Evidential weight and legal admissibility of linking electronic identity to information
Code of practice for the implementation of BS 10008

BSI Standards Limited
389 Chiswick High Road
London W4 4AL

© British Standards Institution 2014

All rights reserved. Except as permitted under the Copyright, Designs and Patents Act 1988, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means – electronic, photocopying, recording or otherwise – without prior permission in writing from the publisher.

Whilst every care has been taken in developing and compiling this publication, BSI accepts no liability for any loss or damage caused, arising directly or indirectly in connection with reliance on its contents except to the extent that such liability may not be excluded in law.

While every effort has been made to trace all copyright holders, anyone claiming copyright should get in touch with the BSI at the above address.

BSI has no responsibility for the persistence or accuracy of URLs for external or third-party internet websites referred to in this book, and does not guarantee that any content on such websites is, or will remain, accurate or appropriate.

The right of Peter Howes and Alan Shipman to be identified as the authors of this Work has been asserted by them in accordance with sections 77 and 78 of the Copyright, Designs and Patents Act 1988.

Typeset in Frutiger by Letterpart Limited, letterpart.com
Printed in Great Britain by Berforts Group, www.berforts.co.uk

British Library Cataloguing in Publication Data
A catalogue record for this book is available from the British Library

ISBN 9 805 08 6 85
Evidential weight and legal admissibility of linking electronic identity to information – Code of practice for the implementation of BS 10008 (referred to in this document as ‘the Code’) is primarily concerned with the authenticity, integrity and availability of electronic identity, to the demonstrable levels of certainty required by an organization. It is particularly applicable where electronic identity attached to specific documents or other information may be used as evidence in disputes inside and outside the legal system.

This is the fifth edition of the Code, which was first published by BSI in 1998, as PD 5000. This edition is an editorial revision of the fourth edition (2008). It is technically similar, but has been restructured in recognition of the publication of BS 10008:2014, Evidential weight and legal admissibility of electronic information — Specification, and can be considered to be a guide to the implementation of the British Standard in relation to linking electronic identity to information.

Users of all previous editions should consider the advantages of assessing their information management systems in light of this new edition, and amend their systems and/or documentation where appropriate.

This publication is the third part of BIP 0008, which is made up of the following:
• BIP 0008-1 (2014), Evidential weight and legal admissibility of information stored electronically — Code of practice for the implementation of BS 10008; and
• BIP 0008-2 (2014), Evidential weight and legal admissibility of information transferred electronically — Code of practice for the implementation of BS 10008.

The Code is published by BSI in recognition of the large number of implementations of electronic information management systems, and of the continuing uncertainty about the legal acceptability of an electronic identity linked to electronic information. It provides good practice guidance for the use of electronic identity management systems.
The Editors would especially like to thank the BSI Legal Admissibility Editorial Board and Panel and committees IDT/1, Document management applications and IDT/1/5, Revisions of BS 10008 for their contribution to the current and previous editions of this publication, in particular for their business foresight and tireless reading of the manuscript. Their suggestions for improvement added value to the final publications.

The members of IDT/1 are Marin Baie, an Curin ton, A an i ns on, Marc Fresko, Peter Howes, Philip Jones, An rew Ke n, Bill Mayon-White, Roger S Poole, Nick Pope, Ian Walden, Leonie Watson, Andrew Pibworth, Neil Pitman, Alan Shipman and Tom Wilson.

The members of IDT/1/5 are Elisabeth Belisle, Bernie Dyer, Peter Howes, Richard Jeffrey-Cook, Bill Mayon-White, Roger S Poole, Alan Shipman, Rod Stone and Tom Wilson.

In particular, we would like to thank Jennifer Carruth from BSI for her excellent advice and copy-editing skills in developing BS 10008:2014.

Peter Howes
Alan Shipman
(Editors)
Group 5 Training Limited

The first edition of PD 5000, published in 1998, was sponsored by Group 5, in association with the Electronic Originals Initiative.

BSI would like to thank the following people who reviewed the fifth edition of this book:
John Avellanet, Managing Director & Principal, Cerulean Associates LLC
Dian Shi ito, Quality Systems Manager, CDS
Neil Maude, General Manager, Arena Group
Elisabeth Belisle, Managing Director, Sandbox
Electronic identity

The implementation and use of electronic information management systems and electronic communications systems provides significant benefits to many organizations. The traditional processes of associating identity with information to attest origin, authority or copyright ownership are, however, no longer sufficient, and the process of ‘signing’, in ink, a paper document to confirm who produced, approved or authorized it may no longer be practically achievable or efficient. Methods for providing an equivalent to these identity marks need to be provided by such systems. The Code details operational procedures and technology requirements for these equivalent methods.

Many techniques are available to represent the intent or consent of an individual expressed in an electronic document or electronic transaction and to show that the electronic document or electronic transaction was actually created or approved by that particular individual; that is, the electronic equivalent of a handwritten signature.

