Information Assurance Standard: 2020
This standard provides specific information management controls to ensure information collected is suitable for accurate decisions to be made regarding the eligibility or capability of an Entity.
Application of this standard
Application of the controls in this standard will contribute to the reduction of identity theft, entitlement fraud, misrepresentation of abilities and the impacts that result.
This standard will replace the requirements outlined in Table 8 of the Evidence of Identity (EOI) Standard version 2.0 — Dec 2009 relating to Objective A — Identity exists.
An effective date will be provided once a successful pilot implementation of the standard has been completed.
This standard applies whenever information related to an entity is collected and stored (whether during enrolment or a subsequent transaction).
Effective information and records management ensures the creation, usability, maintenance, and sustainability of the information and records needed for business operations.
Requirements for good practice information management come from many sources including, but not limited to, the Privacy Act 1993 (currently under review) and the Public Records Act 2005.
This standard does not replace these requirements but provides requirements for identification management in the form of controls that are not explicit elsewhere.
In relation to the scope of identification management, this standard relates to the quality of ‘entity information’ as indicated in diagram 1.
Diagram 1: Relationship between elements
This diagram shows a triangle representing the connection between Entity (represented by a person) at the top of the triangle, Authenticator (represented by a key) at the bottom left, and Entity Information (represented by files of information) at the bottom right.
The connection between Entity and Entity Information is labelled Entity Binding. The connection between Entity Information and Authenticator is labelled Authenticator Registration. The connection between Authenticator and Entity is Authenticator Binding.
There is a red circle around Entity Information to indicate the scope of this content in relation to other elements.
Relationship with other Identification Management Standards
Table 1 describes each of the assurance components and the processes they relate to. A separate standard has been developed for each assurance component. This standard addresses the first of these assurance components — Information Assurance.
| Process the assurance component relates to |
|---|
| Robustness of the process to establish the quality and accuracy of Entity Information. |
| Robustness of the process to bind the Entity to Entity Information and/or Entity to Authenticator. |
| Robustness of the process to ensure an Authenticator remains solely in control of its holder. |
| Robustness of the processes undertaken to maintain the integrity, security and privacy of an authenticator or credential used in multiple contexts. |
This standard uses the term ‘Party’ to represent the role that will carry out a control, as this may vary depending on the implementation of the identification process.
Objective 1 — Information risk is understood
For entities to trust that their information is sought and used appropriately, the information assurance level should be consistent with the risk posed.
Relying parties may also need to achieve specific levels of assurance to mitigate risks and potentially to comply with legislation.
The Party MUST carry out an assessment of the information risk posed by any service before offering it.
Additional information — While any risk assessment process can be used, specific guidance is available on assessing identification risk.
Objective 2 — Information is protected
A key part of preventing identity theft is to build protections into the collection and storage of information from the beginning.
The Party MUST have a justifiable need for every piece of information it collects.
The Party MUST store only the information it requires to carry out its purpose.
Additional information — This includes considering if the full value of a piece of information is needed, or a derived value from the information. Examples of derived values include:
- Age derived from date of birth
- Adult (Yes/No) derived from whether the date of birth is more than 18 years ago
- Salary range (Yes/No) derived from whether the salary is between $50,000 and $60,000.
Where information is collected for the sole purpose of verifying required information, the Party MUST discard this information once verification is complete.
Additional information — Under this requirement, the Party may keep a record that the information was collected, and the verification process undertaken.
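As an added illustration (not part of the standard), the sketch below applies the two controls above: the Party keeps only derived values (age, adult Yes/No, salary-range Yes/No, using the thresholds from the examples) together with a record of which raw fields were collected and how they were verified, and the raw values are discarded once verification is complete. Class and function names are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Added illustration, not part of the standard: what the Party stores is
# derived values plus a record that the raw fields were collected and how
# they were verified. Names and thresholds here are assumptions except the
# 18-year and $50,000-$60,000 examples, which follow the standard's list.

@dataclass(frozen=True)
class EntityRecord:
    age: int                  # derived from date of birth
    is_adult: bool            # date of birth at least 18 years ago: Yes/No
    in_salary_range: bool     # salary between $50,000 and $60,000: Yes/No
    collected_fields: tuple   # which raw fields were collected (not their values)
    verified_against: str     # source used for verification
    verified_on: date         # when verification was completed


def years_since(dob: date, as_of: date) -> int:
    """Whole years elapsed between dob and as_of.

    Comparing (month, day) tuples means a 29 February birthday counts as
    reached on 1 March in a non-leap year, instead of raising an error.
    """
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years


def minimise(dob_iso: str, salary: int, as_of_iso: str,
             verified_against: str) -> EntityRecord:
    """Consume the raw date of birth and salary (as collected, ISO date strings)
    at verification time and return only the derived values for storage."""
    dob, as_of = date.fromisoformat(dob_iso), date.fromisoformat(as_of_iso)
    age = years_since(dob, as_of)
    return EntityRecord(
        age=age,
        is_adult=age >= 18,
        in_salary_range=50_000 <= salary <= 60_000,
        collected_fields=("date_of_birth", "salary"),
        verified_against=verified_against,
        verified_on=as_of,
    )


def holds_raw_values(record: EntityRecord) -> bool:
    """True if the stored record still carries any of the raw collected fields."""
    return any(name in vars(record) for name in record.collected_fields)
```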
The Party MUST collect enough distinctive information, related to an entity, for it to be distinguishable from another entity’s information.
Additional information — Entity information is likely to be made unique by an internal system number and by the addition of any reference identifier. However, this will be insufficient if these are not known by the claiming entity.
The lack of distinctive information will also make it difficult to identify potential fraud where 2 entities attempt to claim the same entity information.
Objective 3 — Information is accurate
The quality of the information being sought is key to its usefulness for decision making or administrative needs.
The level of assurance needed for information is established through undertaking a suitable risk assessment process.
The Party SHOULD use recommended data format standards for collection and storage of information.
The Party MUST establish the level of information assurance (IA) required for each piece of information collected.
Additional information — The outcome of the risk assessment can be used to determine the level of assurance.
The Party selects suitable sources that match the level of information assurance (IA) required for verifying each piece of information.
For level 1 — The Party MUST NOT seek assurance; the entity is the source.
For level 2 — The Party SHOULD seek assurance from a source that used a copy of an authoritative source as verification or verify against sources that may or may not have undertaken any assurance.
For level 3 — The Party SHOULD seek assurance from a source that is a copy of an authoritative source.
For level 4 — The Party SHOULD seek assurance from a source that is authoritative or a continuously synchronised copy of the authoritative source, such that they are considered equal.
The Party MUST verify each piece of information against its selected source.
The Party MUST NOT assign a level of assurance to a source whose level has not been declared.
Objective 4 — Quality of information source
The level of accuracy of information is also dependent on the trustworthiness of the source used. Whether the source is a physical document, electronic credential or database, the party needs to have some assurance that the source is genuine.
The Party establishes that the quality of the source is consistent with the level of information assurance (IA) required.
For level 1 — The Party MUST accept the entity as the source.
For level 2 — The Party MUST take the source at ‘face value’.
For level 3 — The Party MUST base quality on the source being manually identified and/or including physical security features that require proprietary knowledge to reproduce.
For level 4 — The Party MUST base quality on the source being systematically identified and accessed through a trusted communication channel.
The Party establishes that any presented credentials have not been revoked.
For level 1 and 2 — The control does not apply.
For level 3 — The Party SHOULD check for revocation of the credential with the Credential Provider or equivalent service.
For level 4 — The Party MUST check for revocation of the credential and any incidence of identity theft with the Credential Provider or equivalent service.
What compliance means
To comply with this standard, ALL the controls must be met at the level required.
Voluntary compliance by any Party wishing to follow good practice in contributing to the prevention of identity theft and fraud will be assessed against the levels indicated by undertaking a risk assessment.
Where compliance with this Standard is required through means such as contractual requirements, cabinet mandate or legislation, it will include mechanisms for assessment and certification. The Party will meet the levels determined by the risk assessment and any additional requirements specified.
If the Party is providing information assurance services to other parties, there will be additional controls applied in the Federation Assurance Standard (yet to be published).
The existing Evidence of Identity Standard contains additional guidance that may be used to supplement this standard. The content is being reviewed and updates will be published on Digital.govt.nz.