A complete Code of Conduct for Relying Parties might include sections for: A) Data Protection, B) Admin, Record Keeping and Process, C) Audit and Compliance, D) Customer Service, E) Marketing, plus other aspects to make it comprehensive.
This Code of Conduct for Relying Parties assumes (1) a set of agreed definitions/terminology, (2) scope and specification of the Relying Party activities, (3) a legal contract in force to make all obligations clear for interpretation, (4) that a federated trust framework is operating, and (5) that a quality ISMS is operating in the RP/AP environments.
A typical template Table of Contents might include:
Introduction and Purpose
Executive Summary
Assumptions
Definitions/Terminology
References and bibliography
Activities in scope for the Relying Party
Data Protection
Administration, Record Keeping and data processing
Audit and Compliance
Customer Service
Marketing
Colin: July 2015: A devised template informed by GEANT's Data Protection one, via Clarin: https://www.clarin.eu/content/how-can-i-comply-data-protection-code-conduct and you can see the various Codes here (Data Protection, etc., non-normative informational docs; very good they are too!): http://www.geant.net/uri/dataprotection-code-of-conduct/V1/Pages/default.aspx
Data Protection Code of Conduct For Service Providers, with clauses that might apply to an overall contract removed for clarity.
(a) [Payment] pay the Charges in accordance with XXXX clause;
(b) [Co-operation] co-operate with IdP personnel in connection with its background checking/identity proofing of RP/SP responsible officers, operation and safe-guarding of the Service/s; and advise IdP promptly of any Service anomalies, suspicious or unusual usage, or complaints relating to the Services and provide reasonable assistance to IdP/AP in the investigation of such anomalies, usage or complaints;
(c) [Standards Compliance] comply with any standards or specifications issued by the XXIdP/APXX and any reporting obligations required by the IdP/AP from time to time in accordance with any relevant legislation (including those of a contracted third party to the RP/SP);
(d) [Audit] provide appropriate assistance, where reasonably requested by IdP/AP, in carrying out any audit of the Client’s use of the Services or related systems or suppliers;
(e) [Federation Reporting] participate in progress reporting as specified in the Service Schedule;
(f) [Transparent Relationship] ensure that the agency Service Provider/RP's website terms and conditions explain the inter-relationship of the Services and the Client’s systems in terms agreed with IdP;
(g) [Promotion] use its best endeavours to promote the Services, and instructions for their use, to its customer base to encourage service uptake and use;
(h) [Maintenance and Notification] use and maintain the Service Interface, including the security between the Client’s systems and the Service System; register/modify/remove/retrieve metadata and maintain PKI certificates as defined in the XX Federation Documentation XX; notify IdP of any network changes or certificate renewals that may impact on any part of the Service; and use the Admin interface to register and update details relating to the Service and the officers charged with administering the service.
Added on Sept 2nd 2015: Further analysis required of TBS Canada Adding/Removing CSPs under the Credential Broker Service and (hopefully) the Credential Federation Application Integration Guide for departments and agencies.
Text below informed by the paper, 'Adding and removing Credential Service Providers under the Credential Broker Service' TBS Canada, CIO Branch, Feb 2015, Version 4.0
Exit and off-boarding: the RP must have an explicit written policy to address and mitigate impacts to existing users (e.g. portability of accounts if feasible, re-enrolment, credential switching) in the event that the RP terminates, or is terminated from, its role.
Exit and off-boarding: update Helpdesk and call-handling procedures and documentation, website information, test scripts and system flows to reflect the terminated state of the RP.
(add to (d) Audit, above) Comply with all certification and accreditation requirements.
From the Jan 2015 minutes:
Ken: Some have clearly defined requirements:
1) Governments as relying parties – Are there a common set of requirements that governments have of authoritative parties (Token, Attribute or Identity Providers)? Do authoritative parties (Token, Attribute or Identity Providers) have expectations of governments that consume their assertions?
2) Governments as authoritative parties (Token, Attribute or Identity Providers) – are there concerns / restrictions on governments acting as an authoritative party? To internal government services, other jurisdictions or the private sector.
Keith: As discussed on the call, this page is a wiki comparing the various research and education federations.
https://refeds.terena.org/index.php/Federations
I feel a resource like this for eGov would be a great project for us to undertake and put on the Kantara wiki. It makes comparison of different technologies, models and policies very convenient.
This would take the excellent work done by the BCTF and add more information to the model, with a focus on eGov only.
http://kantarainitiative.org/confluence/display/bctf/Global+Trust+Framework+Survey
Excerpt from InCommon FOPP (Federation Operating Policies and Practices); sections 6-10 are most relevant:
https://www.incommon.org/docs/policies/incommonfopp.html