Principles
Principles for Electronic Authentication
A Canadian Framework
May 2004
Principle 1: Responsibilities of Parties
Principle 2: Risk Management
Principle 3: Security
Principle 4: Privacy
Principle 5: Disclosure Requirements
Principle 6: Complaints Handling
Principle 1: Responsibilities of Participants
Participants in an authentication process should be aware of the functions they are performing and of the responsibilities associated with those functions. Participants' responsibilities are proportional to the degree of knowledge and control they can reasonably be expected to have and to exercise.
All participants should act prudently and take reasonable steps to inform themselves of the nature of the authentication process, including its requirements and limitations, to protect information associated with the process, and to manage the risks to which they are exposed (see Principle 2).
Participants' specific responsibilities depend on the function or functions they carry out, as follows.
Authentication Administration
The administrator is responsible for following appropriate and trusted measures so that other participants may have confidence in the credibility of claimed attributes. When any part of the administration function is delegated to a third party, the administrator is responsible for ensuring that the third party also follows appropriate and trusted processes.
Specification
The specifying participant is responsible for choosing a system, such as an authentication infrastructure or process, that meets the privacy, security and other policy and legal requirements associated with an electronic communication. This may include the mechanism by which a participant's authority to enter into the electronic communication, and the integrity of the communication itself, can be ascertained.
End Use
The responsibility of end users to inform themselves about the authentication process is limited by the extent of clear and conspicuous information disclosed to them (see Principle 5). The responsibility of end users to protect information relating to the authentication process may be limited by legal or contractual obligations. Such obligations may require disclosure of information concerning the process they use to determine the reliability of electronic communications.
Standards Development
Standards developers are responsible for ensuring that standards are robust, scalable and adaptive to encourage uniformity in authentication implementations. This responsibility extends to incorporating a wide range of views and best practices into proposed standards to ensure they are relevant, up-to-date and continuously applicable. Responsible standards development takes into account both existing and emerging technologies and international practices.
Compliance Assessment
Those who assess compliance are responsible for maintaining and applying a professional and up-to-date level of knowledge and practice so they can provide a reasoned and informed evaluation of authentication processes.
Infrastructure Provision
Infrastructure providers are responsible for following best practices and standards to implement and support the infrastructure that enables authentication.
Principle 2: Risk Management
The risks associated with authentication processes for electronic communications should be identified, assessed and managed in a reasonable, fair and efficient manner.
The responsibilities of participants concerning risk management are proportional to the degree of knowledge and control that each participant can reasonably be expected to have and to exercise. It is recognized that the ability of participants to identify, assess and manage risk varies substantially, and that some types of participants (e.g. consumers and small enterprises) cannot reasonably be expected to identify, assess and manage risk to the same extent as participants that have access to more significant resources or who define the working relationships.
Identification
Risks should be identified to the extent possible. Risks may be financial -- including immediate, direct and consequential damages arising from faulty execution or delay in execution of the communication -- or may relate to, among other things, loss of confidentiality or privacy, damages to reputation, or identity theft.
Assessment
The seriousness and potential impact of risks should be assessed. When assessing risk, special attention should be paid to the circumstances under which the authentication process is relied upon. When evaluating and assessing risk, it can be helpful to take into account the responsibilities associated with each of the six functions (see Principle 1).
Management
Risks should be managed to the point of greatest economic efficiency by being assumed, avoided, re-allocated or mitigated. Risk is economically efficient when the residual risk that a participant bears after prudently managing risk does not outweigh the benefits gained from participating.
Role of Contracts
Contracts may be used to provide a framework for each participant's involvement. Contracts should be clear about the risks that each party is assuming and should allocate risk in a reasonable, fair and efficient manner. For contracts that are not freely negotiated among equal parties,[3] efforts may be needed to protect the interests of weaker parties.[4]
Decision Making
Regardless of the means used to allocate risk, the resulting allocation should be reasonable and fair and take into account the ability of participants to manage risk or absorb losses. It should also create incentives for those developing and implementing authentication processes to ensure that their products and services are secure and reliable.
