8/3/2019 Threat and Risk Organisation Listing Requirements
http://slidepdf.com/reader/full/threat-and-risk-ion-listing-requirements 1/9
Gatekeeper PKI Framework
February 2009
Threat and Risk Organisation
Listing Requirements
Department of Finance and Deregulation
Australian Government Information Management Office
© Commonwealth of Australia 2009
This work is copyright. Apart from any use as permitted under the Copyright Act 1968, no part
may be reproduced by any process without prior written permission from the Commonwealth.
Requests and inquiries concerning reproduction and rights should be addressed to the
Commonwealth Copyright Administration, Attorney-General’s Department, Robert Garran
Offices, National Circuit, Barton ACT 2600 or posted at http://www.ag.gov.au/cca
Threat and Risk Organisation Listing Requirements
February 2009
3
CONTENTS
1. INTRODUCTION....................................................................................................4
2. THREAT AND RISK ASSESSMENT.........................................................................6
2.1 Purpose........................................................................................................6
2.2 Elements .....................................................................................................6
3. EVIDENCE OF IDENTITY INFORMATION .............................................................7
(a) Individual ....................................................................................................7
(b) Organisation...............................................................................................7
4. SECURITY AND INTEGRITY OF DATA HOLDINGS ...............................................8
Table 1: Policies and procedures for Gatekeeper Listing of Threat / Risk Organisations ......9
1. INTRODUCTION
The Gatekeeper Public Key Infrastructure Framework enables an Organisation
to establish its internal identity verification and management processes as
equivalent to Gatekeeper Evidence of Identity (EOI) requirements (i.e. a face-to-
face evidence of identity check including photographic and signature
verification) by means of an independent threat and risk assessment.
Under the Framework, an Organisation can be Listed as a Threat / Risk
Organisation (TRO) if it is able to demonstrate via a Threat and Risk Assessment
that its internal EOI processes are
• equivalent (from a risk perspective) to Gatekeeper EOI Policy; and
• managed in accordance with TRO Listing Requirements.
Further information can be found in the Threat and Risk Assessment Template.
The template can be used by both the Organisation seeking to become listed as
a TRO and the independent assessor conducting the TRA.
TROs are introduced to reduce the administrative burden and cost to applicants
for digital certificates by removing the requirement for a face-to-face EOI check
at the time an application for a digital certificate is submitted. The TRO
approach provides a further opportunity for those Organisations which do not
meet Gatekeeper’s requirements for a Known Customer Organisation but whose
internal data holdings are risk assessed as adequate.
Subject to the boxed text below, TROs will not be required to undergo a formal
accreditation process under Gatekeeper but must be Listed under Gatekeeper.
Listing will be a formal acknowledgement that the Organisation has satisfied
specific Gatekeeper requirements and will provide the necessary assurance to
Relying Parties and Subscribers.
All Gatekeeper documents referenced in this document are available at
www.gatekeeper.gov.au.
Where a Threat / Risk Organisation performs any of the functions
normally associated with either a Certification Authority or an
Extended Services Registration Authority, then it must undergo
Gatekeeper Accreditation as appropriate.
In order to be Listed, a TRO is required to demonstrate that it has:
1. undergone an independent Threat and Risk Assessment of its data
holdings by a member of the Gatekeeper Audit Panel (selected by the
Organisation) for the purpose of evaluating the adequacy of its EOI
information holdings as a basis for requesting issuance of a Digital
Certificate;
2. implemented and maintained appropriate risk mitigation strategies;
3. established policies and procedures to ensure the on-going security and
integrity of its data holdings;
4. committed to the Gatekeeper Core Obligations Policy;
5. a Privacy Management Strategy; and
6. a Liability policy.
In addition, Listed TROs are required to undergo an annual compliance audit in
accordance with Gatekeeper Policies and Criteria.
2. THREAT AND RISK ASSESSMENT
The overarching objective is to independently determine if the risks associated
with an Organisation’s internal identity verification and management
processes are lesser, equivalent or higher than those risks related to the EOI
checks conducted in accordance with Gatekeeper EOI Policy.
Where the threats and risks are assessed as higher, the Organisation
will not be listed by Gatekeeper as a TRO until such time as it has
implemented appropriate risk mitigation strategies and those
measures have been independently assessed as adequate.
2.1 Purpose
The purpose is to:
1. establish whether or not, from a risk perspective, an Organisation’s
mechanisms for establishing the identity of its clients on an on-going
basis are equivalent to a face-to-face EOI check in accordance with
Gatekeeper EOI Policy; and
2. ensure that the Organisation’s internal data management processes are
sufficient to meet the requirements for listing as a TRO.
2.2 Elements
1. Assess nature and integrity of initial identity verification of Clients
against known fraud and identity theft risks.
2. Assess the integrity of the Organisation’s EOI processes (including the
ongoing transactional relationship between the Organisation and its
clients) against known fraud and identity theft risks.
3. Assess above outcomes against known risks associated with Gatekeeper
EOI Policy requirements as specified below:
• face-to-face
• current photograph
• signature verification
• data security – storage / access / transmission as it applies to an
Accredited Registration Authority.
A TRO must commission a member of the Gatekeeper Audit Panel to conduct a
Threat and Risk Assessment (TRA) of its internal data holdings and identity
management practices. The TRA must follow the format set out in
AS/NZS 4360:2004 Risk Management.
3. EVIDENCE OF IDENTITY INFORMATION
The TRA must:
• document the Organisation’s procedures for obtaining initial evidence
of identity information;
• document the Organisation’s internal data management practices
including in particular management of name/address changes, data
cleansing programs;
• critically assess the extent to which the Organisation’s data holdings
enable it to demonstrate an equivalent outcome to the Gatekeeper
Binding requirements; and
• identify all risk mitigation strategies employed by the Organisation in
relation to its data holdings and assess the extent to which they are
effective.
A central aspect of the TRA will be to determine whether the Organisation’s internal
identity verification and management processes deliver equivalent outcomes in
relation to the Gatekeeper Binding requirements (see Tables below).
(a) Individual

