtain mutual recognition and acceptance of conformity
assessment with relevant bodies in other countries. Mutual Recognition
Arrangements/Agreements (MRAs) and Multilateral Recognition Arrangements (MLAs) deliver a
systematic framework for acceptance of conformity assessment results between trading nations.
Structure and Governance
JAS-ANZ operates on a not-for-profit basis. Under the formal direction of a Governing Board, the
Technical Advisory Council and Accreditation Review Board support the development and
implementation of policies and principles that underpin the operation of the joint accreditation
system.
Through a network of international ties JAS-ANZ is subject to periodic peer review. JAS-ANZ has a
secretariat of 20 to assist the Governing Board fulfil its obligations.
Operations
JAS-ANZ activities are structured around five distinct disciplines or programs: management systems
certification, product certification, personnel certification, inspection, and greenhouse gas validation
and verification.
Under these five programs, JAS-ANZ recognises 125 public and proprietary schemes that have been
developed by or in conjunction with public authorities and industry groups. The schemes provide a
level of confidence to support exchange of products and services across a wide range of industry
sectors.
Over 90 certification and inspection bodies are accredited, with the largest number concentrated in
management systems. Over 70,000 accredited certificates are issued in over 80 countries to address
the need for authoritative attestations of conformity.
A high proportion of JAS-ANZ’s effort centres on five areas of economic and social activity:
• Business Processes and Innovation;
• Health and Human Services;
• Food and Biological Systems;
• Product Performance and Safety; and
• Environmental Management.
JAS-ANZ’s operations also extend to providing technical support for the development of
infrastructure capabilities in developing nations; current projects involve Laos and Cambodia.
International engagement
A key role for JAS-ANZ is establishing international arrangements with other countries to accept one
another’s certificates and inspection reports so removing a technical barrier to trade. An important
mechanism for this is membership in international organisations which provide the framework of
multilateral agreements (MLAs) under which signatories will recognise one another’s accredited
certificates and inspection reports.
JAS-ANZ is an active member of the key accreditation organisations including the International
Accreditation Forum (IAF), the Pacific Accreditation Cooperation (PAC), and the Asia Pacific
Laboratory Accreditation Cooperation (APLAC).
JAS-ANZ is also a member of the Multilateral Cooperative Accreditation Arrangement (MCAA), a
collaborative arrangement between a number of international accreditation bodies that facilitates
the sharing of information relating to signatory accredited bodies and cooperation in the servicing of
these bodies.
Contact details
Tel: +61 2 6232 2000
Fax: +61 2 6262 7980
Postal Address: GPO BOX 170, Canberra ACT 2601
Email: contact@jas-anz.org
www.jas-anz.org
Attachment 2
Kantara Initiative Identity Assurance Levels: Snapshot View
Columns: Assurance Level | Example | Assessment Criteria – Organization | Assessment Criteria – Identity Proofing | Assessment Criteria – Credential Management
AL 1 | Registration to a news website | Minimal organizational criteria | Minimal criteria – Self assertion | PIN and Password
AL 2 | Change of address of record by a beneficiary | Moderate organizational criteria | Moderate criteria – Attestation of Govt ID | Single factor; prove control of token through authentication protocol
AL 3 | Access to an online brokerage account | Stringent organizational criteria | Stringent criteria – stronger attestation and verification of records | Multi-factor auth: cryptographic protocol; “soft”, “hard”, or “OTP” tokens
AL 4 | Dispensation of a controlled drug or $1M bank wire | Stringent organizational criteria | More stringent criteria – stronger attestation and verification | Multi-factor auth w/ hard tokens only; crypto protocol w/ keys bound to auth process
Source: http://kantarainitiative.org/idassurance/
Attachment 3
HMG Information Assurance Maturity Model
The model is assessed as a matrix: each criterion below is rated R/A/G (Red/Amber/Green) against each of the five maturity levels.
Criteria: Leadership and Governance; Training, Education and Awareness; Information Risk Management; Through-Life IA Measures; Assured Information Sharing; Compliance.
Levels: L1 Initial; L2 Established; L3 Business Enabling; L4 Quantitatively Managed; L5 Optimised.
RED – There are crucial deficiencies against the performance required at this level. Major elements
of the business Information Risk Management and Information Assurance processes have yet to be
addressed.