Where copyright ownership can be associated with electronic information, additional evidence is available with regard to the identity of the information owner. Additionally, where electronic information has been encrypted, there may be additional evidence of the information owner.

INFORMATION – Identity theft: The problem

According to Action Fraud, the UK’s national fraud and internet crime reporting centre, identity theft is when personal details are stolen and identity fraud is the use of that stolen identity in criminal activity to obtain goods or services by deception.

Fraudsters can use identity details to:
• open bank accounts;
• obtain credit cards, loans and state benefits;
• order goods in the targeted person’s name;
• take over the targeted person’s existing accounts;
• take out mobile phone contracts; and
• obtain genuine documents such as passports and driving licences in the targeted person’s name.

Stealing an individual’s identity details does not, on its own, constitute identity fraud. But using that identity for any of the above activities does.

http://www.actionfraud.police.uk/fraud_protection/identity_fraud

In the UK, CIFAS (the UK’s Fraud Prevention Service) reported that the fraudulent use of identity details is the biggest and most perturbing fraud threat.

50% of all frauds identified in the UK during 2012 related to the impersonation of an innocent victim or the use of a completely false identity. Furthermore, whilst the number of fraud cases identified rose by 5% between 2011 and 2012, the number of identity fraud cases identified rose by 9.1% in the same period.

http://www.cifas.org.uk/fraudtrendstwentytwelve

Identity theft is a worldwide issue. In December 2013 the Justice Department’s Bureau of Justice Statistics (BJS) announced that an estimated 16.6 million people, representing 7 percent of all persons age 16 or older in the United States, experienced at least one incident of identity theft in 2012. Identity theft victims reported a total of $24.7 billion in direct and indirect losses attributed to all incidents of identity theft experienced in 2012. It is important to realize that these losses exceeded the $14 billion victims lost from all other property crimes (burglary, motor vehicle theft, and theft) measured by the US National Crime Victimization Survey for the same period.

http://www.bjs.gov/index.cfm?ty=pbdetail&iid=4821
The Code details procedures for the use of certificates that identify individuals or organizations as electronic versions of the manual ‘signing’ of documents by these individuals or organizations. An independent verification of such a certificate may be required either at the time of a specific action or process (e.g. an electronic communication being sent or stored), or subsequently. This part of BIP 0008 defines procedures that should be implemented when using such a facility.

For the purposes of the Code, an organization able to verify such certificates and signatures is referred to as a ‘trusted third party’ (TTP). A TTP is an organization that will perform the verification of certificates used by an organization, or issued to a particular individual. The TTP may be the original issuer of the certificates. In some cases, however, an agent of the TTP may have been the certificate issuer.

The American Bar Association publication, Digital Signature Guidelines: Legal Infrastructure for Certification Authorities and Secure Electronic Commerce, states that a TTP ‘must have sufficient financial resources:
1. to maintain its operations in conformity with its duties, and
2. to be reasonably able to bear its risk of liability to subscribers and persons relying on certificates issued by the certification authority [TTP]’.

This basic tenet should be ascertained by the user of the TTP, especially as it is placing reliance and trust in the TTP’s services.

This in turn leads to another important factor. The level of surety required for a particular certificate may vary depending upon the value of the information being signed. The user needs to ensure that the liability accepted by the TTP is appropriate for the specific information being signed.

INFORMATION – tScheme

People and organizations need to have trust in e-commerce. To this end, commercial security services, generally called ‘trust services’, are being introduced to help defend against fraud and loss of privacy. tScheme was created to facilitate confidence that these ‘Trust Service Providers’ (TSPs) will deliver the services they claim to offer honestly and expertly.

tScheme is an independent, non-profit making, industry-led UK body set up to approve these services and provide that confidence. Membership of tScheme is actively encouraged across all interested sectors of UK industry, and a broad range of organizations are already represented and contributing to its development.

As awareness of e-security grows, an increasing number of end users and relying parties are looking for extra assurance before committing to online transactions. In particular they will look for a web seal to show that a website operates to particular standards. In the same way, the tScheme Mark acts as a trust seal to show that the service provider is following best practice:
• the service has been thoroughly evaluated against rigorous criteria by independent experts;
• the service provider has agreed to keep to these criteria;
• the service provider subscribes to the tScheme Code of Conduct; and
• the service provider has agreed to act promptly and fairly to remedy faults.

http://www.tscheme.org/

The Code details information that a user should check before using a TTP. It also details issues that a TTP should address.

A number of these areas will be relatively new to many organizations. Key and certificate issuing organizations and service providers, however, offer products and services that address these areas. Their guidance can be very useful but, as with all service or product suppliers, the onus will rest with the user (organization or individual) rather than with the supplier.