EOI Step: Bind the physical person to the documented name of the individual
Binding Mechanism: Face-to-face EOI; current photograph; signature validation
(b) Organisation

EOI Step: Bind the Organisation to a documented business name and to an
Australian Business Number (if appropriate)
Binding Mechanism: Australian Business Register (ABR) search; Australian
Securities and Investment Commission (ASIC) search

EOI Step: Bind the physical person to the documented name of the individual
Binding Mechanism: Face-to-face EOI including provision of a current
photograph and signature validation

EOI Step: Bind the employee to the Organisation
Binding Mechanism: Letter of Authority signed by Authoriser

EOI Step: Bind the person (Authoriser – person with a clear capacity to
commit the business) who gives the employee the authority to apply for or be
issued with a Certificate on behalf of the Organisation
Binding Mechanism: ASIC check; ABR search; and/or out of band checks such as
phone verification
4. SECURITY AND INTEGRITY OF DATA HOLDINGS
A TRO has extensive data holdings which are used as the basis for requesting a
Certification Authority to issue digital certificates in the General Category to its
clients. The overall security and integrity of these holdings are therefore of
paramount concern. It is essential to provide a level of assurance to Relying
Parties that TROs have established appropriate policies and practices to ensure
the security of their data holdings and also their integrity on an on-going basis.
To meet the Gatekeeper TRO requirements, the Organisation will be required to
demonstrate its compliance with the security requirements set out in Table 1
below.
A TRO will be required to provide the Gatekeeper Competent Authority with
documentation on its policies and procedures for managing data integrity,
privacy and liability for review. Rather than undergoing a formal evaluation of
the security and integrity of the data holdings, the TRO through its Facility
Security Officer will self declare that it has met the necessary security
requirements stipulated in the Table below. Where appropriate, a review by an
approved IT security assessor and/or a Gatekeeper Physical Security Evaluation
Panel Member may be required.
Table 1: Policies and procedures for Gatekeeper Listing of Threat / Risk
Organisations

Security

Documentation / Criteria:
• Vetted employment profiles to at least “PROTECTED” for all staff with
access to client data-holdings
• Compliance with Commonwealth Protective Security Manual (PSM) Physical
Security requirements to INTRUDER RESISTANT
• Compliance with ISM to Protected Level
• Consistency with ANAO Better Practice Guide on Business Continuity
Management at
http://www.anao.gov.au/uploads/documents/Business_Continuity_Management.pdf

Compliance:
Facility Security Officer to declare compliance following review by:
• Gatekeeper Physical Security Panel member; and
• an approved IT security assessor

Operations

Documentation / Criteria:
Organisations seeking to operate as a Threat and Risk Organisation under the
Gatekeeper PKI Framework will prepare and submit the following documents to
Finance for review:
1. Policies and procedures for maintenance of the accuracy and integrity of
its client information holdings (in particular management of name/address
changes, data cleansing programs and removal of customers that are no
longer “known” to the Organisation)
2. Privacy Management Strategy
3. Liability Policy in relation to the accuracy of client information
provided to the issuing CA
4. Risk Management Strategy
The Threat and Risk Organisation must undergo an annual compliance audit by a
suitably qualified auditor of its operations against the TRO operational
security and privacy criteria.

Compliance:
Review and sign off by the Gatekeeper Competent Authority

Legal

Documentation / Criteria:
Where the TRO is an Agency, it will execute a Memorandum of Understanding
with Finance relating to its on-going compliance with the security,
operational and privacy requirements of Gatekeeper.
Where the TRO is a commercial Organisation this will require execution of a
Deed of Agreement relating to its on-going compliance with the security,
operational and privacy requirements of Gatekeeper.