
Gatekeeper PKI Framework

February 2009 Threat and Risk Organisation Listing Requirements

Department of Finance and Deregulation
Australian Government Information Management Office

Commonwealth of Australia 2009

This work is copyright. Apart from any use as permitted under the Copyright Act 1968, no part may be reproduced by any process without prior written permission from the Commonwealth. Requests and inquiries concerning reproduction and rights should be addressed to the Commonwealth Copyright Administration, Attorney-General's Department, Robert Garran Offices, National Circuit, Barton ACT 2600 or posted at http://www.ag.gov.au/cca

CONTENTS

1. INTRODUCTION  4
2. THREAT AND RISK ASSESSMENT  6
   2.1 Purpose  6
   2.2 Elements  6
3. EVIDENCE OF IDENTITY INFORMATION  7
   (a) Individual  7
   (b) Organisation  7
4. SECURITY AND INTEGRITY OF DATA HOLDINGS  8

Table 1: Policies and procedures for Gatekeeper Listing of Threat / Risk Organisations  9


1. INTRODUCTION
The Gatekeeper Public Key Infrastructure Framework enables an Organisation to establish its internal identity verification and management processes as equivalent to Gatekeeper Evidence of Identity (EOI) requirements (i.e. a face-to-face evidence of identity check including photographic and signature verification) by means of an independent threat and risk assessment. Under the Framework, an Organisation can be Listed as a Threat / Risk Organisation (TRO) if it is able to demonstrate via a Threat and Risk Assessment that its internal EOI processes are equivalent (from a risk perspective) to Gatekeeper EOI Policy and are managed in accordance with the TRO Listing Requirements.

Further information can be found in the Threat and Risk Assessment Template. The template can be used by both the Organisation seeking to become listed as a TRO and the independent assessor conducting the TRA.

TROs are introduced to reduce the administrative burden and cost to applicants for digital certificates by removing the requirement for a face-to-face EOI check at the time an application for a digital certificate is submitted. The TRO approach provides a further opportunity for those Organisations which do not meet Gatekeeper's requirements for a Known Customer Organisation but whose internal data holdings are risk assessed as adequate.

Subject to the boxed text below, TROs will not be required to undergo a formal accreditation process under Gatekeeper but must be Listed under Gatekeeper. Listing will be a formal acknowledgement that the Organisation has satisfied specific Gatekeeper requirements and will provide the necessary assurance to Relying Parties and Subscribers.

All Gatekeeper documents referenced in this document are available at www.gatekeeper.gov.au.

Where a Threat / Risk Organisation performs any of the functions normally associated with either a Certification Authority or an Extended Services Registration Authority, then it must undergo Gatekeeper Accreditation as appropriate.


In order to be Listed, a TRO is required to demonstrate that it has:

1. undergone an independent Threat and Risk Assessment of its data holdings by a member of the Gatekeeper Audit Panel (selected by the Organisation) for the purpose of evaluating the adequacy of its EOI information holdings as a basis for requesting issuance of a Digital Certificate;
2. implemented and maintained appropriate risk mitigation strategies;
3. established policies and procedures to ensure the on-going security and integrity of its data holdings;
4. committed to the Gatekeeper Core Obligations Policy;
5. a Privacy Management Strategy; and
6. a Liability policy.

In addition, Listed TROs are required to undergo an annual compliance audit in accordance with Gatekeeper Policies and Criteria.


2. THREAT AND RISK ASSESSMENT


The overarching objective is to independently determine whether the risks associated with an Organisation's internal identity verification and management processes are lower than, equivalent to or higher than the risks related to the EOI checks conducted in accordance with Gatekeeper EOI Policy.

Where the threats and risks are assessed as higher, the Organisation will not be listed by Gatekeeper as a TRO until such time as it has implemented appropriate risk mitigation strategies and those measures have been independently assessed as adequate.

2.1 Purpose

The purpose is to:

1. establish whether or not, from a risk perspective, an Organisation's mechanisms for establishing the identity of its clients on an on-going basis are equivalent to a face-to-face EOI check in accordance with Gatekeeper EOI Policy; and
2. ensure that the Organisation's internal data management processes are sufficient to meet the requirements for listing as a TRO.

2.2 Elements

1. Assess the nature and integrity of the initial identity verification of Clients against known fraud and identity theft risks.
2. Assess the integrity of the Organisation's EOI processes (including the ongoing transactional relationship between the Organisation and its clients) against known fraud and identity theft risks.
3. Assess the above outcomes against known risks associated with Gatekeeper EOI Policy requirements as specified below:
   - face-to-face;
   - current photograph;
   - signature verification;
   - data security (storage / access / transmission) as it applies to an Accredited Registration Authority.

