Report of the
Identity Theft Prevention and
Identity Management
Standards Panel
Webinar on the Release of the IDSP Report
January 31, 2008
Webinar Agenda
1. Speaker Introductions – IDSP Chair
2. Overview of IDSP Process and Deliverables – IDSP Chair
3. Findings and Recommendations – IDSP Working Group Co-Chairs
4. Industry Analyst Perspectives
5. Question & Answer Period
Today’s Speakers
IDSP Chairman (Master of Ceremonies)
Joseph V. Gurreri, III
President, CorporatePlanningGroup.NET
Former VP, General Manager,
Global Solutions Development
TransUnion
Today’s Speakers (contd.)
Co-Chairs
Working Group 1 - Issuance
James E. Lee
President, C2M2 Associates, LLC
Former SVP and Chief Public
& Consumer Affairs Officer
ChoicePoint
James X. Dempsey
Policy Director
Center for Democracy and Technology
Today’s Speakers (contd.)
Co-Chairs
Working Group 2 - Exchange
Julie Fergerson
VP of Emerging Technologies
Debix, The Identity Protection Network
Working Group 3 - Maintenance
George K. “Chip” Tsantes
EVP and Chief Technology Officer
Intersections Inc.
Today’s Speakers (contd.)
Industry Analysts
James Van Dyke
President and Founder
Javelin Strategy & Research
Larry Ponemon
Founder and Chairman
Ponemon Institute
What is the IDSP?
Cross-sector coordinating body focused on preventing ID Theft
  Identify existing standards, guidelines and best practices
  Analyze gaps, need for new standards, leading to improvements
  Make catalogue available to businesses, government, consumers
Jointly administered by the American National Standards Institute (ANSI) and the Better Business Bureau (BBB)
  ANSI – coordinator of the U.S. standardization system
  BBB – advancing trust in the marketplace
Launched September 13, 2006 – a 16 month effort
165 representatives from 78 organizations
IDSP Webinar | January 31, 2008 Slide 7
Charter
In Scope:
  Inventory of existing standards
  Index standards
  Gap analysis of current standards
Out of Scope:
  Modification of existing standards
  Rank ordering standards
  Developing new standards
Founding Partners
A diverse group of organizations
Steering Committee
Composition
Chairman – Joseph V. Gurreri, III
Founding Partners
At Large Members
AARP
Accredited Standards Committee X9
Affinion Group
Alliance for Telecommunications Industry Solutions
American Financial Services Assn.
AOL LLC
ARMA International
Center for Democracy and Technology
Debix
Fellowes, Inc.
General Services Administration
KPMG
National Institute of Standards and Technology
North American Security Products Organization
Pay By Touch
Telecommunications Industry Assn.
Underwriters Laboratories Inc.
Working Groups
Definitions
WG 1 Issuance: Standards relating to issuance of identity documents by government and commercial entities
WG 2 Exchange: Standards relating to acceptance and exchange of identity information
WG 3 Maintenance: Standards relating to ongoing maintenance and management of identity information
First Deliverable
Standards Inventory – Volume II, Final Report
Working Groups Catalogued into a SINGLE Resource . . .
  Existing Standards, Guidelines and Best Practices – PRIVATE AND PUBLIC SECTOR
  Laws / Regulations
  Proposed Legislation
  White Papers
  Conformity Assessment Programs
  Glossaries of Identity Terms
  Research Studies / Reports
Market Survey and ANSI Database Search filled out Inventory
Sample Entry
Standards Inventory – Volume II, Final Report
Developer/Source: ISO/IEC
Designation: ISO/IEC 27002:2005
Title: Information technology - Security techniques - Code of practice for information security management
Description/Scope: ISO/IEC 27002:2005 establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. The objectives outlined provide general guidance on the commonly accepted goals of information security management. ISO/IEC 27002:2005 contains best practices of control objectives and controls in the following areas of information security management: security policy; organization of information security; asset management; human resources security; physical and environmental security; communications and operations management; access control; information systems acquisition, development and maintenance; information security incident management; business continuity management; compliance.
Relevance to IDSP Working Group: 3
Second Deliverable
Findings and Recommendations – Volume I, Final Report
WGs Described / Prioritized Identity Fraud-Related Problems
Considered Range of Possible Solutions to Identify Gaps
New Account Processing Identified as a Risk Scenario
Two Process Flows Created to Facilitate Gap Analysis
  Birth of a Citizen and Acquisition of ID Credentials
  Typical New Account Establishment Procedure
WGs Performed Gap Analysis Against these Flows / Identified Problem Areas
Considered Items Referenced in Standards Inventory
Plenary Meeting / Full Panel Discussion
Drafting / Review of Report and Recommendations
Issuance of Identity Credentials
Enhance Security of Issuance Process
Recommendation #1
Issue standards for birth certificates and Social Security cards
  National Ctr. for Health Statistics and Social Security Admin. should do so under the Intelligence Reform and Terrorism Prevention Act of 2004
Improve communication / cooperation between government agencies and private sector
  National Assn. for Public Health Statistics & Information Systems should expand government agencies' use of the Electronic Verification of Vital Events system
Issuance of Identity Credentials
Enhance Security of Issuance Process (contd.)
