Gatekeeper PKI Framework

Threat and Risk Organisation Listing Requirements

February 2009

Department of Finance and Deregulation
Australian Government Information Management Office

© Commonwealth of Australia 2009

This work is copyright. Apart from any use as permitted under the Copyright Act 1968, no part may be reproduced by any process without prior written permission from the Commonwealth. Requests and inquiries concerning reproduction and rights should be addressed to the Commonwealth Copyright Administration, Attorney-General’s Department, Robert Garran Offices, National Circuit, Barton ACT 2600 or posted at http://www.ag.gov.au/cca

Threat and Risk Organisation Listing Requirements

February 2009

CONTENTS

1.  INTRODUCTION
2.  THREAT AND RISK ASSESSMENT
2.1  Purpose
2.2  Elements
3.  EVIDENCE OF IDENTITY INFORMATION
(a)  Individual
(b)  Organisation
4.  SECURITY AND INTEGRITY OF DATA HOLDINGS
Table 1: Policies and procedures for Gatekeeper Listing of Threat / Risk Organisations

1. INTRODUCTION

The Gatekeeper Public Key Infrastructure Framework enables an Organisation to establish its internal identity verification and management processes as equivalent to Gatekeeper Evidence of Identity (EOI) requirements (i.e. a face-to-face evidence of identity check including photographic and signature verification) by means of an independent threat and risk assessment.

Under the Framework, an Organisation can be Listed as a Threat / Risk Organisation (TRO) if it is able to demonstrate via a Threat and Risk Assessment (TRA) that its internal EOI processes are

•  equivalent (from a risk perspective) to Gatekeeper EOI Policy; and
•  managed in accordance with TRO Listing Requirements.

Further information can be found in the Threat and Risk Assessment Template. The template can be used by both the Organisation seeking to become listed as a TRO and the independent assessor conducting the TRA.

TROs are introduced to reduce the administrative burden and cost to applicants for digital certificates by removing the requirement for a face-to-face EOI check at the time an application for a digital certificate is submitted. The TRO approach provides a further opportunity for those Organisations which do not meet Gatekeeper’s requirements for a Known Customer Organisation but whose internal data holdings are risk assessed as adequate.

Subject to the boxed text below, TROs will not be required to undergo a formal accreditation process under Gatekeeper but must be Listed under Gatekeeper. Listing will be a formal acknowledgement that the Organisation has satisfied specific Gatekeeper requirements and will provide the necessary assurance to Relying Parties and Subscribers.

All Gatekeeper documents referenced in this document are available at www.gatekeeper.gov.au.

Where a Threat / Risk Organisation performs any of the functions normally associated with either a Certification Authority or an Extended Services Registration Authority, then it must undergo Gatekeeper Accreditation as appropriate.

In order to be Listed, a TRO is required to demonstrate that it has:

1.  undergone an independent Threat and Risk Assessment of its data holdings by a member of the Gatekeeper Audit Panel (selected by the Organisation) for the purpose of evaluating the adequacy of its EOI information holdings as a basis for requesting issuance of a Digital Certificate;
2.  implemented and maintained appropriate risk mitigation strategies;
3.  established policies and procedures to ensure the on-going security and integrity of its data holdings;
4.  committed to the Gatekeeper Core Obligations Policy;
5.  a Privacy Management Strategy; and
6.  a Liability Policy.

In addition, Listed TROs are required to undergo an annual compliance audit in accordance with Gatekeeper Policies and Criteria.

2. THREAT AND RISK ASSESSMENT

The overarching objective is to independently determine whether the risks associated with an Organisation’s internal identity verification and management processes are lower than, equivalent to or higher than the risks related to the EOI checks conducted in accordance with Gatekeeper EOI Policy.

Where the threats and risks are assessed as higher, the Organisation will not be listed by Gatekeeper as a TRO until such time as it has implemented appropriate risk mitigation strategies and those measures have been independently assessed as adequate.

2.1 Purpose

The purpose is to:

1.  establish whether or not, from a risk perspective, an Organisation’s mechanisms for establishing the identity of its clients on an on-going basis are equivalent to a face-to-face EOI check in accordance with Gatekeeper EOI Policy; and
2.  ensure that the Organisation’s internal data management processes are sufficient to meet the requirements for listing as a TRO.

2.2 Elements

1.  Assess the nature and integrity of the initial identity verification of Clients against known fraud and identity theft risks.
2.  Assess the integrity of the Organisation’s EOI processes (including the ongoing transactional relationship between the Organisation and its clients) against known fraud and identity theft risks.
3.  Assess the above outcomes against the known risks associated with the Gatekeeper EOI Policy requirements specified below:

•  face-to-face
•  current photograph
•  signature verification
•  data security – storage / access / transmission as it applies to an Accredited Registration Authority.

