TFTM Deliverable 01-06
2014 Self Assessment and Attestation Program Discussion Deck
TFTM Committee, June 25, 2014
IDESG TFTM Committee

Meeting Agenda
• 2014 Compliance and Conformance Program Goal
• Meeting Objectives
• Why Self-attestation?
• Process and Components
• Deliverables
• Next Steps
Today’s Meeting Objectives
• Discuss the 2014 IDESG self-assessment and attestation compliance program
• Identify program components
• Identify potential deliverables
Why Self-assessment and Attestation?
• Cost effective
  • For both IDESG and participants
• Resource light
  • For both IDESG and participants
• Can be implemented quickly
  • We are already half way through 2014
• Provides moderate assurance that participants are operating according to established requirements, guidance, rules, etc.
• Most realistic option for 2014
• Logical first step in the phased implementation of a compliance program
  • CSA and other organizations have implemented similar phased approaches
2014 TFTM Compliance and Conformance Goal
• Establish a self-assessment and attestation compliance program for the Identity Ecosystem.
  • TFTM consensus decision made on 28 May 2014
• In the future, additional types of conformance will be built upon the self-attestation program
[Figure: Future Compliance Approaches]
[Figure: IDESG Conformance Assessment Program. Layers shown: NSTIC and IDESG Guiding Principles; IE Framework Requirements and Assessment Procedures (Security, Privacy, Interop., Usability, Other); Self-Assessment (2014), built on Self-Assessment Criteria/Questionnaire and Conformance Self-Attestation; 3rd-Party Conformance Assessment (2015+)]
Process & Components
• What do we need for a functional self-assessment and attestation program?
• Each step in the process will require a set of defined procedures (internal and external) and owners to ensure an efficient program
• A clear, overall process flow should be developed once the processes and components have been identified and agreed to by the TFTM
Process and Components
• The process through which identity ecosystem participants request to be recognized through the self-assessment and attestation conformance program
  • May be an automated or manual procedure
    • Web form
    • Emailed/downloaded PDF
• Application should contain sufficient info to confirm the “Bona Fides” of applying organizations
  • Legitimate service provider in the IE, e.g., IE role/service description
  • Other certifications (e.g., CSA STAR, PCI DSS, FICAM), DUNS number, etc.
• Ownership for collecting applications and supporting documents will need to be assigned to an appropriate entity in IDESG
  • E.g., Secretariat, TFTM sub-committee, etc.
• Potential deliverables/documentation:
  • IDESG Application Template and Guide
  • Bona Fides information requirements
Process and Components
• Process by which applicants determine conformance with appropriate IDESG requirements
• Needs a clear, standardized format for expressing applicable requirements
  • E.g., clear criteria, self-assessment questionnaire
• Needs an identified owner in IDESG for collecting and managing assessment template submissions
  • May be Secretariat or TFTM sub-committee
  • Needs to review submissions for completeness and appropriateness
• Dependent upon committee requirements development
  • TFTM development of a requirements template may assist committees in their own requirements development
• Potential deliverables/documentation:
  • Conformance Criteria/Questionnaire
Process and Components
• Means to formally bind applicants to the information provided in the self-assessment form
• Needs a standardized format with appropriate legal language/review
• Ownership
  • May be Secretariat or TFTM sub-committee
• Potential deliverables/documentation:
  • Attestation Forms/Guide
Process and Components
• IDESG due diligence and confirmation that all necessary and appropriate information has been received from an applicant.
  • Results in a recommendation for acceptance of the self-attestation
• At a minimum, should ensure that the proper documents have been fully and appropriately completed
  • Application (Bona Fides check)
  • Self-assessment forms
  • Conformance Attestation
• Ownership
  • Responsibility for recommendations for approval should be an IDESG entity, e.g., TFTM, TFTM sub-committee, Management Council/sub-committee
  • Similarly, responsibility for formal approval should be an IDESG entity
• Potential deliverables/documentation:
  • Approval process description and policy
Process and Components
• Process through which IDESG approval of an ecosystem participant’s self-assessment and attestation is publicly represented
  • Expresses conformance with IDESG requirements to other ecosystem participants and the general public
• Multiple means to express conformance
  • Certificate – a formal certification issued by IDESG
  • Trustmark – a visual/electronic symbol that is licensed for use/display by approved service providers and ecosystem participants
  • Registry or “Trust” List – an IDESG-hosted site that lists approved service providers and approved ecosystem participants
  • These options will be explored more fully in future discussions
• Deliverables/Documents
  • Recognition Approach
Process and Components
• Process by which the IDESG confirms continued compliance with IDESG requirements and rules.
• Could be:
  • Re-assessment and attestation after a set period
  • Updated attestation of continued compliance
• Initial process should be stated up front as part of the 2014 attestation process and documents
  • Could be expressed as an “expiration” or renewal date (e.g., annual, bi-annual)
• Deliverables/Documents
  • Ongoing compliance approach (may be included in attestation guidance)
Potential TFTM Deliverables
• Application Template
  • Bona Fides Requirements
• Self Assessment Form/Template
  • Conformance Criteria, Compliance Questionnaire or something similar
• Attestation Forms/Documentation
• Approval Process Description and Policy
• Recognition Approach
• Ongoing Compliance Approach
Next Steps Summary
• Analyze/discuss existing self-certification and self-assessment programs
  • Cloud Security Alliance STAR Program
• Gain consensus on deliverable list and program components
• Develop timelines and milestones for deliverables
• Begin development of self-assessment and attestation deliverables