POP Track – July 31, 2012
Directory and Trust Services Policy and Operating Procedures (POP)

Topics for Today’s call
• Recap Policy Priorities for Task Group
• WSC project conclusions related to Priorities
• Next Steps…

Recap Policy Priorities for Task Group
• Authenticating Authorized Users
  • Rephrase: Does the user accessing the SDS need to be authenticated before it responds; if so, how?
• Minimum Information required to submit a query
  • Rephrase: What controls should be in place to constrain the response behavior of the SDS to minimize over-exposure of content from LDSs?
• Minimum data requirements to be supplied by an LDS
  • Rephrase: What does an LDS need to be able to supply in response to query from SDS about its entities and associated end-users to be considered sufficient to participate?
• Policies around auditing and disclosure requirements of D&TS operations
  • What is to be logged where and by whom?

WSC project conclusions related to Priorities
• Please see http://taskgroups.caleconnect.org/Western+States+Consortium for a detailed summary and the artifacts discussed at this 2-day multi-state F2F.
• Especially germane to our Priority Policy Topics is the following link: Decisions on the WSC approach to Directory Services
• Not surprisingly – the gestalt of the decisions made at this meeting is similar to what this work group has been trending toward.

POP Track Policy Priority 1: Authenticating Authorized Users
Discussion and Decisions at the Meeting (from WSC wiki Page)
• Authorization is required for access to directory services.
• States may not be authorized to disclose PII without requiring authorized access.
• It will be important to consider performance (i.e., response time for users) in any technical solution.
• Authorization will be required in the pilot (not just the long-term solution) in order to begin to assess performance.
• Authorized access implies that secure communications are required.
• HTTPS with mutual TLS is likely sufficient.
• Authorized access will be granted to organizations, and is not required for individuals.
• The trust mechanism was not determined, but authorization may not require an external SAML or OpenID authentication server.
• Requests to statewide directory services and their responses should be logged for audit purposes, but need not include information on the specific individuals requesting information.
• The originating systems that are ultimately making the requests are required to log individual information for audit purposes.

POP Track Policy Priority 2: Minimum Information required to submit a query
Discussion and Decisions at the Meeting (from WSC wiki Page)
• When responding to an authorized query the SDS will limit the number of results returned to the LDS.
• To facilitate trust of the end-users that the data being made available about them via the SDS is constrained to its intended purpose, a mechanism will be employed by the SDS to constrain the number of records provided in response to a query.
• This mechanism will prevent the query response from providing a number of records inconsistent with appropriate use.
• This mechanism shall be approved by the governance body of the SDS.
• In the event that a user's query returns more potential responses than permitted by the mechanism, the user will be asked to resubmit their query with more information to narrow the results that are provided by the SDS.
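
One way the result-limiting mechanism above could behave, together with the organization-level audit logging from Policy Priority 1. This is an added example, not part of the original slides or of any WSC artifact; the cap value, organization identifier, record fields and function names are all assumptions.

```python
from datetime import datetime, timezone

MAX_RESULTS = 3  # assumed value; the slides leave the cap to the SDS governance body
AUTHORIZED_ORGS = {"hio-a.example"}  # assumed: org identity comes from the mTLS client certificate
AUDIT_LOG = []  # stand-in for the SDS audit store

# Constructed sample records standing in for data supplied by LDSs.
DIRECTORY = [
    {"last": "Smith", "first": f, "city": c, "direct": f"{f.lower()}.smith@direct.example"}
    for f, c in [("Ann", "Reno"), ("Bo", "Reno"), ("Cy", "Elko"), ("Di", "Boise")]
] + [{"last": "Jones", "first": "Ed", "city": "Reno", "direct": "ed.jones@direct.example"}]


def audit(org_id, query, outcome, count):
    # Organization-level entry only: no individual requester is recorded here,
    # because the originating system keeps the per-individual log.
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "org": org_id, "query": dict(query), "outcome": outcome, "matches": count,
    })


def search(org_id, query):
    """Answer a directory query for an organization, enforcing the result cap."""
    if org_id not in AUTHORIZED_ORGS:
        audit(org_id, query, "denied", 0)
        return {"status": "denied", "results": []}
    matches = [
        rec for rec in DIRECTORY
        if all(str(rec.get(k, "")).lower() == str(v).lower() for k, v in query.items())
    ]
    if len(matches) > MAX_RESULTS:
        # Too broad: release no records and ask the caller to narrow the query.
        audit(org_id, query, "narrow_query", len(matches))
        return {"status": "narrow_query", "results": []}
    audit(org_id, query, "ok", len(matches))
    return {"status": "ok", "results": matches}


if __name__ == "__main__":
    print(search("hio-a.example", {"last": "smith"})["status"])
    print(search("hio-a.example", {"last": "smith", "city": "reno"})["status"])
```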

POP Track Policy Priority 3
Discussion and Decisions at the Meeting (from WSC wiki Page)
• At a minimum, an LDS will provide sufficient data elements about each end user to be made discoverable by its participation in the SDS.
  • All data elements required to demonstrate the end user's legitimate eligibility to participate in inter-HIO exchange within the state that the HIO has onboarded.
  • All data elements required to facilitate discovery of exchange required attributes (i.e., for the scope of the WSC, the end user's direct address and related digital credentials).
  • Sufficient demographic information to support discovery and ranking of potential matches in response to a query from an end user.
• The consensus of the Group was to consider HPD+ (a la the IWG) as it intersects with the work of the S&I Frameworks PD Tiger Team recommendations as the guiding reference for determining those data elements that are critical for D&TS behavior.

Next steps?
• Need volunteers to take a cut at drafting Policy Log entries for the three prioritized Policy items discussed (assuming we have consensus among this group and there are no showstoppers for anyone).
• Other suggestions at this point?
• Thank you!