Submitted as an Information Sharing Subject (ISS) for the High Interest Subject of ID Management and Identification Systems Open Agenda 6.4 DOCUMENT #:GSC14-PLEN-068 FOR:For Information SOURCE:ANSI AGENDA ITEM:Agenda Item 10, Information Sharing Subjects, ID Management CONTACT(S):Joe Bhatia, ANSI rep to GSC-14

Submitted for Joe Bhatia ANSI representative to GSC-14 ANSIs Identity Theft Prevention and Identity Management Standards Panel (IDSP) Information Sharing Subject From ANSI

IDSP | GSC-14Slide 3 What is IDSP? Cross-sector coordinating body whose objective is to facilitate the development, promulgation and use of standards and guidelines to combat ID theft and fraud Identify existing standards, guidelines and best practices Analyze gaps, need for new standards, leading to improvements Make recommendations widely available to businesses, government, consumers

IDSP | GSC-14Slide 4 IDSP Deliverables Plenary meetings for information sharing on work underway / networking for active members and those new to the Panels work Workshops that evolve from the plenary meetings and Steering Committee discussions that further explore particular aspects of the issues Reports presenting findings and recommendations from the Workshops which in turn may drive future standards development activity IDSP itself does not develop standards

IDSP | GSC-14Slide 5 Steering Committee Composition Chairman James Lee, C2M2 Associates Secretary Jim McCabe, ANSI Sustaining Partners

IDSP | GSC-14Slide 6 Steering Committee Composition Contributing Members Affinion Group ARMA International Coalition for a Secure Drivers License Debix General Services Administration ID Experts ID Watchdog Krolls Fraud Solutions North American Security Products Organization TASCET Identity Network TrustedID, Inc Underwriters Laboratories, Inc.

IDSP | GSC-14Slide 7 Steering Committee Composition At-Large Members Department of Homeland Security Institute for Consumer Financial Education Liberty Alliance National Institute of Standards and Technology

IDSP | GSC-14Slide 8 Funding / Membership IDSP is funded through private and public sector sponsorships and participation fees Sponsorship provides appropriate recognition and a seat on the Panel Steering Committee for those who want a more visible and active role in shaping the Panels direction. Membership is open to all affected parties Representatives of the business community and relevant trade associations, vendors of identity theft protection services, information security specialists, industry analysts, government issuers and regulators, standards developing organizations, consumers and public interest groups, and academia participate, providing a range of perspectives

IDSP | GSC-14Slide 9 ANSI-BBB IDSP – Phase 1 A 16 month effort – September 13, 2006 to January 31, 2008 Co-administered by the American National Standards Institute (ANSI) and the Better Business Bureau (BBB) Founding Partners: AT&T; ChoicePoint; Citi; Dell Inc.; Intersections, Inc.; Microsoft; Staples, Inc.; TransUnion; and Visa Inc. 165 representatives from 78 organizations 3 Working Groups explored life cycle of identity issues Issuance of identity documents by government and commercial entities Acceptance and exchange of identity information Ongoing maintenance and management of identity information

IDSP | GSC-14Slide 10 ANSI-BBB IDSP Report (Jan 31, 2008) Summary Excerpt from Volume I: Findings and Recommendations Volume I: Findings and Recommendations Findings and recommendations for areas needing new or updated standards, guidelines, best practices or compliance systems Volume II: Standards Inventory Catalog of existing standards, guidelines, best practices and compliance systems Available for free download at along with replay of Webinar with industry analystswww.ansi.org/idsp

IDSP | GSC-14Slide 11 Volume I: Findings and Recommendations Enhance security of identity issuance processes to facilitate greater interoperability between govt and commercial sectors Improve integrity of identity credentials Strengthen best practices for authentication Augment data security management best practices, e.g., on the use and storage of Social Security numbers Create uniform guidance for organizations on data breach notification and remediation Increase consumer understanding of ID theft preventative strategies, including benefits and limitations of security freezes

IDSP | GSC-14Slide 12 Volume II: Standards Inventory Catalogues... Existing Standards, Guidelines and Best Practices – PRIVATE AND PUBLIC SECTOR Laws / Regulations Proposed Legislation White Papers Conformity Assessment Programs Glossaries of Identity Terms Research Studies / Reports

IDSP | GSC-14Slide 13 ANSI IDSP - Phase 2 Charter (April 2008) Monitor / facilitate implementation of Panels recommendations Continue to investigate new areas Provide a forum for information-sharing and cross- sector dialogue Produce a progress report in one year

IDSP | GSC-14Slide 14 Workshop 1 – Identity Verification Standards (Launched July 2008) Fraudsters exploit circularity of agencies relying on but not authenticating primary USA identity documents issued by other agencies (birth certificates, Social Security numbers / cards, state- issued drivers licenses / ID cards) Issuers of such documents need a process by which they can achieve a level of assurance whether to accept or reject a persons claim of identity Guidelines on identity verification should be developed with a view toward eventual development of an American National Standard Project team developing guidelines led by NASPO (North American Security Products Organization); members include NIST, DHS, GSA, NAPHSIS, AAMVA, Colorado Dept. of Revenue, Coalition for a Secure Drivers License et al. Workshop report and guidelines anticipated in the near term

IDSP | GSC-14Slide 15 Workshop 2 – Measuring / Reporting on Identity Theft (Launched Feb 2009) Controversies about research methodologies make it difficult to measure how well the marketplace is doing in combating identity theft and fraud, posing a challenge to industry, law enforcement and consumers Workshop question: Is a common standard for measuring / reporting on ID theft desirable and feasible? Same question with respect to methods for measuring data breach trends, ID theft protection services and information security solutions 3 WGs set up to study definitions, research, methodologies Workshop report anticipated soon

IDSP | GSC-14Slide 16 Third IDSP Plenary Meeting (April 2009) A point-in-time look at the state of ID theft prevention and ID managementprogress made / work still needed. Topics: Best practices for measuring identity theft Implementation of FTC red flag rules Customer authentication and use of Social Security numbers The need for identity verification guidelines Identity assurance life-cycle management Biometric implementation use cases Medical identity theft Whats on the horizon for ID theft prevention and ID management. Post-meeting survey circulated on future work program

IDSP | GSC-14Slide 17 Related International Activities – Privacy ISO/TMB task force (TF) exploring standards on privacy, with focus on protection of personally identifiable information and fair information handling IDSP chair leads virtual U.S. TAG which advises ANSIs expert to the TF (Mark MacCarthy, Georgetown University formerly w/Visa Inc.) / reports to ANSI ISO Council (AIC) TF surveyed ISO TCs et al on current / potential privacy work Report targeted for September TMB meeting

IDSP | GSC-14Slide 18 Related International Activities – Counterfeiting / Fraud ISO TMB has established ISO/TC 247 Fraud countermeasures and controls and allocated Secretariat to ANSI ANSI advanced proposal for this new TC based on public comment, IDSP / AIC input Brought by ANSI member North American Security Products Organization (NASPO) Standardization in the field of the detection, prevention and control of identity, financial, product and other forms of social and economic fraud

To participate / For more information Jim McCabe