TFTM Deliverable 01-06: 2014 Self Assessment and Attestation Program. Discussion Deck, TFTM Committee, June 25, 2014. IDESG TFTM Committee, slide 1.

Presentation transcript:

Slide 1: TFTM Deliverable: Self Assessment and Attestation Program. Discussion Deck, TFTM Committee, June 25, 2014.

Slide 2: Meeting Agenda
- 2014 Compliance and Conformance Program Goal
- Meeting Objectives
- Why Self-attestation?
- Process and Components
- Deliverables
- Next Steps

Slide 3: Today's Meeting Objectives
- Discuss the 2014 IDESG self assessment and attestation compliance program
- Identify program components
- Identify potential deliverables

Slide 4: Why Self-assessment and Attestation?
- Cost effective, for both IDESG and participants
- Resource light, for both IDESG and participants
- Can be implemented quickly; we are already half way through 2014
- Provides moderate assurance that participants are operating according to established requirements, guidance, rules, etc.
- Most realistic option for 2014
- Logical first step in the phased implementation of a compliance program; CSA and other organizations have implemented similar phased approaches

Slide 5: TFTM Compliance and Conformance Goal
- Establish a self assessment and attestation compliance program for the Identity Ecosystem.
  – TFTM consensus decision made on 28 May 2014
  – In the future, additional types of conformance will be built upon the self-attestation program

Future Compliance Approaches:
  Approach                              | Timeframe
  Self Assessment and Attestation       | 2014
  Peer to Peer Certification            | TBD
  Independent 3rd Party Certification   | TBD

Slide 6: IDESG Conformance Assessment Program (diagram)
- Foundation: NSTIC and IDESG Guiding Principles
- Built on those: IE Framework Requirements and Assessment Procedures, covering Privacy, Security, Usability, Interop. and Other
- 2014: Self-Assessment, using Self-Assessment Criteria/Questionnaire, followed by Self-Attestation
- 2015+: 3rd-Party Conformance Assessment

Slide 7: Process & Components
- What do we need for a functional self-assessment and attestation program?
- Each step in the process will require a set of defined procedures (internal and external) and owners to ensure an efficient program
- A clear, overall process flow should be developed once the processes and components have been identified and agreed to by the TFTM

Process steps: Application > Self-Assessment > Attestation > Approval > Recognition > Ongoing Compliance

Slide 8: Process and Components: Application
- The process through which identity ecosystem participants request to be recognized through the self-assessment and attestation conformance program
- May be an automated or manual procedure
  – Web form
  – E-mailed/downloaded PDF
- Application should contain sufficient info to confirm "Bona Fides" of applying organizations
  – Legitimate service provider in the IE, e.g., IE role/service description
  – Other certifications (e.g., CSA STAR, PCI DSS, FICAM), DUNS number, etc.
- Ownership for collecting applications and supporting documents will need to be assigned to an appropriate entity in IDESG
  – E.g., Secretariat, TFTM sub-committee, etc.
- Potential deliverables/documentation:
  – IDESG Application Template and Guide
  – Bona Fides information requirements

Slide 9: Process and Components: Self-Assessment
- Process by which applicants determine conformance with appropriate IDESG requirements
- Needs a clear, standardized format for expressing applicable requirements
  – E.g., clear criteria, self-assessment questionnaire
- Needs an identified owner in IDESG for collecting and managing assessment template submissions
  – May be Secretariat or TFTM sub-committee
  – Need to review submissions for completeness and appropriateness
- Dependent upon committee requirements development
  – TFTM development of a requirements template may assist committees in their own requirements development
- Potential deliverables/documentation:
  – Conformance Criteria/Questionnaire

Slide 10: Process and Components: Attestation
- Means to formally bind applicants to the information provided in the self-assessment form
- Needs a standardized format with appropriate legal language/review
- Ownership
  – May be Secretariat or TFTM sub-committee
- Potential deliverables/documentation:
  – Attestation Forms/Guide

Slide 11: Process and Components: Approval
- IDESG due diligence and confirmation that all necessary and appropriate information has been received from an applicant
  – Results in a recommendation for acceptance of the self-attestation
- At a minimum, should ensure that the proper documents have been fully and appropriately completed
  – Application (Bona fides check)
  – Self-assessment forms
  – Conformance Attestation
- Ownership
  – Responsibility for recommendations for approval should rest with an IDESG entity, e.g., TFTM, TFTM subcommittee, Management Council/sub-committee
  – Similarly, responsibility for formal approval should rest with an IDESG entity
- Potential deliverables/documentation:
  – Approval process description and policy

Slide 12: Process and Components: Recognition
- Process through which IDESG approval of an ecosystem participant's self-assessment and attestation is publicly represented
  – Expresses conformance with IDESG requirements to other ecosystem participants and the general public
- Multiple means to express conformance
  – Certificate: a formal certification issued by IDESG
  – Trustmark: a visual/electronic symbol that is licensed for use/display by approved service providers and ecosystem participants
  – Registry or "Trust" List: an IDESG-hosted site that lists approved service providers and approved ecosystem participants
- These options will be explored more fully in future discussions
- Deliverables/Documents
  – Recognition Approach

Slide 13: Process and Components: Ongoing Compliance
- Process by which the IDESG confirms continued compliance with IDESG requirements and rules. Could be:
  – Re-assessment and attestation after a set period
  – Updated attestation of continued compliance
- Initial process should be stated up front as part of the 2014 attestation process and documents
  – Could be expressed as an "expiration" or renewal date (e.g., annual, bi-annual)
- Deliverables/Documents
  – Ongoing compliance approach (may be included in attestation guidance)

Slide 14: Potential TFTM Deliverables
- Application Template
- Bona Fides Requirements
- Self Assessment Form/Template
  – Conformance Criteria, Compliance Questionnaire or something similar
- Attestation Forms/Documentation
- Approval Process Description and Policy
- Recognition Approach
- Ongoing Compliance Approach

Slide 15: Next Steps Summary
1. Analyze/discuss existing self-certification and self-assessment programs
   – Cloud Security Alliance STAR Program
2. Gain consensus on deliverable list and program components
3. Develop timelines and milestones for deliverables
4. Begin development of self-assessment and attestation deliverables