
This document addresses the privacy assessment criteria that are relevant to IdPs and CSPs certified under the Kantara Identity Assurance Framework (IAF).
Part 1 - General Guidance for Assessors and Auditors (informative)
This section could be a generalization of the P3WG document "Draft Criteria for the US Federal Privacy Profile", Version 1.4, dated 9/13/2011, along with consideration of NIST Special Publication 800-53, Appendix J; Article 29 of Directive 95/46/EC of the European Parliament; and the Organization for Economic Cooperation and Development (OECD) Privacy Guidelines.
Part 2 - Additional Requirements for Credential Service Providers: US Federal Privacy Criteria (normative)
This section would appear to be sufficiently addressed by the Identity Assurance Working Group (IAWG) document, "Additional Requirements for Credential Service Providers: US Federal Privacy Criteria". This IAWG document contains a reference to the FICAM "Privacy Guidance for Trust Framework Assessors and Auditors", and includes additional criteria, such as "Unique Identity", "Adequate Notice", and "Changes in the Service".
Part 3 - Additional Requirements for Credential Service Providers: Other territorial jurisdiction (Canada, New Zealand, EU… ?) Privacy Criteria (normative)
Part 4 - Additional Requirements for Credential Service Providers: Specific Industry Sector (Health Care, Financial?) Privacy Criteria (normative)

Exclusions

This document does not consider the privacy requirements for Relying Parties or Federation Brokers in an Identity Federation. It is assumed that Relying Party applications and Federation Broker Services will operate in compliance with local privacy policies, laws and regulations.

Normative References

Terms and Definitions

Intended Audience

The informative Part 1 of this document is intended to be used as privacy guidelines for Identity Federation component suppliers. The normative Parts 2-N are intended to serve as specific assessment criteria for assessors and auditors in the respective jurisdiction.

Intended Course of Action

This document is intended to be developed as a Privacy and Public Policy Working Group (P3WG) Kantara Report. The P3WG-approved document will be submitted to the Kantara Assurance Review Board (ARB) for adoption into their Identity Assurance Certification Program.