Report of the
Identity Theft Prevention and
Identity Management
Standards Panel



   Webinar on the Release of the IDSP Report
               January 31, 2008
Webinar Agenda

1. Speaker Introductions – IDSP Chair

2. Overview of IDSP Process and Deliverables
   – IDSP Chair

3. Findings and Recommendations – IDSP
   Working Group Co-Chairs

4. Industry Analyst Perspectives

5. Question & Answer Period
Today’s Speakers

IDSP Chairman (Master of Ceremonies)
Joseph V. Gurreri, III
President, CorporatePlanningGroup.NET
Former VP, General Manager,
Global Solutions Development
TransUnion

Today’s Speakers (contd.)

Co-Chairs
Working Group 1 - Issuance
James E. Lee
President, C2M2 Associates, LLC
Former SVP and Chief Public
& Consumer Affairs Officer
ChoicePoint

James X. Dempsey
Policy Director
Center for Democracy and Technology
Today’s Speakers (contd.)

Co-Chairs
Working Group 2 - Exchange
Julie Fergerson
VP of Emerging Technologies
Debix, The Identity Protection Network


Working Group 3 - Maintenance
George K. “Chip” Tsantes
EVP and Chief Technology Officer
Intersections Inc.
Today’s Speakers (contd.)

Industry Analysts

James Van Dyke
President and Founder
Javelin Strategy & Research

Larry Ponemon
Founder and Chairman
Ponemon Institute
What is the IDSP?

   Cross-sector coordinating body focused on preventing ID Theft
       Identify existing standards, guidelines and best practices
       Analyze gaps, need for new standards, leading to improvements
       Make catalogue available to businesses, government, consumers

   Jointly administered by the American National Standards Institute
    (ANSI) and the Better Business Bureau (BBB)
       ANSI – coordinator of the U.S. standardization system
       BBB – advancing trust in the marketplace
       Launched September 13, 2006 – a 16 month effort
       165 representatives from 78 organizations


                               IDSP Webinar | January 31, 2008      Slide 7
Charter

In Scope
   Inventory of existing standards
   Index standards
   Gap analysis of current standards

Out of Scope
   Modification of existing standards
   Rank ordering standards
   Developing new standards




Founding Partners
A diverse group of organizations




Steering Committee
Composition

       Chairman – Joseph V. Gurreri, III
       Founding Partners
       At Large Members
        AARP
        Accredited Standards Committee X9
        Affinion Group
        Alliance for Telecommunications Industry Solutions
        American Financial Services Assn.
        AOL LLC
        ARMA International
        Center for Democracy and Technology
        Debix
        Fellowes, Inc.
        General Services Administration
        KPMG
        National Institute of Standards and Technology
        North American Security Products Organization
        Pay By Touch
        Telecommunications Industry Assn.
        Underwriters Laboratories Inc.



Working Groups
Definitions

WG 1 Issuance
  Standards relating to issuance of identity
    documents by government and commercial entities
WG 2 Exchange
  Standards relating to acceptance and exchange of
    identity information
WG 3 Maintenance
  Standards relating to ongoing maintenance and
    management of identity information

First Deliverable
Standards Inventory – Volume II, Final Report

   Working Groups Catalogued into a SINGLE Resource . . .
       Existing Standards, Guidelines and Best Practices
         – PRIVATE AND PUBLIC SECTOR
       Laws / Regulations
       Proposed Legislation
       White Papers
       Conformity Assessment Programs
       Glossaries of Identity Terms
       Research Studies / Reports


   Market Survey and ANSI Database Search filled out Inventory


Sample Entry
Standards Inventory – Volume II, Final Report
Developer/Source: ISO/IEC

Designation: ISO/IEC 27002:2005

Title: Information technology - Security techniques - Code of practice for
information security management

Description/Scope: ISO/IEC 27002:2005 establishes guidelines and general
principles for initiating, implementing, maintaining, and improving
information security management in an organization. The objectives outlined
provide general guidance on the commonly accepted goals of information
security management. ISO/IEC 27002:2005 contains best practices of control
objectives and controls in the following areas of information security
management:
    security policy;
    organization of information security;
    asset management;
    human resources security;
    physical and environmental security;
    communications and operations management;
    access control;
    information systems acquisition, development and maintenance;
    information security incident management;
    business continuity management;
    compliance.

Relevance to IDSP Working Group: 3




Second Deliverable
Findings and Recommendations – Volume I, Final Report

   WGs Described / Prioritized Identity Fraud-Related Problems
       Considered Range of Possible Solutions to Identify Gaps
       New Account Processing Identified as a Risk Scenario
   Two Process Flows Created to Facilitate Gap Analysis
       Birth of a Citizen and Acquisition of ID Credentials
       Typical New Account Establishment Procedure
   WGs Performed Gap Analysis Against these Flows / Identified
    Problem Areas
       Considered Items Referenced in Standards Inventory
   Plenary Meeting / Full Panel Discussion
   Drafting / Review of Report and Recommendations

Issuance of Identity Credentials
Enhance Security of Issuance Process

 Recommendation #1
  Issue standards for birth certificates and Social Security
    cards
        National Ctr. for Health Statistics and Social Security
         Admin. should do so under Intelligence Reform and
         Terrorism Prevention Act of 2004
    Improve communication / cooperation between
     government agencies and private sector
        National Assn. for Public Health Statistics & Information
         Systems should expand government agencies' use of the
         Electronic Verification of Vital Events system
Issuance of Identity Credentials
Enhance Security of Issuance Process (contd.)

 Recommendation #1
  Government / industry should dialogue about cross-
    application of existing security standards for identity
    issuance processes, and new standards development as
    appropriate

    Government / commercial ID issuers should give further
     attention to secure delivery of credentials to end user



Issuance of Identity Credentials
Augment Private Sector Commercial Issuance Processes

 Recommendation #2
  Government / industry need to dialogue about greater
    interoperability between public / private sector ID theft
    prevention mechanisms
       Private sector could benefit from appropriate and secure
        access to government vital records systems




Issuance of Identity Credentials
Improve the Integrity of Identity Credentials

  Recommendation #3
   Document Security Alliance and North American
     Security Products Organization (NASPO) should
     proceed with project to measure effectiveness of
     document security technologies
   Department of Homeland Security should work with
     issue stakeholders to develop adversarial testing
     standards
   NASPO, SIA and SEMI in North America – and CEN in
     Europe – should proceed with standards for secure
     serialization anti-counterfeiting technology
Exchange of Identity Data
Strengthen Best Practices for Authentication

 Recommendation #4
  Financial Institutions and credit grantors should take
    into account level of risk, cost and convenience when
    determining an appropriate authentication procedure
        Should not use easily-obtainable personal information
         such as Social Security numbers as sole authenticators
    Financial regulatory agencies and FFIEC are
     encouraged to review the sufficiency of authentication
     practices for online banking


Exchange of Identity Data
Strengthen Best Practices for Authentication (contd.)

 Recommendation #4
  Industry and standards developers are encouraged to
    continue to develop trusted networks for multi-factor
    mutual authentication
  Public and private sectors should implement systems to
    allow physical ID documents to be validated in real time
  FTC and financial regulatory agencies should provide
    guidance on best practices for credit grantors
    responding to fraud alerts


Exchange of Identity Data
Strengthen Best Practices for Authentication (contd.)

  Recommendation #4
   Social Security Admin. should work with private sector
     on a mechanism that enables companies to verify if a
     Social Security number belongs to a minor
   Stakeholders should consider best practices / consumer
     education to help protect the elderly and terminally ill
     from fiduciary abuse
   Social Security Admin. should work with states and
     private sector to improve notification when someone is
     classified as deceased
   FTC should consider enhanced ID theft protection for
     active duty military
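The risk-based authentication policy this recommendation describes, as an added illustration that is not code from the IDSP report or any of the speakers: a small evaluator that never counts an SSN or date of birth as an authenticator, counts distinct factor categories, and demands a second factor once transaction risk or a fraud alert on file pushes the score over a threshold. The factor names, risk weights, threshold and sample attempts are all assumptions made for this example.

```python
"""Risk-based authentication decision (added illustration for Recommendation #4).

Not code from the IDSP report. Factor names, risk weights, the step-up
threshold and the sample attempts are assumptions made for this example.
"""
from dataclasses import dataclass

# Authenticator categories: something you know / have / are.
KNOWLEDGE = {"password", "pin"}
POSSESSION = {"otp_device", "client_cert"}
INHERENCE = {"fingerprint"}

# Identifiers widely held by third parties (credit bureaus, employers, breach
# data). They may be used to look an account up but never count as a factor.
PUBLIC_IDENTIFIERS = {"ssn", "date_of_birth", "mothers_maiden_name"}

STEP_UP_AT = 3   # assumed risk score from which one factor is not sufficient


@dataclass
class Attempt:
    evidence: frozenset          # what the user presented
    amount_usd: float = 0.0
    new_payee: bool = False
    new_device: bool = False
    fraud_alert_on_file: bool = False


def risk_score(a: Attempt) -> int:
    """Additive transaction risk: amount, unusual context and a fraud alert raise it."""
    score = 0
    if a.amount_usd >= 1000:
        score += 2
    if a.amount_usd >= 10000:
        score += 2
    if a.new_payee:
        score += 1
    if a.new_device:
        score += 2
    if a.fraud_alert_on_file:
        score += 3      # an alert alone reaches STEP_UP_AT: always ask for a second factor
    return score


def factor_count(evidence) -> int:
    """Distinct factor categories present, after discarding public identifiers."""
    usable = set(evidence) - PUBLIC_IDENTIFIERS
    return sum(1 for group in (KNOWLEDGE, POSSESSION, INHERENCE) if usable & group)


def decide(a: Attempt) -> str:
    """Return 'deny', 'step_up' or 'allow' for one authentication attempt."""
    factors = factor_count(a.evidence)
    if factors == 0:
        return "deny"           # SSN / DOB alone never authenticate anyone
    if risk_score(a) >= STEP_UP_AT and factors < 2:
        return "step_up"        # require a second factor from a different category
    return "allow"


if __name__ == "__main__":
    for attempt in (
        Attempt(frozenset({"ssn", "date_of_birth"})),
        Attempt(frozenset({"password"}), amount_usd=50),
        Attempt(frozenset({"password"}), amount_usd=2000, new_device=True),
        Attempt(frozenset({"password", "otp_device"}), amount_usd=2000, new_device=True),
        Attempt(frozenset({"password"}), fraud_alert_on_file=True),
    ):
        print(sorted(attempt.evidence), risk_score(attempt), decide(attempt))
```

Two password-category authenticators (password plus PIN) still count as one factor, which is the point of counting categories rather than items; a fraud alert on file forces step-up regardless of amount, matching the recommendation that credit grantors actually act on alerts.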
Exchange of Identity Data
Increase Understanding / Usability of Security Freezes

 Recommendation #5
  Lenders, government agencies, consumer advocacy
    groups, credit reporting agencies and others should
    continue to support consumer education on benefits and
    limitations of security freezes




Maintenance of Identity Information
Enhance Data Security Management Best Practices

 Recommendation #6
  ISO/IEC, PCI Security Standards Council, NASPO and
    other standards developers should review / augment
    existing data security management standards (or
    develop new ones) to:
       Define the frequency of periodic employee security
        training and content of an employee awareness program
       Clarify requirements for data access credentialing and
        background checks
       Provide guidance on continuous review of access
        credentials and privileges
Maintenance of Identity Information
Enhance Data Security Management Best Practices (contd.)

 Recommendation #6
       Develop targeted guidance for industry sectors that are not
        regulated or that do not have standards
       Provide guidance to ensure downstream vendors are secure
       Implement an ongoing program of security re-evaluation
       Develop a security breach risk assessment for insurance
        purposes
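The continuous review of access credentials and privileges called for above, as an added illustration that is not code from the IDSP report: an entitlement review that flags privileges outside a role's least-privilege baseline, credentials unused beyond a review window, and credentials still active for departed users. The role baseline, the 90-day window, the review date and the entitlement records are constructed for this example.

```python
"""Periodic entitlement review (added illustration for Recommendation #6).

Not code from the IDSP report. The role baseline, the review window, the
review date and the entitlement records below are constructed for this example.
"""
from datetime import date, timedelta

# Assumed least-privilege baseline: the privileges each role is entitled to.
ROLE_BASELINE = {
    "teller": {"accounts.read", "transactions.post"},
    "fraud_analyst": {"accounts.read", "alerts.read", "alerts.update"},
    "contractor": {"tickets.read"},
}

DORMANT_AFTER = timedelta(days=90)   # assumed review window
REVIEW_DATE = date(2008, 1, 31)      # assumed date the review is run

# Constructed records: (user, role, privilege, last_used, user_terminated)
RECORDS = [
    ("alice", "teller", "accounts.read", date(2008, 1, 20), False),
    ("alice", "teller", "transactions.post", date(2008, 1, 28), False),
    ("alice", "teller", "alerts.update", date(2007, 6, 1), False),
    ("bob", "fraud_analyst", "alerts.read", date(2008, 1, 30), False),
    ("bob", "fraud_analyst", "alerts.update", date(2007, 9, 1), False),
    ("carol", "contractor", "tickets.read", date(2007, 12, 15), True),
]


def review(records, today=REVIEW_DATE):
    """Return (user, privilege, finding) for each entitlement to revoke or re-approve."""
    findings = []
    for user, role, priv, last_used, terminated in records:
        if terminated:
            # The credential outlived the person: revoke now, do not wait for dormancy.
            findings.append((user, priv, "orphaned: user terminated but credential still active"))
            continue
        if priv not in ROLE_BASELINE.get(role, set()):
            findings.append((user, priv, f"excess: not in baseline for role '{role}'"))
        idle = today - last_used
        if idle > DORMANT_AFTER:
            findings.append((user, priv, f"dormant: unused for {idle.days} days"))
    return findings


if __name__ == "__main__":
    for user, priv, finding in review(RECORDS):
        print(f"{user:6} {priv:18} {finding}")
```

An entitlement can produce two findings at once (alice's alerts.update is both outside the teller baseline and unused for months); reporting both lets the reviewer see that a privilege was granted without a role justification and has never been needed, which is the usual signature of access that accumulated rather than was approved.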




Maintenance of Identity Information
Augment Best Practices for Sensitive Data Collection,
Retention and Access

 Recommendation #7
  Industry, Small Business Admin., Chambers of
    Commerce and similar organizations need to develop
    and distribute practical guidance for small businesses
    on data collection, retention and access

    Industry and key government stakeholders (FTC, OMB,
     SSA) need to develop uniform guidance on the
     collection, use and retention of Social Security numbers


Maintenance of Identity Information
Create Uniform Guidance on Data Breach Notification and
Remediation

 Recommendation #8
  Issue stakeholders need to dialogue on the desirability /
    feasibility of developing a private sector standard for
    data breach notification, recognizing there are tradeoffs
  Industry should assemble a cross-sector forum to
    develop uniform guidance on consumer remediation in
    the event of a data compromise
  Issue stakeholders should educate / reinforce ID theft
    prevention strategies to consumers


Industry Analyst Perspectives

James Van Dyke
President and Founder
Javelin Strategy & Research

Larry Ponemon
Founder and Chairman
Ponemon Institute
Question & Answer Period

For more information, or to download the Report, please visit

www.ansi.org/idsp

Thank You!