A TRO must commission a member of the Gatekeeper Audit Panel to conduct a Threat and Risk Assessment (TRA) of its internal data holdings and identity management practices. The TRA must follow the format set out in AS/NZS 4360:2004 Risk Management.

3. EVIDENCE OF IDENTITY INFORMATION


The TRA must:

- document the Organisation's procedures for obtaining initial evidence of identity information;
- document the Organisation's internal data management practices, including in particular management of name/address changes and data cleansing programs;
- critically assess the extent to which the Organisation's data holdings enable it to demonstrate an equivalent outcome to the Gatekeeper Binding requirements; and
- identify all risk mitigation strategies employed by the Organisation in relation to its data holdings and assess the extent to which they are effective.

A central aspect of the TRA will be to determine whether the Organisation's internal identity verification and management processes deliver equivalent outcomes in relation to the Gatekeeper Binding requirements (see the tables below).

(a) Individual

EOI Step: Bind the physical person to the documented name of the individual.
Binding Mechanism: Face-to-face EOI; current photograph; signature validation.

(b) Organisation

EOI Step: Bind the Organisation to a documented business name and to an Australian Business Number (if appropriate).
Binding Mechanism: Australian Business Register (ABR) search; Australian Securities and Investment Commission (ASIC) search.

EOI Step: Bind the physical person to the documented name of the individual.
Binding Mechanism: Face-to-face EOI including provision of a current photograph and signature validation.

EOI Step: Bind the employee to the Organisation.
Binding Mechanism: Letter of Authority signed by Authoriser.

EOI Step: Bind the person (Authoriser: a person with a clear capacity to commit the business) who gives the employee the authority to apply for or be issued with a Certificate on behalf of the Organisation.
Binding Mechanism: ASIC check; ABR search; and/or out-of-band checks such as phone verification.

4. SECURITY AND INTEGRITY OF DATA HOLDINGS


A TRO has extensive data holdings which are used as the basis for requesting a Certification Authority to issue digital certificates in the General Category to its clients. The overall security and integrity of these holdings are therefore of paramount concern. It is essential to provide a level of assurance to Relying Parties that TROs have established appropriate policies and practices to ensure the security of their data holdings and also their integrity on an on-going basis.

To meet the Gatekeeper TRO requirements, the Organisation will be required to demonstrate its compliance with the security requirements set out in Table 1 below. A TRO will be required to provide the Gatekeeper Competent Authority with documentation on its policies and procedures for managing data integrity, privacy and liability for review.

Rather than undergoing a formal evaluation of the security and integrity of the data holdings, the TRO, through its Facility Security Officer, will self-declare that it has met the necessary security requirements stipulated in the table below. Where appropriate, a review by an approved IT security assessor and/or a Gatekeeper Physical Security Evaluation Panel Member may be required.


Table 1: Policies and procedures for Gatekeeper Listing of Threat / Risk Organisations

Documentation / Criteria

Security
- Vetted employment profiles to at least PROTECTED for all staff with access to client data holdings
- Compliance with Commonwealth Protective Security Manual (PSM) Physical Security requirements to INTRUDER RESISTANT
- Compliance with ISM to Protected Level
- Consistency with the ANAO Better Practice Guide on Business Continuity Management at http://www.anao.gov.au/uploads/documents/Business_Continuity_Management.pdf

Operations
Organisations seeking to operate as a Threat and Risk Organisation under the Gatekeeper PKI Framework will prepare and submit the following documents to Finance for review:
1. Policies and procedures for maintenance of the accuracy and integrity of its client information holdings (in particular management of name/address changes, data cleansing programs and removal of customers that are no longer known to the Organisation)
2. Privacy Management Strategy
3. Liability Policy in relation to the accuracy of client information provided to the issuing CA
4. Risk Management Strategy
The Threat and Risk Organisation must undergo an annual compliance audit by a suitably qualified auditor of its operations against the TRO operational security and privacy criteria.

Legal
Where the TRO is an Agency, it will execute a Memorandum of Understanding with Finance relating to its on-going compliance with the security, operational and privacy requirements of Gatekeeper. Where the TRO is a commercial Organisation, this will require execution of a Deed of Agreement relating to its on-going compliance with the security, operational and privacy requirements of Gatekeeper.

Compliance
Facility Security Officer to declare compliance following review by a Gatekeeper Physical Security Panel member and an approved IT security assessor.
Review and sign-off by the Gatekeeper Competent Authority.
