Report of the Identity Theft Prevention and Identity Management Standards Panel
Webinar on the Release of the IDSP Report
January 31, 2008

Webinar Agenda
1. Speaker Introductions – IDSP Chair
2. Overview of IDSP Process and Deliverables – IDSP Chair
3. Findings and Recommendations – IDSP Working Group Co-Chairs
4. Industry Analyst Perspectives
5. Question & Answer Period

Today's Speakers
IDSP Chairman (Master of Ceremonies)
- Joseph V. Gurreri, III, President, CorporatePlanningGroup.NET; Former VP, General Manager, Global Solutions Development, TransUnion

Today's Speakers (contd.)
Co-Chairs, Working Group 1 – Issuance
- James E. Lee, President, C2M2 Associates, LLC; Former SVP and Chief Public & Consumer Affairs Officer, ChoicePoint
- James X. Dempsey, Policy Director, Center for Democracy and Technology

Today's Speakers (contd.)
Co-Chairs
Working Group 2 – Exchange
- Julie Fergerson, VP of Emerging Technologies, Debix, The Identity Protection Network
Working Group 3 – Maintenance
- George K. "Chip" Tsantes, EVP and Chief Technology Officer, Intersections Inc.

Today's Speakers (contd.)
Industry Analysts
- James Van Dyke, President and Founder, Javelin Strategy & Research
- Larry Ponemon, Founder and Chairman, Ponemon Institute

What is the IDSP?
- Cross-sector coordinating body focused on preventing ID theft
  - Identify existing standards, guidelines and best practices
  - Analyze gaps and the need for new standards, leading to improvements
  - Make the catalogue available to businesses, government and consumers
- Jointly administered by the American National Standards Institute (ANSI) and the Better Business Bureau (BBB)
  - ANSI – coordinator of the U.S. standardization system
  - BBB – advancing trust in the marketplace
- Launched September 13, 2006 – a 16-month effort
- 165 representatives from 78 organizations
IDSP Webinar | January 31, 2008 | Slide 7

Charter
In Scope:
- Inventory of existing standards
- Index standards
- Gap analysis of current standards
Out of Scope:
- Modification of existing standards
- Rank ordering standards
- Developing new standards

Founding Partners
A diverse group of organizations

Steering Committee Composition
Chairman – Joseph V. Gurreri, III
Founding Partners and At Large Members:
- AARP
- Accredited Standards Committee X9
- Affinion Group
- Alliance for Telecommunications Industry Solutions
- American Financial Services Assn.
- AOL LLC
- ARMA International
- Center for Democracy and Technology
- Debix
- Fellowes, Inc.
- General Services Administration
- KPMG
- National Institute of Standards and Technology
- North American Security Products Organization
- Pay By Touch
- Telecommunications Industry Assn.
- Underwriters Laboratories Inc.

Working Groups Definitions
- WG 1 – Issuance: Standards relating to issuance of identity documents by government and commercial entities
- WG 2 – Exchange: Standards relating to acceptance and exchange of identity information
- WG 3 – Maintenance: Standards relating to ongoing maintenance and management of identity information

First Deliverable: Standards Inventory – Volume II, Final Report
- Working Groups catalogued into a SINGLE resource the existing standards, guidelines and best practices of the private and public sector:
  - Laws / Regulations
  - Proposed Legislation
  - White Papers
  - Conformity Assessment Programs
  - Glossaries of Identity Terms
  - Research Studies / Reports
- A market survey and an ANSI database search filled out the Inventory

Sample Entry: Standards Inventory – Volume II, Final Report
Developer/Source: ISO/IEC
Designation: ISO/IEC 27002:2005
Title: Information technology – Security techniques – Code of practice for information security management
Description/Scope: ISO/IEC 27002:2005 establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. The objectives outlined provide general guidance on the commonly accepted goals of information security management. ISO/IEC 27002:2005 contains best practices of control objectives and controls in the following areas of information security management: security policy; organization of information security; asset management; human resources security; physical and environmental security; communications and operations management; access control; information systems acquisition, development and maintenance; information security incident management; business continuity management; compliance.
Relevance to IDSP Working Group: 3

Second Deliverable: Findings and Recommendations – Volume I, Final Report
- WGs described / prioritized identity fraud-related problems
- Considered a range of possible solutions to identify gaps
- New account processing identified as a risk scenario
- Two process flows created to facilitate gap analysis:
  - Birth of a citizen and acquisition of ID credentials
  - Typical new account establishment procedure
- WGs performed gap analysis against these flows / identified problem areas
- Considered items referenced in the Standards Inventory
- Plenary meeting / full panel discussion
- Drafting / review of report and recommendations