Recommendation #1
Government / industry should dialogue about cross-application of existing security standards for identity issuance processes, and new standards development as appropriate
Government / commercial ID issuers should give further attention to secure delivery of credentials to end user
Issuance of Identity Credentials
Augment Private Sector Commercial Issuance Processes
Recommendation #2
Government / industry need to dialogue about greater interoperability between public / private sector ID theft prevention mechanisms
Private sector could benefit from appropriate and secure access to government vital records systems
Issuance of Identity Credentials
Improve the Integrity of Identity Credentials
Recommendation #3
Document Security Alliance and North American Security Products Organization (NASPO) should proceed with project to measure effectiveness of document security technologies
Department of Homeland Security should work with issue stakeholders to develop adversarial testing standards
NASPO, SIA and SEMI in North America – and CEN in Europe – should proceed with standards for secure serialization anti-counterfeiting technology
Exchange of Identity Data
Strengthen Best Practices for Authentication
Recommendation #4
Financial Institutions and credit grantors should take into account level of risk, cost and convenience when determining an appropriate authentication procedure
  Should not use easily-obtainable personal information such as Social Security numbers as sole authenticators
Financial regulatory agencies and FFIEC are encouraged to review the sufficiency of authentication practices for online banking
Exchange of Identity Data
Strengthen Best Practices for Authentication (contd.)
Recommendation #4
Industry and standards developers are encouraged to continue to develop trusted networks for multi-factor mutual authentication
Public and private sectors should implement systems to allow physical ID documents to be validated in real time
FTC and financial regulatory agencies should provide guidance on best practices for credit grantors responding to fraud alerts
Exchange of Identity Data
Strengthen Best Practices for Authentication (contd.)
Recommendation #4
Social Security Admin. should work with private sector on a mechanism that enables companies to verify if a Social Security number belongs to a minor
Stakeholders should consider best practices / consumer education to help protect the elderly and terminally ill from fiduciary abuse
Social Security Admin. should work with states and private sector to improve notification when someone is classified as deceased
FTC should consider enhanced ID theft protection for active duty military
Exchange of Identity Data
Increase Understanding / Usability of Security Freezes
Recommendation #5
Lenders, government agencies, consumer advocacy groups, credit reporting agencies and others should continue to support consumer education on benefits and limitations of security freezes
Maintenance of Identity Information
Enhance Data Security Management Best Practices
Recommendation #6
ISO/IEC, PCI Security Standards Council, NASPO and other standards developers should review / augment existing data security management standards (or develop new ones) to:
  Define the frequency of periodic employee security training and content of an employee awareness program
  Clarify requirements for data access credentialing and background checks
  Provide guidance on continuous review of access credentials and privileges
Maintenance of Identity Information
Enhance Data Security Management Best Practices (contd.)
Recommendation #6
  Develop targeted guidance for industry sectors that are not regulated or that do not have standards
  Provide guidance to ensure downstream vendors are secure
  Implement an ongoing program of security re-evaluation
  Develop a security breach risk assessment for insurance purposes
Maintenance of Identity Information
Augment Best Practices for Sensitive Data Collection, Retention and Access
Recommendation #7
Industry, Small Business Admin., Chambers of Commerce and similar organizations need to develop and distribute practical guidance for small businesses on data collection, retention and access
Industry and key government stakeholders (FTC, OMB, SSA) need to develop uniform guidance on the collection, use and retention of Social Security numbers
Maintenance of Identity Information
Create Uniform Guidance on Data Breach Notification and Remediation
Recommendation #8
Issue stakeholders need to dialogue on the desirability / feasibility of developing a private sector standard for data breach notification, recognizing there are tradeoffs
Industry should assemble a cross-sector forum to develop uniform guidance on consumer remediation in the event of a data compromise
Issue stakeholders should educate / reinforce ID theft prevention strategies to consumers
Industry Analyst Perspectives
James Van Dyke
President and Founder
Javelin Strategy & Research
Larry Ponemon
Founder and Chairman
Ponemon Institute
Question & Answer Period
For more information, or to download the Report, please visit www.ansi.org/idsp
Thank You!