RED/AMBER – There are major deficiencies against the performance required at this level. Major
elements of the business Information Risk Management and Information Assurance processes are
not being addressed, and there are no credible plans to address the situation.
AMBER – There are significant deficiencies against the performance required at this level. Some
elements of the business Information Risk Management and Information Assurance processes are
not being addressed, or such plans as exist have not been formally endorsed by the business.
GREEN / AMBER – There are only minor deficiencies against the Business Information Risk
Management and Information Assurance processes required at this level. Credible progress is being
made against plans endorsed by the business.
GREEN – There are negligible deficiencies against the performance required at this level. Business
Information Risk Management and Information Assurance processes are fully met.
Levels (cumulative)
1 Initial – awareness of weaknesses and policies established to guide improvement
2 Established – information assurance processes are institutionalised, strategic approach
adopted, program of targeted education and awareness raising
3 Business Enabling – measured improvement at all levels of the organisation including
commercial suppliers
4 Quantitatively Managed – staff attitudes to information assurance are aligned to business
needs, metrics are established to support risk management
5 Optimised – information assurance fully integrated as normal business and regarded at all
levels as a business enabler
The Capability Maturity Model set out above is drawn from the UK Government (see
www.cesg.gov.uk/products_services/iacs/iamm/media/iamm-assessment-framework_v2.pdf).
Further examples of such models may be found at
http://www.eurim.org.uk/activities/ig/voi/information.php.
Attachment 4
National Identity Security Strategy
(See www.ag.gov.au/identitysecurity)
Commonwealth, State and Territory Governments agreed to a National Identity Security Strategy
(NISS) in 2007. The NISS provides a framework for inter-governmental cooperation to enhance
identification and verification processes, combat identity theft and prevent the misuse of stolen
identities. The NISS was reviewed and revised during 2012 to ensure it remains responsive to the
rapidly evolving nature of identity crime and misuse.
In seeking to engage commercial providers, agencies should have regard for the following guiding
principles contained in the NISS 2012 [11]:
• Protecting the identity information of Australians is a shared responsibility.
• The community’s confidence in business and public trust in government is supported by
identity security.
• To deter crime and foster national security, identity security must be based on a risk
management approach.
• Commonly accepted identity credentials must be supported by strong security measures;
and
• Identity security needs to be a core feature of standard business processes and systems.
[11] COAG endorsement of the NISS 2012 is anticipated in late 2012.
Enrolment
The Gold Standard Enrolment Framework (GSEF) is a key outcome of the National Identity Security
Strategy (NISS). The GSEF was developed for government agencies issuing physical identity
credentials.
The GSEF details a ‘gold standard’ that gives agencies confidence in the identity of an individual. It
reduces the risk in registrations due to the use of false identities as well as minimising multiple
enrolments for fraudulent purposes. The GSEF specifies that agencies should verify the validity of
identity credentials presented at enrolment. The DVS is a tool that can be used to ‘match’ the
information on the credential with information held by the issuing agency.
For level 4 assurance authentication solutions the GSEF processes must be adopted by commercial
providers. For lower level assurance, GSEF processes should be considered on a risk basis. It is
important that the identities of persons accessing government services, benefits, official documents
and positions of trust are verified to a level of assurance appropriate for the service requested.
Data integrity
(See www.ag.gov.au/identitysecurity)
Noting agency obligations to maintain the integrity of their own data holdings, commercial providers
of authentication services must:
o Ensure that each applicant’s identity record is unique within the service’s
community of subjects and uniquely associable with tokens and/or credentials
issued to that identity.
Multiple, incorrect or fraudulent registrations undermine the ability of governments to allocate
entitlements, collect revenue, provide services effectively and efficiently and comply with privacy
obligations. Poor data integrity also undermines the effectiveness of the DVS. Data cleansing
(single-agency focused) and data matching (multi-agency focused) are two tools for improving the
integrity of data.
When third parties are establishing identity records they should have regard for the
Attorney-General’s Department’s Recording of a name to establish identity – Better practice guidelines for
Commonwealth agencies. It provides guidance on consistency and uniformity in use of name policy,
procedures and naming conventions. The guidelines are designed as a best practice reference guide
for collecting and recording identity information as well as for ongoing management, including
amendments to identity information.