Issuance of Identity Credentials – Enhance Security of Issuance Process
Recommendation #1
- Issue standards for birth certificates and Social Security cards
  - National Ctr. for Health Statistics and Social Security Admin. should do so under the Intelligence Reform and Terrorism Prevention Act of 2004
- Improve communication / cooperation between government agencies and the private sector
  - National Assn. for Public Health Statistics & Information Systems should expand use of the Electronic Verification of Vital Events system to government agencies
- Government / industry should dialogue about cross-application of existing security standards for identity issuance processes, and new standards development as appropriate
- Government / commercial ID issuers should give further attention to secure delivery of credentials to the end user

Issuance of Identity Credentials – Augment Private Sector Commercial Issuance Processes
Recommendation #2
- Government / industry need to dialogue about greater interoperability between public / private sector ID theft prevention mechanisms
- Private sector could benefit from appropriate and secure access to government vital records systems

Issuance of Identity Credentials – Improve the Integrity of Identity Credentials
Recommendation #3
- Document Security Alliance and North American Security Products Organization (NASPO) should proceed with their project to measure the effectiveness of document security technologies
- Department of Homeland Security should work with issue stakeholders to develop adversarial testing standards
- NASPO, SIA and SEMI in North America – and CEN in Europe – should proceed with standards for secure serialization anti-counterfeiting technology

Exchange of Identity Data – Strengthen Best Practices for Authentication
Recommendation #4
- Financial institutions and credit grantors should take into account level of risk, cost and convenience when determining an appropriate authentication procedure
  - Should not use easily obtainable personal information, such as Social Security numbers, as sole authenticators
- Financial regulatory agencies and FFIEC are encouraged to review the sufficiency of authentication practices for online banking
- Industry and standards developers are encouraged to continue to develop trusted networks for multi-factor mutual authentication
- Public and private sectors should implement systems to allow physical ID documents to be validated in real time
- FTC and financial regulatory agencies should provide guidance on best practices for credit grantors responding to fraud alerts
- Social Security Admin. should work with the private sector on a mechanism that enables companies to verify if a Social Security number belongs to a minor
- Stakeholders should consider best practices / consumer education to help protect the elderly and terminally ill from fiduciary abuse
- Social Security Admin. should work with states and the private sector to improve notification when someone is classified as deceased
- FTC should consider enhanced ID theft protection for active duty military

Exchange of Identity Data – Increase Understanding / Usability of Security Freezes
Recommendation #5
- Lenders, government agencies, consumer advocacy groups, credit reporting agencies and others should continue to support consumer education on the benefits and limitations of security freezes

Maintenance of Identity Information – Enhance Data Security Management Best Practices
Recommendation #6
- ISO/IEC, PCI Security Standards Council, NASPO and other standards developers should review / augment existing data security management standards (or develop new ones) to:
  - Define the frequency of periodic employee security training and the content of an employee awareness program
  - Clarify requirements for data access credentialing and background checks
  - Provide guidance on continuous review of access credentials and privileges
  - Develop targeted guidance for industry sectors that are not regulated or that do not have standards
  - Provide guidance to ensure downstream vendors are secure
  - Implement an ongoing program of security re-evaluation
  - Develop a security breach risk assessment for insurance purposes

Maintenance of Identity Information – Augment Best Practices for Sensitive Data Collection, Retention and Access
Recommendation #7
- Industry, Small Business Admin., Chambers of Commerce and similar organizations need to develop and distribute practical guidance for small businesses on data collection, retention and access
- Industry and key government stakeholders (FTC, OMB, SSA) need to develop uniform guidance on the collection, use and retention of Social Security numbers

Maintenance of Identity Information – Create Uniform Guidance on Data Breach Notification and Remediation
Recommendation #8
- Issue stakeholders need to dialogue on the desirability / feasibility of developing a private sector standard for data breach notification, recognizing there are tradeoffs
- Industry should assemble a cross-sector forum to develop uniform guidance on consumer remediation in the event of a data compromise
- Issue stakeholders should educate consumers on, and reinforce, ID theft prevention strategies

Industry Analyst Perspectives
- James Van Dyke, President and Founder, Javelin Strategy & Research
- Larry Ponemon, Founder and Chairman, Ponemon Institute

Question & Answer Period

For more information, or to download the Report, please visit www.ansi.org/idsp

Thank You!