Information Assurance Standard

This Standard provides specific information management controls to ensure information collected is suitable for accurate decisions to be made regarding the eligibility or capability of an Entity.

Identification Standards are technical and intended for practitioners working in identification management.

If you’re new to this area, you can develop your skills and capability through the guidance and training options available under Identification management.

Application of this standard

This standard applies to any Relying Party (RP). The RP is accountable for the controls stated in this standard, even if they have employed or contracted aspects to other parties.

Application of the controls in this standard will contribute to the reduction of identity theft, entitlement fraud, misrepresentation of abilities and the impacts that result.

For more information on the interpretation of each control and how it can be applied, see the related implementation guide.

Implementing the Information Assurance Standard

Effective date and versions

This standard is effective from and replaces the earlier versions.

Version 3 (current version) — amendment to control IA4.01a Level 3 to remove the requirement that security features be physical.

Version 2 (effective ) — creates alternative controls for different types of evidence and establishes a separate objective to contain the counter fraud and investigation controls.

Version 1 (effective ) — first published version of the standard.

Historic versions of the Identification Standards — Department of Internal Affairs

Scope

This standard applies whenever information related to an Entity is collected and stored (whether during enrolment or a subsequent transaction).

Effective information and records management ensures the creation, usability, maintenance, and sustainability of the information and records needed for business operations.

Requirements for good practice information management come from many sources including, but not limited to, the Privacy Act 1993 (currently under review) and the Public Records Act 2005.

This standard does not replace these requirements but provides requirements for identification management in the form of controls that are not explicit elsewhere.

Requirements

Objective 1 — Information risk is understood

Rationale

For entities to trust that their information is sought and used appropriately, the information (IA) assurance level should be consistent with the risk posed.

Relying parties may also need to achieve specific levels of assurance to mitigate risks and potentially to comply with legislation.

IA1.01 Control

The RP MUST carry out an assessment of the information risk posed by any service before offering it.

Additional information — While any risk assessment process can be used, specific guidance is available on assessing identification risk.

Objective 2 — Information is protected

Rationale

A key part of preventing identity theft is to build protections into the collection and storage of information from the beginning.

IA2.01 Control

The RP MUST collect enough distinctive information, related to an entity, for it to be distinguishable from another entity’s information.

Additional information — Otherwise known as Entity information uniqueness. Entity information is likely to be made unique by an internal system number and by the addition of any reference identifier. However, this will be insufficient if these are not known by the claiming entity. The lack of distinctive information will also make it difficult to identify potential fraud where 2 entities attempt to claim the same entity information.

IA2.02 Control

The RP MUST have a justifiable need for every piece of information it collects.

IA2.03 Control

The RP MUST store only the information it requires to carry out its purpose.

Additional information — This includes considering if the full value of a piece of information is needed, a derived value from the information or a reference to some source of the information.

IA2.04 Control

Where information is collected for the sole purpose of verifying required information, the RP MUST discard this information once verification is complete.

Additional information — Under this requirement, the RP may keep a record that the information was collected, and the verification process undertaken — see IA5.02.

Objective 3 — Information is accurate

Rationale

The accuracy of the information being sought is key to its usefulness for decision making or administrative needs.

The level of assurance needed for information is established through undertaking a suitable risk assessment process.

IA3.01 Control

The RP SHOULD use recommended data format standards for the collection and storage of information.

IA3.02 Control

The RP MUST establish the level of information assurance (IA) required for each piece of information collected.

Additional information — The outcome of the risk assessment can be used to determine the level of assurance.

IA3.03 Control

The RP verifies each piece of information using evidence at the established level of information assurance (IA).

For level 1 — The RP SHOULD use the entity as the evidence.

For level 2 — The RP SHOULD select evidence that has at least referenced a copy of an authoritative source as part of their creation.

For level 3 — The RP MUST select evidence that is a copy of an authoritative source, at a minimum.

For level 4 — The RP MUST select evidence that is an authoritative source or has a continuously synchronised link to an authoritative source, such that they are considered equal.

IA3.04 Control

The RP MUST NOT assign a level of assurance to evidence whose level has not been declared.

Objective 4 — Quality of evidence

Rationale

The level of accuracy of information is also dependent on the trustworthiness of the evidence used. Whether the evidence

  1. a credential (physical document, electronic), database or
  2. a statement made by the subject or a trusted 3rd party

IA4.01a Control

The RP establishes the quality of the credential or database evidence is consistent with the level of information assurance (IA) required.

For level 1 and 2 — The RP MUST take the evidence at ‘face value’.

For level 3 — The RP MUST base quality on the evidence being manually identified and/or include security features that require proprietary knowledge to be able to reproduce it.

For level 4 — The RP MUST base quality on the evidence being systematically identified and accessed through a trusted communication channel.

IA4.01b Control

The RP establishes the quality of the subject or 3rd party statement is consistent with the level of information assurance (IA) required.

For level 1 – The RP MUST take the statement at ‘face value’.

For level 2 – The RP MUST ensure the statement maker is aware of the importance of the information being correct.

For level 3 – The RP MUST base the quality of the statement on a declaration or statutory declaration carrying some penalties.

For level 4 – The RP MUST base the quality of the statement on a declaration or statutory declaration associated to severe penalties.

IA4.02a Control

The RP establishes if any credential or database evidence has a registered status (such as suspended or revoked), that makes it unusable.

For level 1 and 2 — The control does not apply.

For level 3 — The RP SHOULD check for registered statuses with evidence issuers or equivalent service providers.

For level 4 — The RP MUST check for registered statuses with evidence issuers or equivalent service providers.

IA4.02b Control

The RP establishes if any subject or 3rd party statement has a contradiction, that makes it unusable.

For level 1 and 2 – The control does not apply.

For level 3 – The RP SHOULD check for contradictory statements.

For level 4 – The RP MUST check for contradictory statements.

Objective 5 – Verification integrity is maintained

Rationale

There are other processes not directly related to the accuracy of information or quality of evidence that can be used to support and augment the process to provide additional confidence that the information is true.

An important element of trust in any identification process is the ability for an Entity or Relying Party to question a process or presentation.

IA5.01 Control

The RP applies counter-fraud techniques, where possible.

For level 1 and 2 – The control does not apply.

For level 3 – The RP SHOULD apply counter-fraud techniques.

For level 4 – The RP MUST apply counter-fraud techniques.

Additional information – More information is available in the guide Counter fraud techniques.

Counter fraud techniques

IA5.02 Control

The RP MUST store appropriate detail about the information verification and evidence to enable queries or investigation in the future.

Contact

Government Digital Delivery Agency (GDDA)
Email: idmstandards@gdda.govt.nz.

Utility links and page information

Was this page helpful?
Thanks, do you want to tell us more?

Do not enter personal information. All fields are optional.

Last updated