A TRO must commission a member of the Gatekeeper Audit Panel to conduct a Threat and Risk Assessment (TRA) of its internal data holdings and identity management practices. The TRA must follow the format set out in AS/NZS 4360:2004 Risk Management.

3.  EVIDENCE OF IDENTITY INFORMATION

The TRA must:

•  document the Organisation’s procedures for obtaining initial evidence of identity information;
•  document the Organisation’s internal data management practices, including in particular management of name/address changes and data cleansing programs;
•  critically assess the extent to which the Organisation’s data holdings enable it to demonstrate an equivalent outcome to the Gatekeeper Binding requirements; and
•  identify all risk mitigation strategies employed by the Organisation in relation to its data holdings and assess the extent to which they are effective.

A central aspect of the TRA will be to determine whether the Organisation’s internal identity verification and management processes deliver equivalent outcomes in relation to the Gatekeeper Binding requirements (see the tables below).

(a) Individual

EOI Step: Bind the physical person to the documented name of the individual.
Binding Mechanism: Face-to-face EOI; current photograph; signature validation.

(b) Organisation

EOI Step: Bind the Organisation to a documented business name and to an Australian Business Number (if appropriate).
Binding Mechanism: Australian Business Register (ABR) search; Australian Securities and Investments Commission (ASIC) search.

EOI Step: Bind the physical person to the documented name of the individual.
Binding Mechanism: Face-to-face EOI including provision of a current photograph and signature validation.

EOI Step: Bind the employee to the Organisation.
Binding Mechanism: Letter of Authority signed by the Authoriser.

EOI Step: Bind the person (the Authoriser, a person with a clear capacity to commit the business) who gives the employee the authority to apply for or be issued with a Certificate on behalf of the Organisation.
Binding Mechanism: ASIC check; ABR search; and/or out-of-band checks such as phone verification.

4.  SECURITY AND INTEGRITY OF DATA HOLDINGS

A TRO has extensive data holdings which are used as the basis for requesting a Certification Authority to issue digital certificates in the General Category to its clients. The overall security and integrity of these holdings are therefore of paramount concern. It is essential to provide a level of assurance to Relying Parties that TROs have established appropriate policies and practices to ensure the security of their data holdings and also their integrity on an on-going basis.

To meet the Gatekeeper TRO requirements, the Organisation will be required to demonstrate its compliance with the security requirements set out in Table 1 below.

A TRO will be required to provide the Gatekeeper Competent Authority with documentation on its policies and procedures for managing data integrity, privacy and liability for review. Rather than undergoing a formal evaluation of the security and integrity of the data holdings, the TRO, through its Facility Security Officer, will self-declare that it has met the necessary security requirements stipulated in the table below. Where appropriate, a review by an approved IT security assessor and/or a Gatekeeper Physical Security Evaluation Panel Member may be required.


Table 1: Policies and procedures for Gatekeeper Listing of Threat / Risk Organisations

Security

Documentation / Criteria:
•  Vetted employment profiles to at least “PROTECTED” for all staff with access to client data holdings
•  Compliance with Commonwealth Protective Security Manual (PSM) Physical Security requirements to INTRUDER RESISTANT
•  Compliance with ISM to Protected Level
•  Consistency with ANAO Better Practice Guide on Business Continuity Management at http://www.anao.gov.au/uploads/documents/Business_Continuity_Management.pdf

Compliance:
Facility Security Officer to declare compliance following review by:
•  a Gatekeeper Physical Security Panel member; and
•  an approved IT security assessor

Operations

Documentation / Criteria:
Organisations seeking to operate as a Threat and Risk Organisation under the Gatekeeper PKI Framework will prepare and submit the following documents to Finance for review:
1.  Policies and procedures for maintenance of the accuracy and integrity of its client information holdings (in particular management of name/address changes, data cleansing programs and removal of customers that are no longer “known” to the Organisation)
2.  Privacy Management Strategy
3.  Liability Policy in relation to the accuracy of client information provided to the issuing CA
4.  Risk Management Strategy

The Threat and Risk Organisation must undergo an annual compliance audit by a suitably qualified auditor of its operations against the TRO operational security and privacy criteria.

Compliance:
Review and sign-off by the Gatekeeper Competent Authority

Legal

Documentation / Criteria:
Where the TRO is an Agency, it will execute a Memorandum of Understanding with Finance relating to its on-going compliance with the security, operational and privacy requirements of Gatekeeper.

Where the TRO is a commercial Organisation, this will require execution of a Deed of Agreement relating to its on-going compliance with the security, operational and privacy requirements of Gatekeeper.

