Introduction
The purpose of this document (Code of Conduct for Relying Parties) is to give supporting guidance to the controlling documents of the Identity Assurance Framework, as developed by the Kantara Initiative, Inc. In certain contexts or domains involving Attribute Providers, it could be extended and modified for use as well.
The document is not intended to be a complete set of requirements for good behaviour of Relying Parties spanning the full extent of an organization's policies, processes and procedures; doing so would merely duplicate much of that existing work. Instead, this document indicates the range of topics that such a code of conduct would typically address.
A complete Code of Conduct for Relying Parties might include sections for (A) Data Protection, (B) Administration, Record Keeping and Process, (C) Audit and Compliance, (D) Exit and Off-boarding and (E) Marketing, plus other aspects applicable to a given context or domain to make it comprehensive.
Assumptions
This Code of Conduct for Relying Parties assumes (1) a set of agreed definitions/terminology, (2) scope and specification of the Relying Party's activities, (3) a legal contract in force that makes all obligations clear for interpretation, (4) that a federated trust framework is operating, and (5) that a quality ISMS (information security management system) is operating in the RP/AP environments.
As explained above, this Code of Conduct assumes a comprehensive parent document whose table of contents might additionally include:
Introduction and Purpose
Executive Summary
Assumptions
Definitions/Terminology
References and bibliography
Activities in scope for the Relying Party
Data Protection
Administration, Record Keeping and processes/procedures
Audit and Compliance
Exit and Off boarding
Marketing
...........................................
References: (more references most welcome!)
GEANT: http://www.geant.net/uri/dataprotection-code-of-conduct/V1/Pages/default.aspx (accessed from https://www.clarin.eu/content/how-can-i-comply-data-protection-code-conduct)
Federal Government of Canada: 'Adding and removing Credential Service Providers under the Credential Broker Service' TBS Canada, CIO Branch, Feb 2015, Version 4.0
Kantara Initiative: Identity Assurance Framework
InCommon: https://www.incommon.org/docs/policies/InCommonFOPP.pdf
IETF: Vectors of Trust: https://datatracker.ietf.org/doc/draft-richer-vectors-of-trust/?include_text=1 for the latest version, taken from https://www.ietf.org/mailman/listinfo/vot
NZ RealMe: https://www.realme.govt.nz/ (the MOU from which some text for the Administration, Record Keeping and Processes/Procedures section was taken is not published)
TERENA: https://refeds.terena.org/index.php/Federations
...................................................................................................................................
Data Protection Code of Conduct for Relying Parties/Service Providers
(a) [Payment] pay the Charges in accordance with XXXX clause in the Federation Agreement;
(b) [Co-operation] co-operate with Federation/IdP personnel in connection with the background checking/identity proofing of RP/SP responsible officers, the registration of authorisation policy for (and provision of access to) records and resources, and the operation and safeguarding of the Service(s); advise the IdP promptly of any Service anomalies, suspicious or unusual usage, or complaints relating to the Services, and provide reasonable assistance to the Federation/IdP in investigating such anomalies, usage or complaints;
(c) [Standards Compliance] comply with any standards or specifications issued by the Federation/IdP and with any reporting obligations required by the IdP/AP from time to time in accordance with relevant legislation (including obligations of any third party contracted to the RP/SP);
(d) [Audit] provide appropriate assistance, where reasonably requested by the IdP/AP, in carrying out any audit of the Client's use of the Services or related systems or suppliers; and comply with all certification and accreditation requirements;
(e) [Federation Reporting] participate in progress reporting as specified in the Service Schedule;
(f) [Transparent relationship] ensure that the Service Provider/RP's website terms and conditions explain the inter-relationship of the Services and the Client's systems, in terms agreed with the Federation/IdP; and maintain an accurate and up-to-date register of the RP/Service Provider's roles and activities;
(g) [Promotion] use its best endeavours to promote the Services, and instructions for their use, to its customer base to encourage service uptake and use;
(h) [Maintenance and notification] use and maintain the Service Interface, including the security of the connection between the Client's systems and the Service System; register, modify, remove and retrieve metadata and maintain PKI certificates as defined in the XX Federation Documentation XX; notify the IdP of any network changes or certificate renewals that may impact any part of the Service; and use the Admin interface to register and update details relating to the Service and to the officers charged with administering it.
Exit and Off boarding
(a) [Exit and off-boarding]: the RP must have an explicit written policy to address and mitigate impacts on existing users (e.g. portability of accounts where feasible, re-enrolment, credential switching) in the event that the RP terminates, or is terminated from, its role.
(b) [Exit and off-boarding]: the RP must have predetermined processes ready to put into action to update the Helpdesk on status, call-handling procedures and documentation, website information, test scripts and system flows so that they reflect the terminated state of the RP.
.........................................................................................................................................................................................................