ISO IEC 24760-3:2016 download free

06-26-2021 comment

ISO/IEC 24760-3:2016, Information technology — Security techniques — A framework for identity management — Part 3: Practice.
Data processing systems commonly gather a range of information on their users, be it a person, piece of equipment, or piece of software connected to it, and make decisions based on the gathered information. Such identity-based decisions may concern access to applications or other resources.
To address the need to efficiently and effectively implement systems that make identity-based decisions, ISO/IEC 24760 specifies a framework for the issuance, administration, and use of data that serves to characterize individuals, organizations or information technology components, which operate on behalf of individuals or organizations.
For many organizations, the proper management of identity information is crucial to maintain security of the organizational processes. For individuals, correct identity management is important to protect privacy.
This part of ISO/IEC 24760 specifies fundamental concepts and operational structures of identity management with the purpose to realize information system management, so that information systems can meet business, contractual, regulatory and legal obligations.
This part of ISO/IEC 24760 presents practices for identity management. These practices cover assurance in controlling identity information use, controlling the access to identity information and other resources based on identity information, and controlling objectives that should be implemented when establishing and maintaining an identity management system.
This part of ISO/IEC 24760 consists of the following parts:
— ISO/IEC 24760-1: Terminology and concepts;
— ISO/IEC 24760-2: Reference architecture and requirements;
— ISO/IEC 24760-3: Practice.
ISO/IEC 24760 is intended to provide foundations for other identity management related International Standards including the following:
— ISO/IEC 29100, Privacy framework;
— ISO/IEC 29101, Privacy reference architecture;
— ISO/IEC 29115, Entity authentication assurance framework;
— ISO/IEC 29146, A framework for access management.
1 Scope
This part of ISO/IEC 24760 provides guidance for the management of identity information and for ensuring that an identity management system conforms to ISO/IEC 24760-1 and ISO/IEC 24760-2.
This part of ISO/IEC 24760 is applicable to an identity management system where identifiers or PII relating to entities are acquired, processed, stored, transferred or used for the purposes of identifying or authenticating entities and/or for the purpose of decision making using attributes of entities. Practices for identity management can also be addressed in other standards.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 24760-1, Information technology — Security techniques — A framework for identity management — Part 1: Terminology and concepts
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 24760-1 and the following apply.
identity management system
system comprising of policies, procedures, technology and other resources for maintaining identity information including metadata
[SOURCE: ISO/IEC 24760-2:2015, 3.3]
identity profile
identity containing attributes specified by an identity template
identity template
definition of a specific set of attributes
Note 1 to entry: Typically the attributes in a profile are to support a particular technical or business purpose as needed by relying parties.
identity theft
result of a successful false claim of identity
An attribute in an identity profile may be associated with a level of assurance. Using an identity profile with associated levels of assurance to present identity information shall imply that each item of information has been validated at minimally its associated level of assurance. An identity profile specifying requirements for access to services or resources may be associated with a specific additional entity identifier that may indicate the activities linked to the specific privileges.
6 Identity information and identifiers
6.1 Overview
Organizations should understand the information security concerns for their business and for compliance with relevant legislation and should provide management support to meet the business needs. In regard to identity management, organizations should understand their liabilities and ensure that adequate controls are implemented to mitigate the risks and consequences of identity information leakage, corruption and loss of availability when collecting, storing, using, transmitting and disposing of identity information. Organizations should specify control objectives and controls to ensure that information security requirements are met.
6.2 Policy on accessing identity information
The identity information pertaining to an entity should be managed to ensure the following:
— identity information remains accurate and up-to-date over time;
— only authorized entities have access to the identity information and are accountable for all uses and changes in identity information, guaranteeing traceability of any processing of identity information by any entity, whether a person, a process or a system;
— the organization fulfils its obligations with respect to regulations and contractual agreements;
— principals are protected against the risk of identity-related theft and other identity-related crime.
NOTE Typically an information security policy highlights the necessity to securely manage identity information. The preservation and protection of any entity's identity information is also required when dealing with third parties, as typically documented within the operational procedures.
6.3 Identifiers
6.3.1 General
An identifier allows distinguishing unambiguously one entity from another entity in a domain of applicability. An entity may have multiple, different identifiers in the same domain. This may facilitate the representation of the entity in some situations, e.g. hiding the entity's identity when providing the entity's identity information for use in some processes or within some systems. An identifier created in one domain may be reused intentionally in another domain provided the reused identifier continues to provide uniqueness of identity within the other domain.
6.3.2 Categorization of identifier by the type of entity to which the identifier is linked
Person identifiers
A person identifier may be, e.g. a full name, a date of birth, a place of birth, or various pseudonyms, such as a number assigned by an authority as a reference, e.g. a passport number, a national identity number or an identity-card number.
8.32 Controlling an identity management system
Objective
To ensure an identity management system is enclosing mechanisms for preserving and maintaining identity information.
8.322 Accessing an identity management system
Control
Access to an identity management system shall be limited to people dedicated to its maintenance, identity information providers and relying parties, and to individuals for the consultation of information collected on their person in the context of privacy protection.
Implementation guidance
An information management system should develop the required interfaces to provide access to the need-to-have entities, with appropriate rights authorized by the identity information authority or the identity registration authority.
Required components of an identity management system
An identity management system shall include, at a minimum:
— repository of identity information related to the entities recognized in its domains, possibly organised using identity templates,
— management system operating under a unified policy, capable of collecting identity information from various validated sources (attributes domains of origins), and deleting the information when the conditions for storing identity information cease to exist,
— management interfaces for providing access to identity information, and
— storage component archiving the information on entities that ceased to exist.
Implementation guidance
Identity management systems may vary in components depending on the model developed for their implementation. It is also very common to see an identity management function on a system dedicated to running organizational functions, such as human resource management or procurement management, as these systems represent the main authoritative sources for an IMS. However, an identity management system should remain independent from any other IT system in a domain, as it responds to functional requirements largely different from these other management functions.
Auditing an identity management system
An identity management system shall be assessed or audited on a regular basis (annually per default).
Implementation guidance
The audit or assessment should validate that the identity management system is operating in accordance with its documented policies and procedures and is compliant with legal and other externally imposed requirements, e.g. privacy requirements.