Principle 3: Security
All participants in an authentication process should be responsible and accountable for security, in proportion to their roles in that process. All participants have a responsibility to contribute to the mitigation of risk through sound security practices. However, infrastructure providers and those involved in authentication administration bear much of the burden to design and maintain systems based on policies and procedures that take into consideration legislation, regulation, policy, industry standards and the socio-cultural environment.[5]
The purpose of information security is to mitigate the risks inherent in the electronic sharing of information. Infrastructure providers and those involved in the specification and administration of authentication processes often take the initiative when designing and implementing security mechanisms, and therefore have an interest in raising awareness by informing other participants about these mechanisms and participants' role in their maintenance (for example, selecting and safeguarding user passwords). Security mechanisms should conform to generally accepted standards.
Protection, Detection and Response
As appropriate, all participants should be made aware and, at all times, be conscious of security risks, known threats and vulnerabilities, and available safeguards. In an authentication process, a security incident that affects a single participant may have implications for all participants. Participants should therefore act at all times to prevent such incidents, and should be ready and able to respond appropriately. Information about known threats, vulnerabilities and risks should be shared among participants, as appropriate, as an effective preventive measure, to enhance vigilance in detection and to ensure timely response. Effective information security measures should be proportional to the information risk and should respect the rights of participants, in keeping with the democratic principles of an open society.
Information technology evolves rapidly. It is therefore sound security management to ensure that all participants are reliably informed of new and existing threats, and of the role participants are expected to play in the prevention and detection of and response to security incidents.
Review and Assessment
The continual review and assessment of security programs is essential to ensure the ongoing efficacy of a security program. Those who establish authentication processes, and infrastructure providers in particular, in concert with the other participants in the authentication process, should verify and demonstrate their adherence to sound security management practices, each in proportion to the role they play. A person independent of the authentication process should conduct a periodic review of the security practices associated with the process. Such a review should be integral to accreditation and certification against generally accepted standards.
Principle 4: Privacy
Organizations engaged in the design or operation of authentication processes should comply with the data protection standards set out in relevant codes of practice (privacy codes) in addition to complying with applicable legislation and jurisprudence (privacy laws).[6] In particular, the collection, use and disclosure of personal information[7] in the context of authentication should be minimized.
Identity-based authentication can conflict with privacy considerations. For example, stronger authentication may require the collection and comparison of more personal information. However, minimizing the collection, use and disclosure of personal information in the authentication context is fundamental for security as well as privacy reasons. Privacy safeguards can actually contribute to the security of authentication processes.
Authentication Administration
Authentication administration should involve the collection of personal information only when necessary. Any personal information collected should be used for no purpose other than authentication. Authentication of a business should focus on business attributes rather than personal attributes of individual employees.
If collection of personal information is required, such collection should be minimized. Any use or disclosure of personal information should also be minimized. Personal information should be collected, used or disclosed only with the informed consent of the individual.
Personal information should be retained only for the purpose of authentication.
Specification and Infrastructure Provision
Authentication processes should be designed to require that the least possible amount of personal information be collected, used and disclosed. Process design should take into account the access rights of participants and the obligation of organizations to make information available about their privacy policies. Organizations using authentication processes designed by others have a responsibility to ensure that those processes respect privacy.
End Use
End users of authentication processes and services should take reasonable measures to ensure that personal information within their control is protected from unauthorized collection, use or disclosure.
Standards Development
Authentication standards should be developed in full accordance with the privacy principles set out in privacy laws and codes. Privacy protection should explicitly be built into authentication standards. Standards developers should consider the coincidence of measures that contribute to protection of data privacy with those designed to ensure security of authentication processes.
Compliance Assessment
Compliance assessment should include assessment of whether and how the organization in question is complying with the privacy principles set out in privacy laws and codes. Compliance assessors should protect the confidentiality of personal information they deal with in the context of their assessments, in accordance with privacy laws and codes.