National e-Authentication Framework
(See http://www.finance.gov.au/e-government/security-and-authentication/authentication-framework.html)
The National e-Authentication Framework [12] (NeAF) provides agencies with a methodology to
undertake identity-risk assessments and thereby determine the level of authentication assurance
required for a particular online transaction (or set of similar transactions).
The authentication process provides assurance that a credential was issued to a specified individual.
It does not address:
o whether, on subsequent presentation of that credential, the individual to whom it
was issued remains in control of the credential;
o what access rights or authority the individual has to obtain information from an
agency; or
o what services an individual may be entitled to receive from an agency.
[12] See http://www.finance.gov.au/e-government/security-and-authentication/authentication-framework.html
These processes remain within the control of the relying party (ie the agency from whom the
individual is seeking services).
The NeAF is equally applicable to commercial providers of authentication services.
The NeAF defines 5 levels of assurance as follows:
Level 0 – No assurance: No confidence is required in the identity assertion.
Level 1 – Minimal assurance: Minimal confidence is required in the identity assertion.
Level 2 – Low assurance: Low confidence is required in the identity assertion.
Level 3 – Moderate assurance: Moderate confidence is required in the identity assertion.
Level 4 – High assurance: High confidence is required in the identity assertion.
By extension the NeAF also allows an assessment of the level of assurance associated with
authentication credentials issued by commercial providers (assuming there is a level of transparency
associated with registration and enrolment processes and credential management practices).
Noting that identity risks are a subset of an agency’s wider risk environment, application of the NeAF
principles should occur in the context of a provider’s overall risk management processes.
The Gatekeeper PKI Framework recognises that, unlike lower assurance authentication credentials
(such as username/passwords), public-key digital certificates have specific characteristics that
warrant both a policy framework for their use within Government and an accreditation program for
providers of such credentials (see www.gatekeeper.gov.au).
The requirements for obtaining Gatekeeper accreditation (including compliance with the ISM and
PSPF) apply to commercial and government providers.
ISO/IEC 29115 Entity Authentication Assurance
Draft ISO Standard 29115 Entity Authentication Assurance [13] states:
Assurance ..... refers to the confidence placed in all of the processes, management activities,
and technologies used to establish and manage the identity of an entity for use in
authentication transactions.
The Standard specifies four Levels of Assurance (LoA), where LoA is a function of the processes,
management activities, and technical controls that have been implemented by the provider:
Level 1 – Low: Little or no confidence in the claimed or asserted identity
Level 2 – Medium: Some confidence in the claimed or asserted identity
Level 3 – High: High confidence in the claimed or asserted identity
Level 4 – Very high: Very high confidence in the claimed or asserted identity
[13] Note that the standard is still at the Final Draft stage.
Given that all elements of a provider’s operations impact the level of assurance associated with a
credential, integrated service offerings such as mailboxes, data vaults and/or data management
services need to be assessed on a holistic rather than compartmental basis.
As such, consideration of a service provider’s security (physical, logical and personnel) becomes
relevant in addition to the controls that are implemented to ensure the privacy of information.
Note that the draft ISO standard links authentication to identity. While the NeAF also makes such a
link, it also explicitly recognises that authentication applies to any assertion – be it an attribute of
identity (eg date of birth) or a non-identity attribute (eg a street address).
o To more fully understand the scope of authentication services it is necessary to
consider the definition of identity and the extent to which that is both necessary and
sufficient in relation to this Assurance Framework.
Storage and processing of Australian Government information in offshore
arrangements
New ICT business models such as cloud computing coupled with the ever increasing speed and
volume of transactions - while providing significant opportunities - have highlighted additional risks
to the control of Government information in outsourced and offshore arrangements. There is
additional complexity when Government information transits multiple jurisdictions, including the
application of other jurisdictions’ laws and the use of foreign-flagged companies. These additional
complexities increase the difficulty in assessing the risk to the storing and processing of Government
information outside Australia.
In addition, foreign-owned ICT service providers operating in Australia may also be subject to other
laws such as a foreign government’s lawful access to information controlled by the service provider.
APS agencies currently make a risk-based decision on the location and hosting of government
information based on the Protective Security Policy Framework, the Information Security Manual
and the Privacy Act 1988. The Defence Signals Directorate recommends against outsourcing
information technology services and functions outside of Australia, unless agencies are dealing with
data that is all publicly available. DSD strongly encourages agencies to choose either a locally-owned
vendor or a foreign-owned vendor that is located in Australia and stores, processes and manages
sensitive data only within Australia. Current government policy, as outlined in the Cloud Computing
Strategy and supporting documents, is to not store sensitive or personal information in the public
cloud.
