Post on 26-Dec-2015

Identifying the Baseline

IDESG Security Committee Discussion

10/23/2014

Objectives

• Clarify what is meant by “baseline” and how this committee intends to address it…

Baseline References

• Requirements Presentation

– Requirements are a foundational component of the Identity Ecosystem Framework intended to:

    • define a baseline for participation in the Identity Ecosystem

– What is the baseline? Improving the security, privacy, usability, and interoperability of everyday online transactions

– What benefits could the everyday consumer see if this baseline was established? (e.g., reduced account compromise through increased use of multifactor authentication; greater user control through notice, consent requirements; etc.)

• The Strategy (NSTIC):

– The Strategy seeks to promote the existing marketplace, encourage new solutions where none exist, and establish a baseline of privacy, security, interoperability, and ease of use that will enable the market to flourish.

Proposed “Target of Requirements”

• Identify least “risky” type of transaction that should be “in-scope” and use this as the target of requirements development

• Baseline requirements are intended to define the proper execution of Identity Ecosystem functions that support transactions:

1. That require authentication; and

2. Where personal information is collected, transmitted, retained, processed, disclosed, and/or disposed of

Scoping Baseline Requirements

Baseline Requirements

• Are not:

– An incomplete set of requirements

– A stop gap or half measure

– A copy and paste effort

• Should be as complete as possible to achieve security for the defined target

• Even with self-attestation, IDESG recognition should reflect that a service provider is among the “best in market” at following the NSTIC Guiding Principles.

Next Steps

• With this target in mind:

– Review current requirements, supplemental guidance, and references

– Provide feedback and input

– Update draft requirements

Upcoming Milestones

• Identify recipients for requirements questionnaires (October 29th)

• Complete draft requirements (October 31st)

• Develop requirements questionnaires (November 14th)

• Distribute requirements questionnaires (November 17th)

Questions/Discussion?