Principle 5: Disclosure Requirements
Participants that offer authentication services should disclose information to the other participants to ensure that all participants are aware of the risks and the responsibilities associated with participation.
The information that is disclosed about authentication services should include policies, practices and procedures, as well as information about whether the services are periodically reviewed or audited. Appropriate disclosure requires the information to be provided in sufficient detail for the purpose, be in plain language and be conspicuous. All three factors will have a bearing on the knowledge other participants can reasonably be expected to have of the disclosed information.
Extent and Nature of Disclosure
Disclosure should not include security-related information that, if disclosed, would introduce vulnerabilities and increase risk. However, the amount and nature of information disclosed should be sufficient for participants to understand their responsibilities and to make informed risk-management decisions concerning reliance on the authentication. The extent and nature of the information may vary depending on whether the end user is an individual or an organization.
Notification
Participants should be notified of the availability of information and of any changes to the information. Evidence of receipt of notification may be required, depending on the nature of the authentication process and associated applications.
Relationship to Other Principles
Participants that offer authentication services should disclose their policy and practices concerning the collection of personal information. Principle 4 more fully addresses personal information and its disclosure. Disclosure requirements should also be considered in conjunction with Principle 1 (Responsibilities of Participants) and Principle 2 (Risk Management).
Principle 6: Complaints Handling
Organizations implementing authentication processes should make available a complaints-handling process that enables participants to resolve complaints efficiently and effectively and to respond appropriately to non-compliance issues.
Complaints-handling processes should reflect the following.
Visibility
Information about how and where to direct complaints should be well publicized to all participants and their personnel and to other interested parties, and should include full information about the complaints-handling process.
Accessibility
The complaints-handling process should be easily accessible to all participants, and the organization should ensure that information is readily available on the details of resolving disputes. The process and supporting information should be easy for individuals with complaints to understand and use, be in plain language and be available in the languages in which the products and services were originally offered.
Responsiveness
Complaints should be dealt with promptly and thoroughly. Complaints should be assessed from a security perspective and resolved in priority, according to their potential negative impact on the participants involved or on the authentication implementation as a whole.
Fairness and Objectivity
Each complaint should be addressed in a balanced manner through the complaints-handling process, which should be fair to the complainant and the participant against whom the complaint is made.
Charges
Access to the complaints-handling process should be free of charge to the complainant.
Confidentiality and Privacy
Personal information concerning complainants should be available only where needed within the organization handling the complaint and must be actively protected from disclosure, unless the complainant expressly consents to its disclosure.
Accountability
Organizations should ensure that there is an identified individual or identifiable unit responsible for the systematic recording of complaints and outcomes, and for reporting on the actions and decisions of the organization with respect to complaints handling.
Continual Improvement
Continual improvement of the quality of authentication products and services is facilitated through the complaints-handling process, based on customer and other feedback. The complaints-handling process itself should be monitored on an ongoing basis, and reviewed and assessed in light of feedback.
Unresolved Complaints
When complaints cannot be resolved internally, organizations should be willing to use appropriate third-party dispute resolution processes upon request of the complainant, including those administered by private third parties. However, complainants should continue to have access to the justice system.
[3] An example of this is a contract that imposes terms of service on users.
[4] Such efforts can be made at the industry sector level through the inclusion of provisions in codes, or at the government level through policy or legislation.
[5] This principle accepts and adopts the Organisation for Economic Co-operation and Development (OECD) Guidelines for the Security of Information Systems and Networks (see page 24). The complete text of the Guidelines is available online at www.oecd.org/dataoecd/16/22/15582260.pdf
[6] The Canadian Standards Association's Model Code for the Protection of Personal Information (CAN/CSA-Q830-96) has been incorporated into the federal Personal Information Protection and Electronic Documents Act, S.C. 2000, c.5, as Schedule 1 to that Act. The Code was developed by a multistakeholder working group and adopted by the Standards Council of Canada as a national standard in 1996. Many industry codes of practice also address data protection.
[7] As defined in the Personal Information Protection and Electronic Documents Act: "any information about an identifiable individual."