In the context of people being able to choose to use (as opposed to agencies procuring) commercial
data vault or authentication services, the responsibility shifts away from agencies (other than as a
relying party) to the individual concerned. In such circumstances the Assurance Framework will
specify criteria against which agencies can assess such service offerings. Such criteria must be
consistent with existing policy frameworks such as the PSPF/ISM and the cloud strategy. Agencies
will apply a risk assessment process in making decisions to rely on data or credentials known to be
stored by an individual outside Australia.
Cloud Service Provider – Security assurance
(See http://www.finance.gov.au/e-government/strategy-and-governance/cloud-computing.html)
By its very global nature, cloud services, particularly the public cloud, offer numerous potential
benefits in terms of cost benefits, efficiency and flexibility. However, it is recognised that in
transitioning government services to the cloud, a degree of agency control over the operational
environment would be removed. Certain characteristics of cloud – such as resource pooling and its
global infrastructure – differentiate its risk profile from that of traditional outsourced arrangements.
Traditional out-sourcing arrangements enable an agency to have a formal contract and service level
agreement which establishes the security, operational and governance controls necessary to provide
it with the required level of assurance or comfort.
This may not always be the case with cloud services. Cloud services therefore present new
challenges, specifically around governance, risk management, standards, security, information
management including data portability and interoperability, and service management.
These are issues that need to be considered in any arrangement for mailbox or vault providers.
Data Centre Strategy
(See http://www.finance.gov.au/e-government/infrastructure/data-centres.html)
The Australian Government Data Centre Strategy 2010-2025 enables scope for the range of
assurance options. Through the Data Centre Facilities Panel, agencies can source data centre
facilities. For the highest level of assurance, agencies can securely house their ICT assets in these
facilities. The operators of the data centre facilities available through the panel have committed to
specific security and audit measures.
Agencies must operate the ICT systems in the data centre facilities. The data centre facilities
operator will manage physical environment only. A suitably qualified external service provider might
also be able to manage the ICT services.
At the other extreme for data centre sourcing is the ‘cloud services’ contract. While the ICT service is
created using ICT systems based in a data centre, the contract is for a specific ICT service, such as
email or data vault. These data centres will usually not be on the Data Centre Panel, even though
located in Australia.
DCaaS providers may offer commercial services such as mailbox and data vaults to individual
citizens. The security and privacy standards that must be met as a result of being a DCaaS provider
may or may not be adequate to support the provision of such additional services.
Mobile Strategy
There is a global trend toward the use of mobile technology. Smartphones, tablet computers and
app stores are part of a global market worth an estimated AUD$300 billion in 2011. Australian
citizens are also increasingly using mobile services.
The Australian Government is developing a strategy to encourage agencies to exploit this trend to
increase the effectiveness of their service delivery, and to increase staff productivity. However, this
mobile technology trend is fuelled by consumers. As a consequence, privacy and security have been
designed more toward the commercial than government considerations.
As identified earlier in this paper the Assurance Framework must be technology and platform
agnostic.
Other Policies
The applicability of other government and some market based policies will be dependent on the
types of data that individuals intend to store in their “vault” or transactional information stored in
their inbox.
The nature of such information will have a clear impact on the level and type of security controls
that providers will necessarily have to implement. If providers do not limit the types of information
that can be stored then by default, security requirements will have to be set at the highest level of
assurance.
For example:
• storage of financial data is likely to require provider compliance with Payment Card
Industry (PCI) rules
o see https://www.pcisecuritystandards.org/
• storage of health data will require compliance with relevant health legislation
• storage of digital (or digitised) credentials (eg passport or licence images) will necessarily
require more stringent security arrangements as documents such as licences and
passports remain the property of the issuing Government authority.
Consideration may also need to be given to the requirements of the US Sarbanes-Oxley Act of 2002
(SOX) which ushered in a new era of business rules regarding the storage and management of
corporate financial data. SOX holds many publicly held companies and all Registered Public
Accounting Firms to a rigorous set of standards. These rules set guidelines for how data should be
stored, accessed, and retrieved.