UNCLASSIFIED

COMMERCIAL SERVICE PROVIDER ASSURANCE FRAMEWORK

Final Draft September 2012


EXECUTIVE SUMMARY

There is an emerging commercial provider market for a range of on-line services such as personal data vaults, digital mailboxes, data verification and authentication services. These services have been developed and marketed in what amounts to a caveat emptor (buyer beware) market.

This Assurance Framework therefore provides:

• guidance for agencies to determine the Level of Assurance required to be demonstrated by Providers (Section 4); and

• the criteria to be satisfied by Providers to deliver the required Level of Assurance (Section 3).

The underlying premise of the Framework is that, based on an understanding of Provider assurance levels, individuals will be able to choose to utilise services offered by commercial service providers in order to access online government services. Equally, individuals should not be forced to hold multiple credentials to access the range of required government services.

In the longer term, the government is exploring the viability of an Australia-wide/overarching National Trusted Identities Framework (NTIF). The Assurance Framework identifies potential additional streams of work that will need to be completed within an NTIF context. By applying consistent standards for all participants in this market, an NTIF could allow a digital identity that is trusted by one participant (such as a bank) to be trusted by another (such as a government agency).

Development of the Assurance Framework is underpinned by existing Australian Government security frameworks and informed by existing national identity management policy frameworks.

The value of an individual’s personal information must be recognised by Providers and reflected in the development of privacy and risk based security controls that meet agency requirements. The Assurance Framework addresses each of these concerns.

Consistent with Australian and international government policies, the Framework establishes four Assurance levels for the provision of broadly defined data management and authentication services by commercial providers. For each level of assurance the Framework specifies performance outcomes and standards to be achieved by Providers. As appropriate, and particularly for higher assurance services, the Framework specifies particular conformity assessment requirements that must be met. The Framework also flags the potential application of commercial security standards such as the Payment Card Industry Data Security Standard (PCI-DSS) in circumstances where Providers support storage of such information.

The Framework is also cognizant of other related policy initiatives within government, in particular cloud computing and data centre policies and emerging policy in relation to storage and processing of government information. Although not specifically concerned with the provision of identity management services, the principles and strategies inherent in these policies and programs provide valuable input in terms of implementation of the Assurance Framework.


1. Introduction

Individuals and organisations are increasingly required to “prove who they are” by providing personal and confidential information to multiple organisations to obtain desired services or products. This is in addition to the large volume of personal information that is shared by individuals through social media sites. The outcome is that personal information is transmitted, stored and shared/sold across the globe, often without the knowledge or consent of the “owner” or subject of that information.

However, the rapid rate of technological change and commercialisation in using personal data has the very real potential to undermine end user confidence and trust. Concerns about the misuse of personal data, and lack of adequate security standards by government and business continue to grow. Fundamental questions about privacy, property, global governance, human rights – essentially around who should benefit from the products and services built upon personal data – are major uncertainties. (World Economic Forum 2010 Personal Data: The Emergence of a New Asset Class. See http://www.weforum.org/reports/personal-data-emergence-new-asset-class).

There is no cohesive, nationally recognised framework for managing or coordinating individual digital identities in Australia. While Government has traditionally played a central role there is evidence that the market has matured to the point where commercial providers are offering identity related solutions, for example:

• digital mailbox providers (such as Australia Post and Digital Post Australia) which will enable people to receive correspondence from participating organisations in a single in-box;

• personal identity management (or authentication) providers who provide people with credentials (eg a user name and password) to enable access to a variety of services;

• online verification services (such as GreenID), which enable people to verify their identity online; and

• personal data management or data vault services, which enable people to store and retrieve their personal data electronically, including personal records like birth certificates.

This Framework is an initial, practical response to the need identified in the Reliance Framework to develop an Assurance Framework that will facilitate the exchange of people’s personal data with commercial operators of authentication, secure mail or data management (data vault) services.

Development of the Assurance Framework is:

• underpinned by existing Australian Government security frameworks – the Protective Security Policy Framework (PSPF) and the Australian Government Information Security Manual (ISM) as well as current and planned privacy legislation; and

• informed by existing policy frameworks such as the National e-Authentication Framework, the Gatekeeper Public Key Infrastructure (PKI) Framework, the National Identity Security Strategy and activities currently underway in relation to matters such as data sovereignty, cloud computing and Data-Centres-as-a-Service (DCaaS).

The government is exploring the viability of an Australia-wide/overarching National Trusted Identities Framework (NTIF). This Framework will help to inform the viability study of an NTIF. If implemented, an NTIF would create an Australia-wide framework which would support the development of an innovative and competitive private-sector led identity market — allowing better and easier links between citizens, organisations, businesses and governments.

Definitions

Digital Mailbox

A digital mailbox is effectively a third-party email address that individuals can use to receive electronic communications (eg from businesses and government). Mailboxes may have additional storage capacity where individuals can choose to store important information – these are often referred to as data vaults.

Data Vault

A data vault is a third-party secure storage capability that individuals can use to store sensitive information. It is often, but not always associated with a digital mailbox.

Data Verification


Data verification is a process wherein data is checked for accuracy and authenticity. In the context of this Assurance Framework it means verifying with an authoritative source that personal information (eg name, date of birth) submitted by an individual is correct.

Identity Provider

The Organization for the Advancement of Structured Information Standards (OASIS) defines an Identity Provider (IdP) as “A kind of provider that creates, maintains, and manages identity information for principals and provides principal authentication to other service providers within a federation, such as with web browser profiles.” (see https://www.oasis-open.org/org)

2. Purpose and Principles

The purpose of the Assurance Framework is to guide commercial service providers (Providers) and government agencies on the various policies and standards that apply, within a risk management context, to the provision of digital mailbox, data management and authentication services to Government. The Framework identifies those policies and standards with which compliance is mandatory as well as mechanisms for demonstrating such compliance.

The Framework provides:

• guidance for agencies to determine the Level of Assurance required to be demonstrated by Providers; and

• the criteria to be satisfied by Providers to deliver the required Level of Assurance.

This Assurance Framework has regard to:

• technical and performance standards, with the objective that people can choose Providers who are able to demonstrate compliance with such standards in order to access Government services;

• the need to demonstrate compliance with privacy legislation and maintain risk-managed levels of security in relation to people’s personal data;

• advice concerning procurement options with reference to the Commonwealth Procurement Rules and liability policy; and

• the need for any advice to consumers in relation to Provider service offerings.

The Framework establishes the following core principles:

• Agencies will specify their requirements in relation to data integrity, security and identity assurance levels;

• People will eventually be able to choose from a range of Providers in order to access a suite of Government services;

• Providers will adopt robust risk management approaches that consider risks of aggregated personal information to deliver the levels of privacy and security required by agencies in relation to people’s personal data;

• Agencies may:

  o choose to engage directly with Providers for the delivery of specific services, in which case accountability for the performance of the service or function and responsibility for outcomes remains with the agency;

  o act as a relying party, in which case accountability for the performance of the service or function and responsibility for outcomes remains with the Provider.

3. Compliance Checklist

Data Vault/Mailbox Requirements

Levels of Assurance – Data Management Services (data vaults, mailboxes etc)

Level 1 – Minimal assurance: Minimal confidence in the services provided
Level 2 – Low assurance: Low confidence in the services provided
Level 3 – Moderate assurance: Moderate confidence in the services provided
Level 4 – High assurance: High confidence in the services provided

Important: Achieving LoA 4 assurance requires completion of the requirements for LoA 1 – LoA 3.

Where the Provider supports storage of digital copies of government issued credentials (eg passports or motor vehicle licences) these credentials remain the property of the issuing agency.

Where the Provider supports storage of financial data such as credit card details, compliance with the Payment Card Industry Data Security Standard (PCI-DSS) will apply (see https://www.pcisecuritystandards.org).

Where a Provider utilises secure data storage services from a third party the security and privacy controls must clearly identify the respective roles and responsibilities of both the Provider and third party.

Note

Providers must specify the physical location of data centres used to store personal information. Where a Provider utilises services outside Australia to store, backup, process, transmit, manage or otherwise support its Australian operations these must be clearly identified and included in the Provider’s security and privacy documentation. Agencies will apply a risk assessment process in making decisions to rely on data or credentials known to be stored by an individual outside Australia.

Requirements – Data Vault/Mailbox (by Level of Assurance)

Organisation Services
  LoA 1: Fully operational legal entity compliant with all relevant legal requirements including agency specific legislation and policies (self assessed).
  LoA 2: Published Liability Policy. Financial situation sufficient for liability exposure (self assessed).
  LoA 3: Annual service management audit (external) – see ASAE 3402: Assurance Reports on Controls at a Service Organisation. Audit records maintained for 36 months.
  LoA 4: Financial situation sufficient for liability exposure (independent assessment by a qualified accountant who is a member of a professional accounting body).

Privacy
  • Independent Privacy Impact Assessment (PIA) – see http://www.oaic.gov.au/publications/guidelines/Privacy_Impact_Assessment_Guide.html for further information.
  • Demonstrated compliance with all National Privacy Principles (NPPs), the Information Privacy Principles (IPPs) as applicable and all Australian Privacy Principles (APPs) should the 2012 Amendment Bill become law.
  • Destroy an individual’s stored data within a reasonable time of the person terminating their relationship with the Provider.
  • Provide a means for subscribers to securely amend their stored information.

Information Security Management System (requires specification of relevant technical and security standards)
  LoA 1:
  • Documented Security Risk Management Plan (SRMP) including DSD Mitigation Strategies (see http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm).
  • Appropriate operator access controls and data protection mechanisms (at rest and in motion) are implemented.
  LoA 2:
  • Defined managerial responsibility for all security policies.
  • ISMS complies with ISO/IEC 27001 (self assessment).
  • Documented incident management plan addressing in particular security and privacy breach management.
  • Effective personnel security controls are in place.
  LoA 3:
  • An independent protective security risk review (PSRR) is performed at least annually by an IRAP assessor.
  LoA 4:
  • DR plan tested and reviewed annually.
  • ISMS has been certified by a JAS-ANZ accredited certification body to ISO/IEC 27001 and is subject to annual audit – see http://www.jas-anz.com.au/ for further information.


Information Security Management System (continued)
  • Adequate Physical Security controls are in place to protect premises and information resources.
  • 2 yearly security audit by an IRAP assessor to ensure documented security controls are being effectively implemented and remain adequate for the services provided.
  • A secure log of all relevant security events is maintained.
  • Shared secrets appropriately secured (physical and logical).

Storage and transmission of personal information
  • Use an encryption product that implements a DACA as per ISM requirements.
  • Where practical, cryptographic products must provide a means of data recovery.
  • Use an encryption product that implements a DACP to communicate sensitive personal information over public network infrastructure – see http://www.dsd.gov.au/infosec/ism/index.htm for further information.¹
  • Use an Evaluation Assurance Level (EAL) 2 electronic encryption product from DSD’s Evaluated Products List (EPL) that has completed a DCE – see http://www.dsd.gov.au/infosec/ism/index.htm for further information.
  • Data centres used to store personal information must be located in Australia.

¹ Providers should note that the use of encryption may introduce challenges to meet data availability requirements.

Physical security
  • Demonstrate an appropriate physical security environment for the protection of business assets and processes.
  • Documented Physical Security Policy as part of overall SRMP.
  • Compliance with the PSPF Physical Security Protocol at http://www.protectivesecurity.gov.au/physicalsecurity/Pages/Protocol.aspx
  • Physical security arrangements certified by a Gatekeeper Authorised Physical Security Evaluator – see http://www.finance.gov.au/e-government/security-and-authentication/gatekeeper/physical-security-evaluation-panel.html

Personnel Security
  • Compliance with PERSEC 1 in the PSPF (self assessment).
  • Documented Personnel Security Management Plan including: verification of qualifications, police records check, referee checks, identity verification.
  • Vetting of personnel and contractors in Positions of Trust in accordance with AS4811-2006: Employment Screening, including appropriate personnel security aftercare arrangements.

PCI-DSS requirements for the storage of payment card data
  LoA 1: Not allowed
  LoA 2: Not allowed
  LoA 3 and above: Completion of Attestation of Compliance with the Payment Card Industry Data Security Standard (PCI DSS) by a Qualified Security Assessor (QSA).


Authentication Requirements

National e-Authentication Framework (NeAF) Levels of Assurance – Identity/Attributes

Level 1 – Minimal assurance: Minimal confidence in the identity assertion / credential.
Level 2 – Low assurance: Low confidence in the identity assertion / credential.
Level 3 – Moderate assurance: Moderate confidence in the identity assertion / credential.
Level 4 – High assurance: High confidence in the identity assertion / credential.

Important: Achieving LoA 4 assurance requires completion of the requirements for LoA 1 – LoA 3.

Note

Given the sensitivity of the personal information collected and stored, Providers of authentication services at LOA 2 and above must satisfy the security and privacy requirements for mailbox/data vault Providers (above) to a minimum of LOA 3.

Requirements – Authentication (by Level of Assurance)

Identity Proofing (Providers to demonstrate completion of NeAF assessment [reflected in Identity and Credential Policies] and implementation of provisions of ISO/IEC 29115)
  LoA 1:
  • Ensure that each applicant’s identity record is unique within the service’s community of subjects and uniquely associable with tokens and/or credentials issued to that identity.
  • Accept a self-assertion of identity.
  • Accept self-attestation of evidence.
  • Accept pseudonyms – self asserted, socially validated.
  LoA 2:
  • Perform all identity proofing strictly in accordance with its published Identity Proofing Policy.
  • Applicant provides name, DOB, address, email/phone (to be verified with issuing institutions as appropriate).
  • Maintain appropriate Identity Verification Records in accordance with the Archives Act.
  • Optional ID Proofing: Known Customer; 3rd party verification (authorised referee).
  LoA 3:
  • Electronic verification where possible (DVS² or other authorised data verification service provider – see below) of documents with the specified issuing authority to corroborate date of birth, current address of record, and other personal information.
  • The Primary document must be a Government issued credential with a biometric.
  • Optional ID proofing: GSEF processes may be considered on a risk basis (see Gatekeeper EOI Policy and AS4860—2007 Knowledge-based identity authentication—Recognizing Known Customers).
  LoA 4:
  • Only face-to-face identity proofing.
  • GSEF processes apply.
  • Applicant presents: secondary Government Picture ID (not the same as the primary document) or credential issued by a regulated financial institution, OR two items confirming name, and address or email address, such as: utility bill, professional license or membership, or other evidence of equivalent standing (see Gatekeeper EOI Policy).
  • All presented credentials and information are where possible electronically verified with relevant issuing authority.

Credentials
  LoA 1: Account for the following system threats and apply appropriate controls:
  • the introduction of malicious code;
  • compromised authentication arising from insider action;
  • out-of-band attacks by other users and system operators (e.g., the ubiquitous shoulder-surfing);
  LoA 2:
  • Published Credential Policy and Practices Statement approved by internal Policy Management Authority.
  • Strong passwords as per ISM.
  LoA 3:
  • Cryptographic technology deployed through a Public Key Infrastructure – “soft” certificates.
  • Non-PKI multi-factor authentication protocols required.
  LoA 4:
  • Cryptographic technology deployed through a Public Key Infrastructure deployed on hardware tokens protected by password or biometric controls.

² Private sector access to the DVS has yet to be finalised.

Credential Management
  LoA 1:
  • User choice of UserID that is verified to be unique within the service’s community of subjects and bound to a single identity record.
  • Permit users to change their PINs/passwords.
  LoA 2:
  • Documented Credential Management Policies and Practices as part of KMP and consistent with Privacy Policy and Security Risk Management Plan.
  LoA 3:
  • Full Gatekeeper accreditation.
  LoA 4:
  • Gatekeeper High Assurance accreditation.
  • Specifications for hardware tokens from EPL.

Revocation
  • User may submit a request for revocation to the Credential Issuer.
  • Issuer to implement appropriate security and verification processes.

Data Verification Service Requirements

Data verification services (these services apply only at authentication assurance LoA 3 and above)
  • Independent Privacy Impact Assessment completed.
  • Published Privacy Policy.
  • Demonstrated compliance with all National Privacy Principles (NPPs), the Information Privacy Principles (IPPs) as applicable and all Australian Privacy Principles (APPs) should the 2012 Amendment Bill become law.
  • Appropriate contractual arrangements established with issuing authorities.
  • If personal information is retained, satisfy the requirements for mailbox/data vault providers at LoA 3.

4. Assurance Framework

In accordance with the Protective Security Policy Framework, when an agency contracts services to a third party, accountability for the performance of the service or function and responsibility for outcomes remains with the agency requesting the service. This agency responsibility includes the management of risks to any assets (personnel, physical or information) the agency entrusts to the Provider. Assets need to be considered individually and in aggregate.

In the case of the Assurance Framework these assets may include:

o government issued documents or credentials

o sensitive personal information

o sensitive correspondence to and from agencies

In addition Providers may also support storage of other information including:

o financial information eg credit card details

o routine transactions with non-government service providers such as utilities and telecommunications companies.

Agencies should therefore establish service level agreements with Providers that, at a minimum, specify assurance requirements as set out in Section 3. Such agreements should clearly specify the nature of the services to be provided and the compliance requirements that must be demonstrated for the particular service offering.

The nature and extent of data storage supported by the Provider will provide a necessary input into an agency’s risk assessment. This is because the quantity and sensitivity of stored information will increase the attractiveness of the service as a target for cyber-criminals, and therefore the potential for compromise to agency operations.

Risk Management

Agencies must undertake a protective security risk assessment to determine the required level of assurance that Providers must demonstrate in order for the agency to rely on the services offered.

The PSPF states:

“Agencies must adopt a risk management approach to cover all areas of protective security activity across their organisation, in accordance with the Australian Standard for Risk Management AS/NZS ISO 31000:2009 and the Australian Standards HB 167:2006 Security risk management.” (see http://www.protectivesecurity.gov.au/pspf/Documents/Protective%20Security%20Policy%20Framework.pdf)

Implementation of this Assurance Framework will require:

• Agencies intending to rely on services provided by commercial operators to undertake a thorough risk assessment (as per the PSPF) to determine the level of assurance required to be demonstrated by Providers.

  o The outcome of the risk assessment, including all protective security measures and resultant residual risks, must be signed-off by the agency head.

Note that some services, such as the ability of individuals to store personal information and copies of documents, may not be directly applicable to an agency’s engagement with a Provider.

For example an individual may choose to store a digital copy of their Passport in their mailbox. The fact that the individual has a copy of their passport stored in the mailbox may have no bearing on their interaction with a given agency. However, the fact that the Passport remains the property of the issuing agency will have implications for the security controls implemented by the Provider.

The risk assessment should focus on the possible threats to the agency arising from its reliance on the services offered by the Provider, and should consider:

Mailbox/vault services

• the potential type and quantity of information that an individual may choose to store in their vault (eg electronic copies of personal documents, digital credentials, answers to shared secrets etc) as well as the aggregate volume of such data holdings

Authentication services

• the type and volume of personal information/documentation that is collected and stored in order to issue an authentication credential (individual and aggregate), whether such data is verified and if so whether the verification outcomes are also stored.

Data verification services

• the type and volume of personal information/documentation that is collected and stored

The risk assessment should include:

(i) a protective security risk review

GOV-6: Agencies must adopt a risk management approach to cover all areas of protective security activity across their organisation, in accordance with the Australian Standard for Risk Management AS/NZS ISO 31000:2009 and the Australian Standards HB 167:2006 Security risk management. See http://www.protectivesecurity.gov.au/informationsecurity/Documents/information%20security%20management%20protocol.pdf

(ii) a National e-Authentication Framework (NeAF) assessment as appropriate.

The NeAF provides agencies with a methodology to undertake identity-risk assessments and thereby determine the level of authentication assurance required for a particular online transaction (or set of similar transactions). See http://www.finance.gov.au/e-government/security-and-authentication/authentication-framework.html.

The Australian Government Business Impact Levels (BILs)³ form a part of the PSPF. They provide agencies with a common set of rules that leads to a consistent approach to assessing business impact from an Australian Government perspective. BILs will vary greatly between agencies, based on their functions and size. BILs in themselves do not measure the size of the risk associated with the information.

Security Risk Management

Risk can be identified and analysed in terms of:

• What could happen? How could resources and activities central to the operation of an agency be affected?

³ http://www.ag.gov.au/Documents/Australian%20Government%20protective%20security%20governance%20management%20guidelines%20-%20Australian%20Government%20Business%20impact%20levels.pdf. See Annex 6 (Background Material) for details.

• How would it happen? What weaknesses could be exploited to make this happen? What security controls are already in place? Are they adequate?

• How likely is it to happen? Is there opportunity and intent? How frequent is it likely to be?

• What would the consequence be?

• What possible effect could it have on an agency’s operations, services or credibility?

Risk Assessment Framework

A sample security risk assessment framework for considering Provider mailbox/data vault services may look like the following:

Likelihood | Description
Almost Certain | An attempt will inevitably be made to effect the threat
Likely | Will probably occur in most circumstances
Possible | Might not occur, but on balance more likely to occur at some time
Unlikely | Not generally expected to occur at some time
Rare | May occur only in exceptional circumstances

Figure 1: Threat likelihood ratings

1 (LOW): Could be expected to cause harm to government agency operations, commercial entities or members of the public
2 (MEDIUM): Could be expected to cause limited damage to national security, government agency operations, commercial entities or members of the public
3 (HIGH): Could be expected to damage government agency operations, commercial entities or members of the public
4 (VERY HIGH): Could be expected to damage national security
5 (EXTREME): Could be expected to seriously damage national security
6 (CATASTROPHIC): Could be expected to cause exceptionally grave damage to national security

Figure 2: Summary PSPF Business Impact Levels⁴

Business impact | Rare | Unlikely | Possible | Likely | Almost Certain
Catastrophic | Moderate | Moderate | High | High | High
Extreme | Moderate | Moderate | Moderate | High | High
Very High | Low | Low | Low | Moderate | Moderate
High | Minimal | Minimal | Minimal | Low | Low
Medium | Minimal | Minimal | Minimal | Low | Low
Low | Nil | Nil | Nil | Nil | Nil

Figure 3: Sample Risk Ratings

⁴ Further detail is available at http://www.protectivesecurity.gov.au/governance/Documents/Business%20impact%20levels.pdf

Note: An alternative approach is set out in ISO/IEC 31000:2009 Risk Management Principles and Guidelines.

The outcome of this risk assessment can be broadly mapped to assurance requirements for mailbox/data vault Providers in Section 3:

In very general terms:

• High residual risk would warrant LoA 4

• Moderate risk would warrant LoA 3

• Low risk would warrant LoA 2

• Minimal risk would warrant LoA 1

NeAF Assessment

The second of the risk assessments that agencies may need to undertake relates to the provision of authentication services. The NeAF assessment will determine the Level of Assurance required for any authentication credentials issued by Providers that will be relied on by agencies to access services.

A NeAF assessment involves the following broad steps to determine assurance level requirements. The first step involves a comprehensive and multi-dimensional assessment of the type and severity of identity-related threats and risks for a transaction (or transaction set). A sample of the type of threats and risks is set out below (further detail is available at http://www.finance.gov.au/e-government/security-and-authentication/authentication-framework.html).

NeAF Illustrative consequences and severity

Consequence | Insignificant | Minor | Moderate | Major | Severe
Risk to any party’s personal safety | No risk | No risk | No risk | Any risk to personal safety | Threaten life directly
Release of personally or commercially sensitive data to third parties without consent | No impact | Would have little impact | Measurable impact, breach of regulations or commitment to confidentiality | Release of information would have significant impact | Would have severe consequences to a person, agency or business
Financial loss to any client of the service provider or other third party | No loss | Minimal | Minor | Significant | Substantial
Financial loss to Agency / service provider | No loss | Minimal (< 2% of monthly agency budget) | Minor (2% to < 5% of monthly agency budget) | Significant (5% to < 10% of monthly agency budget) | Substantial (≥ 10% of monthly agency budget)
Impact on government finances or economic and commercial interests | No impact | No impact | Cause financial loss or loss of earning potential | Work significantly against | Substantial damage
Damage to any party’s standing or reputation | No damage | No damage | Minor: short-term damage | Limited long-term damage | Substantial long-term damage

The second step involves mapping the likelihood of these occurring in order to determine overall risk levels and from there the required assurance level can be determined.

NeAF Indicative assurance level requirements based upon likelihood and consequences

Likelihood        Insignificant  Minor    Moderate  Major     Severe
Almost certain    Nil            Low      Moderate  High      High
Likely            Nil            Low      Moderate  High      High
Possible          Nil            Minimal  Low       Moderate  High
Unlikely          Nil            Minimal  Low       Moderate  Moderate
Rare              Nil            Minimal  Low       Moderate  Moderate

Note: The threats and likelihood ratings above and those in the NeAF documents are indicative only and agencies must apply the principles set out in the NeAF in the context of their own business and risk environment.

The outcomes of this NeAF assessment may be seen to broadly translate to the assurance levels required to be demonstrated by Providers as set out in Section 3:

In very general terms:

 High residual risk would warrant LoA 4

 Moderate risk would warrant LoA 3

 Low risk would warrant LoA 2

 Minimal risk would warrant LoA 1
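The two steps above (rate the severity of each consequence category, then read the likelihood/consequence matrix and translate the risk level into a LoA) are shown below as a worked example in Python. This is an added illustration, not a tool from the Framework or from NeAF. Two choices in it are assumptions of the example rather than statements of the Framework: the worst-rated consequence category drives the result, and a "Nil" risk level yields no LoA requirement. The sample ratings for the "digital mailbox" transaction are constructed.

```python
"""Worked NeAF-style assessment for one transaction.

Added example, not part of the Framework. Step 1 rates each illustrative
consequence category; step 2 reads the indicative likelihood/consequence
matrix and maps the resulting risk level to a Level of Assurance (LoA) using
the "in very general terms" mapping. Two choices here are assumptions of this
example, not statements of the Framework: the worst-rated category drives the
result, and a "Nil" risk level yields no LoA requirement (returned as None).
"""
from enum import IntEnum
from typing import Dict, Optional, Tuple


class Severity(IntEnum):
    """Consequence severity columns of the NeAF table, in increasing order."""
    INSIGNIFICANT = 0
    MINOR = 1
    MODERATE = 2
    MAJOR = 3
    SEVERE = 4


# Indicative NeAF matrix as printed in the Framework: one row per likelihood,
# columns ordered Insignificant, Minor, Moderate, Major, Severe.
RISK_MATRIX: Dict[str, Tuple[str, ...]] = {
    "almost certain": ("Nil", "Low", "Moderate", "High", "High"),
    "likely":         ("Nil", "Low", "Moderate", "High", "High"),
    "possible":       ("Nil", "Minimal", "Low", "Moderate", "High"),
    "unlikely":       ("Nil", "Minimal", "Low", "Moderate", "Moderate"),
    "rare":           ("Nil", "Minimal", "Low", "Moderate", "Moderate"),
}

# "In very general terms": Minimal -> LoA 1 ... High -> LoA 4. "Nil" is not
# mapped by the Framework, so it is deliberately absent here.
LOA_BY_RISK: Dict[str, int] = {"Minimal": 1, "Low": 2, "Moderate": 3, "High": 4}


def risk_level(likelihood: str, severity: Severity) -> str:
    """Look up the indicative risk level for one likelihood/severity pair."""
    key = likelihood.strip().lower()
    if key not in RISK_MATRIX:
        raise ValueError(f"unknown likelihood rating: {likelihood!r}")
    return RISK_MATRIX[key][int(severity)]


def assess(consequences: Dict[str, Severity], likelihood: str) -> Tuple[str, str, Optional[int]]:
    """Return (driving category, risk level, required LoA or None).

    `consequences` maps each consequence category being considered to the
    severity the agency has rated it at. The worst-rated category drives the
    outcome (an assumption of this example; the Framework does not say how
    categories are combined).
    """
    if not consequences:
        raise ValueError("at least one consequence category must be rated")
    driving = max(consequences, key=lambda cat: consequences[cat])
    level = risk_level(likelihood, consequences[driving])
    return driving, level, LOA_BY_RISK.get(level)


# Constructed ratings for an illustrative "digital mailbox delivering benefit
# notices" transaction; the values are made up for this example.
SAMPLE_RATINGS: Dict[str, Severity] = {
    "personal safety": Severity.INSIGNIFICANT,
    "release of sensitive data without consent": Severity.MAJOR,
    "financial loss to client": Severity.MINOR,
    "financial loss to agency": Severity.MINOR,
    "government finances / economic interests": Severity.INSIGNIFICANT,
    "standing or reputation": Severity.MODERATE,
}

if __name__ == "__main__":
    cat, level, loa = assess(SAMPLE_RATINGS, "possible")
    print(f"driven by: {cat}; risk: {level}; LoA: {loa}")
```

With the constructed ratings and a likelihood of "possible", the unconsented release of sensitive data (Major) drives the outcome to a Moderate risk and therefore LoA 3; raising the likelihood to "likely" moves the same transaction to High and LoA 4, which is the kind of sensitivity an agency should see before fixing a requirement on Providers.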

Commercial Providers

Privacy

The Privacy Act 1988 (Cth) (Privacy Act) applies to government and private sector entities that handle personal information as part of their participation in this Assurance Framework. The new Australian Privacy Principles (APPs) will apply after the commencement of the amendments in the Privacy Amendment (Enhancing Privacy Protection) Bill 2012.

Providers must demonstrate their compliance with the National Privacy Principles (NPPs) and, as applicable, the Information Privacy Principles (IPPs) in the Privacy Act (see http://www.privacy.gov.au/materials/types/infosheets/view/6583).

When entering a Commonwealth contract, section 95B of the Privacy Act requires an agency to take contractual measures to ensure that a ‘contracted service provider’ (CSP) for the contract does not do an act, or engage in a practice, that would breach an Information Privacy Principle (IPP) if done by the agency.

Termination of Services

NPP 4.2 states – ‘An organisation must take reasonable steps to destroy or permanently deidentify personal information if it is no longer needed for any purpose for which the information may be used or disclosed...’

Similarly, APP 11.2 states:

If:

(a) an APP entity holds personal information about an individual; and

(b) the entity no longer needs the information for any purpose for which the information may be used or disclosed by the entity under this Schedule; and

(c) the information is not contained in a Commonwealth record; and

(d) the entity is not required by or under an Australian law, or a court/tribunal order, to retain the information;

the entity must take such steps as are reasonable in the circumstances to destroy the information or to ensure that the information is de-identified.

Cross border disclosure

APP 8 states:

Before an APP entity discloses personal information about an individual to a person (the overseas recipient):

(a) who is not in Australia or an external Territory; and

(b) who is not the entity or the individual;

the entity must take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the Australian Privacy Principles (other than Australian Privacy Principle 1) in relation to the information.

Exceptions to this requirement include where an individual is informed and consents to the transfer of the data.

Where an agency enters into a contract with a Provider that may send personal information offshore, the agency must ensure that the Provider complies with APP 8.

Anonymity and pseudonymity

The Privacy Act and the Amendment Bill require that individuals be given the opportunity to not identify themselves when entering into transactions. Specifically, National Privacy Principle (NPP) 8 states:

Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation.

Similarly, Australian Privacy Principle (APP) 2.1 states:

Individuals must have the option of not identifying themselves, or of using a pseudonym, when dealing with an APP entity in relation to a particular matter.

APP 2.1 does not apply if the individual is required by law to identify themselves or if it is impracticable to deal with an individual who has not identified themselves.

Mailbox/data vault Providers should consider offering individuals the option to use their services anonymously or under a pseudonym where practicable.

Security

The provisions of the Australian Government Protective Security Policy Framework (PSPF) and the Australian Government Information Security Manual (ISM) establish the over-arching requirements to be satisfied by Providers under this Framework.

Security is a combination of physical, logical (ICT) and personnel security measures designed and implemented to provide “defence in depth” appropriate to the perceived threats/risks to the assets being secured.

Physical Security

Providers must layer physical Zones working in from public access areas and increasing the level of protection with each new Zone. Multiple layers will give Providers a greater delay to allow response to any unauthorised entry. Such layering will give the Provider greater time to respond before unauthorised access to the inner-most Zone (where the most sensitive information is stored).

Further information is available at http://www.protectivesecurity.gov.au/physicalsecurity/Pages/Supporting-Guidelines.aspx

Information Security

Providers must establish information security controls to ensure (to an acceptable level of residual risk) the confidentiality, integrity and/or availability of information.

Providers SHOULD, as part of the development and implementation of their Security Risk Management Plan (SRMP), consider the Top 4 Strategies to Mitigate Targeted Cyber Intrusions5 produced by the Defence Signals Directorate (DSD):

 Patch applications e.g. PDF viewer, Flash Player, Microsoft Office and Java. Patch or mitigate within two days for high risk vulnerabilities. Use the latest version of applications.

 Patch operating system vulnerabilities. Patch or mitigate within two days for high risk vulnerabilities. Use the latest operating system version.

5 Further information on DSD Mitigation Strategies is available at http://www.dsd.gov.au/publications/Top_35_Mitigations.pdf

 Minimise the number of users with domain or local administrative privileges. Such users should use a separate unprivileged account for email and web browsing.

 Application whitelisting to help prevent malicious software and other unapproved programs from running e.g. by using Microsoft Software Restriction Policies or AppLocker
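The two-day window in the first two strategies is easy to state and easy to drift from, so a Provider's SRMP needs a way to measure it. The following Python check is an added example, not from the Framework or DSD: run over a constructed list of vulnerability records, it lists the high-risk items that were not patched or mitigated within two days of publication, counting still-open items against a chosen reporting date. The record references, product names and dates are placeholders.

```python
"""Two-day patching window check (added example, not from the Framework or DSD).

Checks a list of vulnerability records against the "patch or mitigate within
two days for high risk vulnerabilities" strategy. References, products and
dates below are constructed placeholders, not real advisories.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

HIGH_RISK_WINDOW = timedelta(days=2)  # "within two days" for high-risk items


@dataclass(frozen=True)
class VulnRecord:
    ref: str                          # placeholder reference, not a real CVE id
    product: str                      # affected application or OS component
    risk: str                         # "high" or "other", per the vendor/DSD rating
    published: date                   # date the fix or advisory was released
    mitigated: Optional[date] = None  # date patched or mitigated; None if still open


def overdue_high_risk(records: List[VulnRecord], as_of: date) -> List[str]:
    """Return refs of high-risk records that missed the two-day window.

    A record that is still open is measured from its publication date to
    `as_of`, so an unpatched item becomes overdue on the third day.
    """
    overdue = []
    for rec in records:
        if rec.risk.lower() != "high":
            continue  # the two-day window applies to high-risk items only
        closed_on = rec.mitigated if rec.mitigated is not None else as_of
        if closed_on - rec.published > HIGH_RISK_WINDOW:
            overdue.append(rec.ref)
    return overdue


# Constructed sample data for the illustration.
SAMPLE_RECORDS: List[VulnRecord] = [
    VulnRecord("VULN-EXAMPLE-1", "PDF viewer", "high", date(2012, 9, 3), date(2012, 9, 4)),
    VulnRecord("VULN-EXAMPLE-2", "Java runtime", "high", date(2012, 9, 3), date(2012, 9, 7)),
    VulnRecord("VULN-EXAMPLE-3", "Office suite", "high", date(2012, 9, 8), None),
    VulnRecord("VULN-EXAMPLE-4", "Flash Player", "other", date(2012, 9, 1), None),
]

if __name__ == "__main__":
    print(overdue_high_risk(SAMPLE_RECORDS, as_of=date(2012, 9, 12)))
```

Run against the sample on 12 September the check reports the Java item (fixed four days after publication) and the still-open Office item; the PDF viewer item was fixed within a day and the Flash item is not rated high, so neither is reported. A record mitigated exactly two days after publication is treated as on time.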

Personnel Security

Providers must ensure (to an acceptable level of residual risk) that their personnel and the personnel of any sub-contractors are suitable to have access to sensitive information.

Access to system information must be managed through appropriate access controls, restricting system access to authorised and successfully authenticated users. Authorisation is two-fold. Firstly, an individual needs to be authorised to have access to a system, and secondly they need to be authorised to access specific applications, databases or information resources on a system.

Authentication Services

These criteria apply to Providers that generate and issue authentication credentials to individuals.

Credentials enable authentication to occur. Issued credentials are only as good as the weakest link associated with their issue, use, management, and revocation.

This includes:

 The credential creation process including protection of any data which may compromise a credential.

 The registration and management processes employed by (or on behalf of) the credential issuer.

 The environment in which the credential is being used and the risks associated with that environment.

 The way the user protects their credential.

Authentication credentials are generally classified as one (or more) of the following:

 Something the user knows – e.g. Username, PIN, passwords and pass- phrases, shared secrets etc;

 Something the user has – e.g. Physical devices such as tokens and smart cards etc;

 Something the user is – e.g. Biometric record of a physical attribute e.g. fingerprint6.

Privacy

Providers must demonstrate their compliance with the National Privacy Principles (NPPs) in the Privacy Act (see http://www.privacy.gov.au/materials/types/infosheets/view/6583). If Providers are contracted service providers under the Privacy Act, they MUST also demonstrate their compliance with the Information Privacy Principles.

6 More recently a new type – “something the user does” (eg gait patterns, keystroke behaviour) – has come under active consideration as a means of authenticating individuals in certain applications.

Security

Providers MUST demonstrate a risk-based approach to security that combines physical, logical (ICT) and personnel security measures to provide “defence in depth” appropriate to the perceived threats/risks to the assets being secured.

Data Verification Services

In the context of this Assurance Framework the ability to verify the authenticity of documentation or personal information submitted by an individual assists in providing increased assurance that “the individual is who they say they are”. There are a number of government and commercial data verification services available. Where agencies or commercial providers contemplate use of such services, they should ensure that the particular service satisfies the compliance requirements set out in Section 3. Given the structure of the Assurance Framework the use of data verification services will only be required (where possible) for authentication services operating at LOA3 and above.

Document Verification Service

The national Document Verification Service (DVS) is part of the Australian Government’s commitment to protecting the identity of Australians7. The DVS is a tool to verify the accuracy and validity of key Australian identity credentials provided at enrolment into a high value system. It is a secure, on-line system used to check, in real time, whether the information on a credential (such as document number, name and date of birth) ‘matches’ information held by the issuing agency. The DVS does not store any personal information. Requests to verify a document are encrypted and sent via a secure communications pathway to the document issuing agency. No personal data is transferred from the document-issuing agency.

7 Note that the DVS is, at this stage, only available to government agencies.

Privacy

Providers MUST demonstrate their compliance with the National Privacy Principles (NPPs) in the Privacy Act (see http://www.privacy.gov.au/materials/types/infosheets/view/6583). If Providers are contracted service providers under the Privacy Act, they must also demonstrate their compliance with the Information Privacy Principles.

Security

Providers MUST demonstrate a risk-based approach to security that combines physical, logical (ICT) and personnel security measures to provide “defence in depth” appropriate to the perceived threats/risks to the assets being secured.

Legal

Providers MUST demonstrate that appropriate contractual arrangements have been established with credential or document issuing authorities that are used in their verification processes.

Conformity Assessment

Conformity assessment is the 'demonstration that specific requirements relating to a product, process, system, person or body are fulfilled. Conformity assessment procedures, such as testing, inspection and certification, offer assurance that products fulfil the requirements specified in regulations and standards' (Source: ISO/IEC 17000 Conformity Assessment - Vocabulary and General Principles).

In circumstances where Providers offer individuals data storage / management / communication and associated authentication services that purport to be adequate for reliance by government agencies delivering services and benefits to individuals it is expected that such services will meet at a minimum baseline ICT security management standards.

From an information assurance perspective the nature of the conformity assessment process would be directly proportional to the level of assurance offered/required for such services8.

ISO/IEC 27001:2005 - Information technology -- Security techniques -- Information security management systems – Requirements requires that management:

 Systematically examine the organization's information security risks, taking account of the threats, vulnerabilities, and impacts;

 Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and

 Adopt an overarching management process to ensure that the information security controls continue to meet the organization's information security needs on an ongoing basis.

Info-Sec Registered Assessor Program (I-RAP)

The DSD Information Security Registered Assessor program (IRAP) provides Australian Government agencies with a pool of registered Australian IT security professionals who can be engaged to perform information security assessments on systems and networks.

Audit requirements

Any conformity assessment program is a point-in-time evaluation of a Provider’s capabilities. Incorporating an external audit requirement would provide an ongoing independent assessment that a service organisation is continuing to deliver services in a manner that is fit for purpose and to disclose its activities and processes to customers in a uniform manner.

8 This is the approach adopted in the US for the National Strategy for Trusted Identities in Cyberspace (NSTIC).

In Australia the Auditing and Assurance Standards Board (AUASB) is developing a new standard on controls engagement. It will address engagements to report on financial reporting, compliance or operational controls at the entity and compliance or operational controls at a service organisation. This new standard should be available in December 2012.

Information Assurance – Capability Maturity

An important component of any trust framework aimed at facilitating provision of services to Government by commercial entities is an understanding of the capability maturity of participating entities (ie developing a measure of how capable the organisation is in terms of its delivery of specific services). Where such services involve the storage and/or transmission of personal information, objective measures of maturity will assist agencies in terms of their reliance on such services. A Maturity Model (see Attachment 3) is:

 A framework to measure and support the Information Assurance maturity of an organisation.

 A tool for organisations to use to progress the maturity of Information Assurance processes.

 A means of facilitating Provider participation in the Assurance Framework as they move through the maturity process.

 A way of measuring how well developed enterprise capabilities are. As organisations learn and grow they transition through maturity levels. At each maturity level there are increased controls and therefore reduced risk.


5. Technical Standards

The objective of this section is to provide a brief overview of the architectural approach for the integration and authentication tiers of the Reliance Framework, and the set of WS-Profiles to be used.9 Compliance with these standards will be required for Providers under this Assurance Framework. The ability for data and messages to be shared between organisations in a timely, secure, reliable manner is a key capability for the Assurance Framework. Given the diverse nature of the infrastructure of the participating organisations the integration layer must be vendor- and host-system- neutral. In order to ensure interoperability and ease of integration for participating organisations and individuals it must be based on widely used open industry standards. The industry standards by themselves are not enough to ensure interoperability; detailed profiles must be used that specify not only which standards must be used, but how they must be used, to a sufficient level of detail. Some key enabling factors include:

 Use of open industry standards.

 Establishment of detailed Web Service Profiles.

 Strong architectural governance.

 Establishment of a certification process to ensure interoperability.

Implementation of these will serve to maximise the ease of integration with multiple third-party providers. This in turn provides pathways for citizen choice, improves portability, and avoids the establishment or perception of a single consumer database, as well as supporting innovation and development in emerging commercial markets.

Department of Human Services WebServices (DHS WS) Profiles

A Profile is a set of guidelines for the use of WebServices specifications beyond the core protocols. These guidelines are necessary because the specifications are designed for general-purpose use and are not always enough to satisfy enterprise level requirements. Interoperability Profiles also resolve ambiguities in areas where the WebServices specifications are not clear enough to ensure that all implementations process SOAP messages in the same way.

9 Full detail on the DHS WS-Profiles is contained in the DHS External Web Services Profile document. Full detail on the Authentication protocol is contained in the Australian Government Authentication Hub Protocol - v2.0 document

The DHS WS-Profiles are a critical tool in establishing interoperability between participating organisations in the Reliance Framework.

Some key features of the DHS Web Service Profiles include:

 Standards based: Wherever possible and appropriate, industry web services standards are adopted.

 Interoperability: The profiles are designed to maximise interoperability across different technology platforms.

 Support Delegated Trust Model: The security profiles support inclusion of user attributes in the Web Service requests that can be used by the Web Service provider to perform authorisations based on a delegated trust model.

 Support for Integrated Audit: Inclusion of user attributes in the Web Service requests to support audit requirements including the ability to correlate audit events across the portfolio systems.

 Extensible: The security profiles cater both for the use of internal web services being used to access in-confidence portfolio data and the configuration of additional security mechanisms for access to more sensitive data, or access by trusted external consumers.

The set of DHS WS-Profiles contains multiple profiles to address different integration requirements, including:

 DHS Basic Profile 1.0: This profile is a set of basic standards needed for every web service transaction. At its core is the WS-I Basic Profile 1.0, with some enhancements to support more recent standards such as SOAP 1.2 and WSDL 1.1, and some DHS-specific conventions where required to cover areas not addressed by the WS-I Basic Profile.

 DHS SOAP Attachment Profile 1.0: This profile is a set of standards needed for services with attachment requirements.

 WS-Security Profile 1.0: This profile is a set of standards needed to secure the WebService message using the OASIS specification WS-Security profile 1.0.

 TLS Profile 1.0: This profile is a set of standards needed to secure the web service transport layer using IETF RFC2246 specification TLS security profile.

 DHS Signature Profile 1.0: This profile is a set of standards needed to create digital signatures. This profile specifies the digital signature syntax and W3C processing recommendations.

Standards used in the DHS WS-Profiles

The standards used in the DHS WS-Profiles include (but are not limited to):

 XML

 XSD

 SOAP 1.1, 1.2

 HTTP 1.0, 1.1

 WS-Addressing

 WSDL 1.1

 WS-Security 1.1

 WS-Policy 1.5

 WS-Policy Attachment

 MTOM

 XOP

 PKI

 ATS5820

Taxonomy

Business information is encoded into a web service message using XML. The information is broken into data elements within the XML stream with each element given an appropriate, identifying name. The Standard Business Reporting AU (definitional) Taxonomy (SBR Taxonomy) will be the primary reference for naming of XML elements used to pass business information within a web service message10. A Reliance Framework Taxonomy will be established based on the SBR Taxonomy and will be added to, where required, to meet the specific needs of the Reliance Framework. Agency-specific taxonomies will only be used where the SBR and Reliance Framework Taxonomy is acknowledged to omit a suitable definition for the information to be encoded.

Authentication protocol

This protocol details the Web SSO and account linking messages that are exchanged between the Authentication Hub and participating Agencies. It provides an outline of the architecture of the Authentication Hub in order to provide the broad system context for the Authentication Hub protocol. Further, the protocol specifies the responsibilities and requirements for an Agency to use the Authentication Hub, i.e. to implement the Authentication Hub Protocol.

The key features of the Authentication Hub Protocol are:

 Standards based. The Authentication hub protocol is based on the SAML 2.0 standard for identity federation.

 Minimise changes for Agencies. The protocol does not require changes to existing application architectures, online services, or security policies.

 Ease of adoption. The Authentication Hub is designed to lower the barriers of entry for an Agency without compromising security. It uses well-defined and accepted standards for authentication and leverages existing Agency process for registration.

10 See http://www.sbr.gov.au/about-sbr/what-is-sbr/sbr-taxonomy for further information.

 Privacy Enhancing. The Authentication Hub will use anonymous identifiers to link Agency identities, and will not store or use any confidential personal data or Agency- specific identity data including Agency program identifiers.

 Extensibility. The Authentication Hub architecture is designed to support extension in the future to support new authentication credentials and registration business processes.

 Supports NeAF. The Authentication Hub protocol supports the principles of the National e-Authentication Framework by providing information about the credentials used by a user during the authentication process to the Agency.

The Authentication Hub Protocol utilises various SAML 2.0 profiles to address different requirements, including:

 Web Browser SSO Profile: The Web Browser SSO Profile specifies how SAML authentication assertions are communicated between an identity provider and service provider to enable single sign-on for a web browser user.

 Name Identifier Management Profile: This is a simple request-response exchange that can originate at either the identity provider or the service provider and is used as part of the Account Unlinking elements of the Authentication Hub Protocol.

Only a subset of the SAML v2 authentication protocols has been configured for use. Additional protocol support can be adopted to:

 Enhance usability for SSO interactions

 Support access via mobile devices

Additional credential verification services may be required to support authentication and account linking interactions. These services will use the SAMLv2 standards where possible, but the standard may not support some of these interactions. In this case, interfaces will be defined, adopted as standards, and exposed in accordance with DHS WS-Profiles. Other authentication protocols such as OpenID and OAuth can be looked at in the future to support interoperability with service providers and identity providers in accordance with the architectural principles outlined.

Standards used in the Authentication Protocol

The standards used in the Authentication Protocol include (but are not limited to):

 SAML v2.0

 SSL 3.0/ TLS 1.0

All other standards will be based as per the standards from DHS WS Profiles.
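The "Privacy Enhancing" feature above says the Authentication Hub links Agency identities through anonymous identifiers and holds no Agency program identifiers. The Python below is an added example of one standard way to obtain such identifiers, not a description of the Hub's actual design: a separate opaque identifier is derived per Agency from the Hub's internal user id with a keyed hash, so that two Agencies cannot correlate a user by comparing identifiers and the internal id cannot be recovered from the value. SAML 2.0's "persistent" NameID format is intended to carry exactly this kind of pairwise pseudonym. The secret, user ids and agency ids are constructed placeholders.

```python
"""Pairwise pseudonymous identifiers for an authentication hub.

Added example, not the Authentication Hub's actual design. A per-Agency
identifier is derived from the Hub's internal user id with HMAC-SHA256 under a
Hub-held secret: the same user always gets the same value at a given Agency
(so account linking is stable), different Agencies get unrelated values (so
they cannot correlate users by identifier), and the internal id cannot be
recovered from the value. Secret, user ids and agency ids are placeholders.
"""
import base64
import hashlib
import hmac
from typing import Dict, Iterable


def pairwise_id(hub_secret: bytes, internal_user_id: str, agency_id: str) -> str:
    """Derive a stable, per-Agency pseudonym for one Hub user.

    The NUL separator keeps ("ab", "c") and ("a", "bc") from hashing the
    same input; the result is URL-safe base64 without padding.
    """
    if not hub_secret:
        raise ValueError("hub secret must not be empty")
    msg = internal_user_id.encode("utf-8") + b"\x00" + agency_id.encode("utf-8")
    digest = hmac.new(hub_secret, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def pseudonyms_for(hub_secret: bytes, internal_user_id: str, agencies: Iterable[str]) -> Dict[str, str]:
    """Map each Agency to the pseudonym the Hub would present for this user."""
    return {agency: pairwise_id(hub_secret, internal_user_id, agency) for agency in agencies}


def unlinkable(pseudonyms: Dict[str, str]) -> bool:
    """True when no two Agencies received the same identifier for the user."""
    return len(set(pseudonyms.values())) == len(pseudonyms)


# Constructed placeholders for the illustration.
HUB_SECRET = b"example-hub-secret-replace-me"
AGENCIES = ["agency-A", "agency-B", "agency-C"]

if __name__ == "__main__":
    ids = pseudonyms_for(HUB_SECRET, "hub-user-0001", AGENCIES)
    for agency, pid in ids.items():
        print(agency, pid)
    print("unlinkable across agencies:", unlinkable(ids))
```

With this arrangement the Agency stores the pairwise value against its own program identifier, which never leaves the Agency, and the Name Identifier Management exchange used for account unlinking operates on the pairwise value alone. The secret is the sensitive asset: anyone holding it can recompute the mapping, so it belongs in the Hub's key management rather than in configuration files.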

6. Governance

Governance authority and responsibility for this Assurance Framework will be vested in the

 Secretaries ICT Governance Board (SIGB).

The SIGB will consult with the Authentication Governance Committee (AGIMO) and the Reliance Framework Board (DHS) including with respect to:

 standardising the interpretation and application of the non-specific measurement statements in Section 3 of the Framework (e.g. appropriate, effective, where possible, etc); and

 development of conformity assessment management regimes as required.

The governance of other technical standards (e.g. those used for data exchange etc.) used in the Reliance Framework will initially be managed by the Reliance Framework Board.

Agencies and Providers should be aware that the Office of the Australian Information Commissioner (OAIC) is the national privacy regulator.

On a day to day basis policy and operational support will be provided by the:

 Department of Finance and Deregulation (AGIMO),

 Attorney-General’s Department (policy and operational support for AGD policies and services e.g. PSPF, NISS and DVS); and

 Defence Signals Directorate.

Development of a business case to establish the viability of an NTIF will address the issue of longer term governance arrangements.


7. ICT Procurement

The Commonwealth Procurement Rules (CPRs) represent the Government Policy Framework under which agencies govern and undertake their own procurement and combine both Australia's international obligations and good practice. Together, these enable agencies to design processes that are robust, transparent and instil confidence in the Australian Government's procurement. Further detail is available at http://www.finance.gov.au/procurement/procurement-policy-and-guidance/commonwealth-procurement-rules/index.html

Limiting Supplier Liability in ICT Contracts with Australian Government Agencies

The Australian Government’s ICT liability policy recognises that requiring unlimited liability and inappropriately high levels of insurance can be a significant impediment to companies wishing to bid for Australian Government contracts. This is particularly the case for small and medium sized ICT firms.

A Guide to Limiting Supplier Liability in Information and Communications Technology (ICT) Contracts with Australian Government Agencies, was issued in May 2010 (second Edition) by the Department of Industry, Innovation, Science, Research and Tertiary Education. This policy relates to Government agencies subject to the Financial Management and Accountability Act 1997 (the FMA Act) and requires that the liability of ICT suppliers contracting with agencies, in most cases, be capped or limited at appropriate levels based on the outcomes of a risk assessment. See http://www.innovation.gov.au/Industry/InformationandCommunicationsTechnologies/Documents/LimitingLiabilityReport.pdf

The ICT liability policy is stated in Finance Circular 2006/03 Limited Liability in Information and Communications Technology Contracts. Procurement related Finance Circulars are located at http://www.finance.gov.au/publications/finance-circulars/procurement.html. See also Finance Circular 2003/02 - Guidelines for Issuing and Managing Indemnities, Guarantees, Warranties and Letters of Comfort.

Additional Resources

Finance Circulars link is http://www.finance.gov.au/publications/finance-circulars/index.html

8. Future NTIF related Activities

There is a substantial body of work required to give operational effect to the Assurance Framework.

The development of a business case to establish the viability of an NTIF will consider how to enable this work, including:

o Access to the DVS by Providers

o Development of an integrated and robust conformity assessment program for Providers of mailbox/data-vault and authentication services

o Consideration of claim/assertion based authentication.

o Is there in all cases an agency procurement process or do they simply act as a relying party on data / credentials stored and produced by a third party.

o The nature and extent of consumer / agency advice that may be required in relation to 3rd party service providers.

o Proposals for centralised storage of personal information, use of offshore clouds or the use of people’s personal information for marketing purposes.

o Development of appropriate capability maturity models for commercial providers of identity management services.

o Clarify the obligations under the Privacy Act and the proposed obligations under the Amendment Bill with respect to anonymous and pseudonymous transactions.

o Development of appropriate long term governance models including but not limited to responsibilities for conformity assessment, provider service standards, on-going support, upgrade/release/change processes etc.


Attachment 1

Joint Accreditation System of Australia and New Zealand (JAS- ANZ) The Joint Accreditation System of Australia and New Zealand (JAS-ANZ) was established by Treaty in 1991 by the Australian and New Zealand governments to strengthen the trading relationship between the two countries and with other countries. The JAS-ANZ Treaty established the Governing Board, Technical Advisory Council and Accreditation Review Board. The Treaty requires JAS-ANZ to operate a joint accreditation system and to deliver on the following four goals:  Integrity and Confidence: To maintain a joint accreditation system that will give users confidence that goods and services certified by accredited bodies meet established standards.  Trade Support: To obtain and maintain acceptance by Australia’s and New Zealand’s trading partners of domestic management systems and exported goods and services.  Linkages: To link with relevant bodies which establish or recognise standards for goods and services or which provide conformity assessment. Through these linkages, JAS-ANZ can influence outcomes in international and national standards and guidance on conformity assessment so that Australian and New Zealand interests are not disadvantaged.  International Acceptance: To obtain mutual recognition and acceptance of conformity assessment with relevant bodies in other countries. Mutual Recognition Arrangements/Agreements (MRAs) and Multilateral Recognition Arrangements (MLAs) deliver a systematic framework for acceptance of conformity assessment results between trading nations. Structure and Governance

JAS-ANZ operates on a not-for-profit basis. Under the formal direction of a Governing Board, the Technical Advisory Council and Accreditation Review Board support the development and implementation of policies and principles that underpin the operation of the joint accreditation system. Through a network of international ties JAS-ANZ is subject to periodic peer review. JAS-ANZ has a secretariat of 20 to assist the Governing Board fulfil its obligations.

Operations

JAS-ANZ activities are structured around five distinct disciplines or programs: management systems certification, product certification, personnel certification, inspection, and greenhouse gas validation and verification. Under these five programs, JAS-ANZ recognises 125 public and proprietary schemes that have been developed by or in conjunction with public authorities and industry groups. The schemes provide a level of confidence to support exchange of products and services across a wide range of industry sectors. Over 90 certification and inspection bodies are accredited, with the largest number concentrated in management systems. Over 70,000 accredited certificates are issued in over 80 countries to address the need for authoritative attestations of conformity.

A high proportion of JAS-ANZ’s effort centres on five areas of economic and social activity:

 Business Processes and Innovation;

 Health and Human Services;

 Food and Biological Systems;

 Product Performance and Safety; and

 Environmental Management.

JAS-ANZ’s operations also extend to providing technical support for the development of infrastructure capabilities in developing nations; current projects involve Laos and Cambodia.

International engagement

A key role for JAS-ANZ is establishing international arrangements with other countries to accept one another’s certificates and inspection reports, so removing a technical barrier to trade. An important mechanism for this is membership in international organisations which provide the framework of multilateral agreements (MLAs) under which signatories will recognise one another’s accredited certificates and inspection reports. JAS-ANZ is an active member of the key accreditation organisations including the International Accreditation Forum (IAF), the Pacific Accreditation Cooperation (PAC), and the Asia Pacific Laboratory Accreditation Cooperation (APLAC). JAS-ANZ is also a member of the Multilateral Cooperative Accreditation Arrangement (MCAA), a collaborative arrangement between a number of international accreditation bodies that facilitates the sharing of information relating to signatory accredited bodies and cooperation in the servicing of these bodies.

Contact details


Tel: +61 2 6232 2000
Fax: +61 2 6262 7980
Postal Address: GPO BOX 170, Canberra ACT 2601
Email: [email protected]
www.jas-anz.org

Attachment 2

Kantara Initiative Identity Assurance Levels: Snapshot View

AL 1
 Example: Registration to a news website
 Assessment Criteria – Organization: Minimal organizational criteria
 Assessment Criteria – Identity Proofing: Minimal criteria – Self assertion
 Assessment Criteria – Credential Management: PIN and Password

AL 2
 Example: Change of address of record by a beneficiary
 Assessment Criteria – Organization: Moderate organizational criteria
 Assessment Criteria – Identity Proofing: Moderate criteria – Attestation of Govt ID
 Assessment Criteria – Credential Management: Single factor; prove control of token through authentication protocol

AL 3
 Example: Access to an online brokerage account
 Assessment Criteria – Organization: Stringent organizational criteria
 Assessment Criteria – Identity Proofing: Stringent criteria – stronger attestation and verification of records
 Assessment Criteria – Credential Management: Multi-factor auth: cryptographic protocol; “soft”, “hard”, or “OTP” tokens

AL 4
 Example: Dispensation of a controlled drug or $1M bank wire
 Assessment Criteria – Organization: Stringent organizational criteria
 Assessment Criteria – Identity Proofing: More stringent criteria – stronger attestation and verification
 Assessment Criteria – Credential Management: Multi-factor auth w/ hard tokens only; crypto protocol w/ keys bound to auth process

Source: http://kantarainitiative.org/idassurance/


Attachment 3

HMG Information Assurance Maturity Model

Each criterion is rated Red/Amber/Green (R/A/G) at each of the five maturity levels:

CRITERIA | L1 Initial | L2 Established | L3 Business Enabling | L4 Quantitatively Managed | L5 Optimised
Leadership and Governance | R/A/G | R/A/G | R/A/G | R/A/G | R/A/G
Training, Education and Awareness | R/A/G | R/A/G | R/A/G | R/A/G | R/A/G
Information Risk Management | R/A/G | R/A/G | R/A/G | R/A/G | R/A/G
Through-Life IA Measures | R/A/G | R/A/G | R/A/G | R/A/G | R/A/G
Assured Information Sharing | R/A/G | R/A/G | R/A/G | R/A/G | R/A/G
Compliance | R/A/G | R/A/G | R/A/G | R/A/G | R/A/G

RED – There are crucial deficiencies against the performance required at this level. Major elements of the business Information Risk Management and Information Assurance processes have yet to be addressed.

RED/AMBER – There are major deficiencies against the performance required at this level. Major elements of the business Information Risk Management and Information Assurance processes are not being addressed, and there are no credible plans to address the situation.

AMBER – There are significant deficiencies against the performance required at this level. Some elements of the business Information Risk Management and Information Assurance processes are not being addressed, or whatever plans exist have not been formally endorsed by the business.

GREEN/AMBER – There are only minor deficiencies against the Business Information Risk Management and Information Assurance processes required at this level. Credible progress is being made against plans endorsed by the business.

GREEN – There are negligible deficiencies against the performance required at this level. Business Information Risk Management and Information Assurance processes are fully met.

Levels (cumulative)

1 Initial – awareness of weaknesses and policies established to guide improvement

2 Established – information assurance processes are institutionalised, strategic approach adopted, program of targeted education and awareness raising

3 Business Enabling – measured improvement at all levels of the organisation including commercial suppliers

4 Quantitatively Managed – staff attitudes to information assurance are aligned to business needs, metrics are established to support risk management

5 Optimised – information assurance fully integrated as normal business and regarded at all levels as a business enabler

The Capability Maturity Model set out above is drawn from the UK Government (see www.cesg.gov.uk/products_services/iacs/iamm/media/iamm-assessment-framework_v2.pdf). Further examples of such models may be found at http://www.eurim.org.uk/activities/ig/voi/information.php.

Attachment 4 National Identity Security Strategy

(See www.ag.gov.au/identitysecurity)

Commonwealth, State and Territory Governments agreed to a National Identity Security Strategy (NISS) in 2007. The NISS provides a framework for inter-governmental cooperation to enhance identification and verification processes, combat identity theft and prevent the misuse of stolen identities. The NISS was reviewed and revised during 2012 to ensure it remains responsive to the rapidly evolving nature of identity crime and misuse.

In seeking to engage commercial providers, agencies should have regard for the following guiding principles contained in the NISS 2012 [11]:

 Protecting the identity information of Australians is a shared responsibility

 The community’s confidence in business and public trust in government is supported by identity security

 To deter crime and foster national security, identity security must be based on a risk management approach

 Commonly accepted identity credentials must be supported by strong security measures, and

 Identity security needs to be a core feature of standard business processes and systems.

Enrolment

The Gold Standard Enrolment Framework (GSEF) is a key outcome of the National Identity Security Strategy (NISS). The GSEF was developed for government agencies issuing physical identity credentials.

The GSEF details a ‘gold standard’ that gives agencies confidence in the identity of an individual. It reduces the risk in registrations due to the use of false identities as well as minimising multiple enrolments for fraudulent purposes. The GSEF specifies that agencies should verify the validity of identity credentials presented at enrolment. The DVS is a tool that can be used to ‘match’ the information on the credential with information held by the issuing agency.

[11] COAG endorsement of the NISS 2012 is anticipated in late 2012.

For Level 4 assurance authentication solutions, the GSEF processes must be adopted by commercial providers. For lower levels of assurance, GSEF processes should be considered on a risk basis. It is important that the identities of persons accessing government services, benefits, official documents and positions of trust are verified to a level of assurance appropriate for the service requested.

Data integrity

(See www.ag.gov.au/identitysecurity)

Noting agency obligations to maintain the integrity of their own data holdings, commercial providers of authentication services must:

o Ensure that each applicant’s identity record is unique within the service’s community of subjects and uniquely associable with tokens and/or credentials issued to that identity

Multiple, incorrect or fraudulent registrations undermine the ability of governments to allocate entitlements, collect revenue, provide services effectively and efficiently and comply with privacy obligations. Poor data integrity also undermines the effectiveness of the DVS. Data cleansing (single-agency focused) and data matching (multi-agency focused) are two tools for improving the integrity of data.

When third parties are establishing identity records they should have regard for the Attorney-General’s Department’s Recording of a name to establish identity – Better practice guidelines for Commonwealth agencies. It provides guidance on consistency and uniformity in use of name policy, procedures and naming conventions. The guidelines are designed as a best practice reference guide for collecting and recording identity information as well as for ongoing management, including amendments to identity information.
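The data-integrity requirement above (one identity record per subject, each token uniquely associable with one identity) is easy to state and easy to get wrong in a registry. The following is an added example, not code from the Assurance Framework, the Attorney-General's Department or any provider: a minimal in-memory identity registry that enforces both invariants and reports on them the way a data-cleansing pass would. The choice of family name, given names and date of birth as the uniqueness key, the record and token identifier formats, and all sample applicants are constructed assumptions for illustration.

```python
"""
Added example (not part of the Assurance Framework or any provider's code):
a minimal identity registry enforcing two data-integrity invariants:
  1. each subject has exactly one identity record (no duplicate enrolment);
  2. each issued token is bound to exactly one identity record.
The uniqueness key, identifier formats and sample records are constructed.
"""
import unicodedata
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def normalise(value: str) -> str:
    """Canonical form for matching: Unicode NFKC, case-folded, single-spaced.
    Without this, 'CITIZEN' and 'Citizen' would enrol as two subjects."""
    return " ".join(unicodedata.normalize("NFKC", value).casefold().split())


@dataclass(frozen=True)
class SubjectKey:
    """Attributes treated as the subject uniqueness key (an assumption here)."""
    family_name: str
    given_names: str
    date_of_birth: str  # ISO 8601 date string in the constructed samples

    @classmethod
    def from_application(cls, app: dict) -> "SubjectKey":
        return cls(normalise(app["family_name"]),
                   normalise(app["given_names"]),
                   app["date_of_birth"].strip())


class DuplicateIdentityError(Exception):
    """Raised when a second record would be created for an enrolled subject."""


class TokenBindingError(Exception):
    """Raised when a token would be bound to an unknown or second identity."""


@dataclass
class IdentityRegistry:
    _records: Dict[str, SubjectKey] = field(default_factory=dict)  # record_id -> key
    _by_key: Dict[SubjectKey, str] = field(default_factory=dict)   # key -> record_id
    _tokens: Dict[str, str] = field(default_factory=dict)          # token_id -> record_id
    _next_id: int = 1

    def enrol(self, application: dict) -> str:
        """Create an identity record, refusing a duplicate for the same subject."""
        key = SubjectKey.from_application(application)
        if key in self._by_key:
            raise DuplicateIdentityError(
                f"subject already enrolled as record {self._by_key[key]}")
        record_id = f"REC-{self._next_id:06d}"  # constructed identifier format
        self._next_id += 1
        self._records[record_id] = key
        self._by_key[key] = record_id
        return record_id

    def bind_token(self, token_id: str, record_id: str) -> None:
        """Bind a token to one record; an identity may hold many tokens,
        but a token may never resolve to more than one identity."""
        if record_id not in self._records:
            raise TokenBindingError(f"unknown record {record_id}")
        owner = self._tokens.get(token_id)
        if owner is not None and owner != record_id:
            raise TokenBindingError(
                f"token {token_id} is already bound to record {owner}")
        self._tokens[token_id] = record_id

    def resolve_token(self, token_id: str) -> Optional[str]:
        return self._tokens.get(token_id)

    def tokens_for(self, record_id: str) -> List[str]:
        return sorted(t for t, r in self._tokens.items() if r == record_id)

    def integrity_report(self) -> dict:
        """The invariants a provider would re-check during data cleansing."""
        return {
            "records": len(self._records),
            "unique_subjects": len(set(self._records.values())),
            "tokens": len(self._tokens),
            "orphan_tokens": sorted(t for t, r in self._tokens.items()
                                    if r not in self._records),
        }


def demo() -> dict:
    """Walk through enrolment and token binding with constructed applicants."""
    reg = IdentityRegistry()
    alice = reg.enrol({"family_name": "Citizen", "given_names": "Alice Mary",
                       "date_of_birth": "1980-02-29"})
    try:  # same person re-applying with different casing and spacing
        reg.enrol({"family_name": "CITIZEN", "given_names": "alice  mary",
                   "date_of_birth": "1980-02-29"})
        duplicate_rejected = False
    except DuplicateIdentityError:
        duplicate_rejected = True
    bob = reg.enrol({"family_name": "Citizen", "given_names": "Alice Mary",
                     "date_of_birth": "1981-02-28"})  # different DOB: distinct subject
    reg.bind_token("TOK-1", alice)
    reg.bind_token("TOK-2", alice)  # one identity, several tokens: allowed
    try:
        reg.bind_token("TOK-1", bob)  # one token, two identities: refused
        rebind_rejected = False
    except TokenBindingError:
        rebind_rejected = True
    return {"alice": alice, "bob": bob,
            "duplicate_rejected": duplicate_rejected,
            "rebind_rejected": rebind_rejected,
            "alice_tokens": reg.tokens_for(alice),
            "report": reg.integrity_report()}


if __name__ == "__main__":
    print(demo())
```

The normalisation step is where the name-recording guidelines referenced above bite: a registry that compares raw strings will happily hold two records for the same person differing only in case or whitespace, which is exactly the multiple-enrolment problem the GSEF and DVS are meant to suppress.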

National e-Authentication Framework

(See http://www.finance.gov.au/e-government/security-and-authentication/authentication-framework.html)

The National e-Authentication Framework [12] (NeAF) provides agencies with a methodology to undertake identity-risk assessments and thereby determine the level of authentication assurance required for a particular online transaction (or set of similar transactions).

[12] See http://www.finance.gov.au/e-government/security-and-authentication/authentication-framework.html

The authentication process provides assurance that a credential was issued to a specified individual. It does not address:

o Whether on subsequent presentation of that credential the individual to whom it was issued remains in control of the credential

o What access rights or authority the individual has to obtain information from an agency

o What services an individual may be entitled to receive from an agency

These processes remain within the control of the relying party (ie the agency from whom the individual is seeking services).

The NeAF is equally applicable to commercial providers of authentication services.

The NeAF defines 5 levels of assurance as follows:

Level 0 – No assurance: No confidence is required in the identity assertion.

Level 1 – Minimal assurance: Minimal confidence is required in the identity assertion.

Level 2 – Low assurance: Low confidence is required in the identity assertion.

Level 3 – Moderate assurance: Moderate confidence is required in the identity assertion.

Level 4 – High assurance: High confidence is required in the identity assertion.

By extension the NeAF also allows an assessment of the level of assurance associated with authentication credentials issued by commercial providers (assuming there is a level of transparency associated with registration and enrolment processes and credential management practices).

Noting that identity risks are a subset of an agency’s wider risk environment, application of the NeAF principles should occur in the context of a provider’s overall risk management processes.

The Gatekeeper PKI Framework recognises that, unlike lower assurance authentication credentials (such as username/passwords), public-key digital certificates have specific characteristics that warrant both a policy framework for their use within Government and an accreditation program for providers of such credentials (see www.gatekeeper.gov.au).

The requirements for obtaining Gatekeeper accreditation (including compliance with the ISM and PSPF) apply to commercial and government providers.


ISO/IEC 29115 Entity Authentication Assurance

Draft ISO Standard 29115 Entity Authentication Assurance [13] states:

Assurance ..... refers to the confidence placed in all of the processes, management activities, and technologies used to establish and manage the identity of an entity for use in authentication transactions.

The Standard specifies four Levels of Assurance (LoA) where LoA is a function of the processes, management activities, and technical controls that have been implemented by the provider:

Level | Description
1 – Low | Little or no confidence in the claimed or asserted identity
2 – Medium | Some confidence in the claimed or asserted identity
3 – High | High confidence in the claimed or asserted identity
4 – Very high | Very high confidence in the claimed or asserted identity

Given that all elements of a provider’s operations impact the level of assurance associated with a credential, integrated service offerings such as mailboxes, data vaults and/or data management services need to be assessed on a holistic rather than compartmental basis.

As such, consideration of a service provider’s security (physical, logical and personnel) becomes relevant in addition to the controls that are implemented to ensure the privacy of information.

Note that the draft ISO standard links authentication to identity. While the NeAF also makes such a link it also explicitly recognises that authentication applies to any assertion – be it an attribute of identity (eg date of birth) or non-identity attributes (eg a street address).

o To more fully understand the scope of authentication services it is necessary to consider the definition of identity and the extent to which that is both necessary and sufficient in relation to this Assurance Framework.

Storage and processing of Australian Government information in offshore arrangements

New ICT business models such as cloud computing, coupled with the ever increasing speed and volume of transactions, provide significant opportunities but have also highlighted additional risks to the control of Government information in outsourced and offshore arrangements. There is additional complexity when Government information transits multiple jurisdictions, including the application of other jurisdictions’ laws and the use of foreign-flagged companies. These additional complexities increase the difficulty in assessing the risk to the storing and processing of Government information outside Australia.

[13] Note that the standard is still at the Final Draft stage.

In addition, foreign-owned ICT service providers operating in Australia may also be subject to other laws such as a foreign government’s lawful access to information controlled by the service provider.

APS agencies currently make a risk-based decision on the location and hosting of government information based on the Protective Security Policy Framework, the Information Security Manual and the Privacy Act 1988. The Defence Signals Directorate recommends against outsourcing information technology services and functions outside of Australia, unless agencies are dealing with data that is all publicly available. DSD strongly encourages agencies to choose either a locally-owned vendor or a foreign-owned vendor that is located in Australia and stores, processes and manages sensitive data only within Australia. Current government policy, as outlined in the Cloud Computing Strategy and supporting documents, is to not store sensitive or personal information in the public cloud.

In the context of people being able to choose to use (as opposed to agencies procuring) commercial data vault or authentication services the responsibility shifts away from agencies (other than as a relying party) to the individual concerned. In such circumstances the Assurance Framework will specify criteria against which agencies can assess such service offerings. Such criteria must be consistent with existing policy frameworks such as the PSPF/ISM and the cloud strategy. Agencies will apply a risk assessment process in making decisions to rely on data or credentials known to be stored by an individual outside Australia.

Cloud Service Provider – Security assurance

(See http://www.finance.gov.au/e-government/strategy-and-governance/cloud-computing.html)

By their very global nature, cloud services, particularly the public cloud, offer numerous potential benefits in terms of cost, efficiency and flexibility. However, it is recognised that in transitioning government services to the cloud, a degree of agency control over the operational environment would be removed. Certain characteristics of cloud – such as resource pooling and its global infrastructure – differentiate its risk profile from that of traditional outsourced arrangements.

Traditional out-sourcing arrangements enable an agency to have a formal contract and service level agreement which establishes the security, operational and governance controls necessary to provide it with the required level of assurance or comfort.

This may not always be the case with cloud services. Cloud services therefore present new challenges, specifically around governance, risk management, standards, security, information management including data portability and interoperability, and service management.

These are issues that need to be considered in any arrangement for mailbox or vault providers.

Data Centre Strategy

(See http://www.finance.gov.au/e-government/infrastructure/data-centres.html)

The Australian Government Data Centre Strategy 2010-2025 provides scope for a range of assurance options. Through the Data Centre Facilities Panel, agencies can source data centre facilities. For the highest level of assurance, agencies can securely house their ICT assets in these facilities. The operators of the data centre facilities available through the panel have committed to specific security and audit measures.

Agencies must operate the ICT systems in the data centre facilities. The data centre facilities operator will manage the physical environment only. A suitably qualified external service provider might also be able to manage the ICT services.

At the other extreme for data centre sourcing is the ‘cloud services’ contract. While the ICT service is created using ICT systems based in a data centre, the contract is for a specific ICT service, such as e-mail or data vault. These data centres will usually not be on the Data Centre Panel, even though located in Australia.

Data Centre as a Service (DCaaS) providers may offer commercial services such as mailbox and data vaults to individual citizens. The security and privacy standards that must be met as a result of being a DCaaS provider may or may not be adequate to support the provision of such additional services.

Mobile Strategy

There is a global trend toward the use of mobile technology. Smartphones, tablet computers and app stores are part of a global market worth an estimated AUD$300 billion in 2011. Australian citizens are also increasingly using mobile services.

The Australian Government is developing a strategy to encourage agencies to exploit this trend to increase the effectiveness of their service delivery, and to increase staff productivity. However, this mobile technology trend is fuelled by consumers. As a consequence, privacy and security have been designed more toward commercial than government considerations.

As identified earlier in this paper the Assurance Framework must be technology and platform agnostic.

Other Policies

The applicability of other government and some market based policies will be dependent on the types of data that individuals intend to store in their “vault” or transactional information stored in their inbox.

The nature of such information will have a clear impact on the level and type of security controls that providers will necessarily have to implement. If providers do not limit the types of information that can be stored then by default, security requirements will have to be set at the highest level of assurance.

For example:

 storage of financial data is likely to require provider compliance with Payment Card Industry (PCI) rules

o see https://www.pcisecuritystandards.org/

 storage of health data will require compliance with relevant health legislation

 storage of digital (or digitised) credentials (eg passport or licence images) will necessarily require more stringent security arrangements as documents such as licences and passports remain the property of the issuing Government authority.

Consideration may also need to be given to the requirements of the US Sarbanes-Oxley Act of 2002 (SOX), which ushered in a new era of business rules regarding the storage and management of corporate financial data. SOX holds many publicly held companies and all Registered Public Accounting Firms to a rigorous set of standards. These rules set guidelines for how data should be stored, accessed, and retrieved.