Many service providers will include a certificate policy and a ‘certification practice statement’ (CPS) as part of their commitment to their users. These (and the supplier’s contract) need to be reviewed in detail against the organization’s requirements if such a supplier is used.
Purpose of the Code

The Code covers:
• sender and recipient identity verification;
• evidentially provable electronic signatures; and
• linking identity of copyright ownership to electronic information.

The Code also covers the application of technology to provide electronic message sender and recipient identity verification; this is the association of identity with a transferred document. This may be by the use of a digital signature; where the similar or associated cryptographic techniques are also used for confidentiality, this application is addressed in this part of BIP 0008.

The Code does not cover the application of identity and identity tokens for access to services. These logical and physical access control functions may well use techniques in common with those used in the Code. The fundamental question asked when an identity is attributed to an individual, ‘Are they really who they say they are?’, is a common issue that must be addressed.

The Code does not recommend specific technologies – it simply details required attributes, procedures and processes to be applied, together with the requirements for the audit of such systems.

Management framework

Chapters 1 to 7 of the Code are structured along the lines of the standardized structure of ISO Management System Standards, such that its implementation can be synchronised with other management systems such as BS ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems — Requirements, where appropriate.
This part of the Code covers procedures and processes relevant to the following electronic information authentication principles:
• electronic identity verification – proving the genuineness of the individual/organization that produced, transferred and/or stored the electronic document;
• electronic signature – the application of the legal equivalent of a ‘pen and ink’ signature on a paper document;
• electronic copyright – the application of a copyright mark to electronic information; and
• linking the electronic identity and/or electronic signature and/or electronic copyright to the particular electronic information (and preventing compromise to its integrity).

The identity of the originator or sender of electronic information may need to be demonstrated, particularly where problems of false identity have been detected, or are suspected. This requirement is particularly applicable where internet communications are involved. Typically, robust and trustworthy electronic verification of identity is applied using cryptographic techniques, by the issue and use of certificates involving Private and Public Key technologies.

Where electronic signatures are used, the Code provides guidelines for ensuring that such signatures will replace or enhance an existing written signature. Such signatures need to be selected and utilized without unexpected compromise to the parties involved in the exchange of signed information and its verification and validation. Electronic signatures will, in all cases, need to be supported by an electronic identity.

Where electronic copyright protection systems are used, the Code provides guidelines for their use. In the context of the Code, copyright does not include collection of licence fees, purely the protection and linking of copyright holding by an entity to a document.

INFORMATION – Digital rights management

Digital rights management (DRM) is an umbrella term for legally binding technical protection measures that allow owners of copyrighted digital content to control digital content after an ordinary contractless sale of the content.

DRM poses one of the greatest challenges for content communities in this digital age. Traditional rights management of physical material benefited from the material’s physicality as this provided some barrier to unauthorized exploitation of content. Today, however, we already see serious breaches of copyright law because of the ease with which digital files can be copied and transmitted.

First-generation DRM systems focused on security and encryption as a means of solving the issue of unauthorized copying; that is, lock the content and limit its distribution to only those who pay. A well understood example of this is the supply of a one-time key to complete installation of downloaded software and enforced web based registration to ensure the software is not repetitively installed in contravention of the licence.

This approach was substantially narrower than the broader capabilities of second-generation DRM systems. The second generation of DRM covers the description, identification, trading, protection, monitoring and tracking of all forms of rights usages over both tangible and intangible assets, including management of rights holders’ relationships. Additionally, it is important to note that DRM is the ‘digital management of rights’ and not the ‘management of digital rights’. That is, DRM manages all rights, not only the rights applicable to permissions over digital content.

DRM systems restrict the use of digital files in order to protect the interests of copyright holders. DRM technologies can control file access (number of views and/or length of views), altering, sharing, copying, printing and saving. These technologies may be contained within the operating system or program software, or in the actual hardware of a device.

DRM systems take two approaches to securing content. The first is ‘containment’, an approach where the content is encrypted in a shell so that it can only be accessed by authorized users. The second is ‘marking’, the practice of placing a watermark, flag or XML tag (BS ISO/IEC 21000-5:2004, Information technology — Multimedia framework (MPEG-21) — Part 5: Rights Expression Language) on content as a signal to a device that the media is copy protected.

Information rights management (IRM), sometimes also called Enterprise Digital Rights Management, is a subset of DRM. IRM is used to protect sensitive information from unauthorized access, typically in a business-to-business model (e.g. financial data, intellectual property, executive communications). IRM allows for information (mostly in the form of documents and emails) to be ‘remote controlled’. This means that information and its control can now be separately created, viewed, edited and distributed.

Whilst not necessarily evidential weight and legal admissibility issues, and because similar cryptographic techniques are often used, the Code also provides guidance for provision of confidentiality issues, by ensuring that the information cannot be seen by unauthorized individuals. Confidentiality of information is typically handled by applying cryptographic encoding to the information, so that it can only be accessed by someone having the appropriate decoding processes and keys.
COMMENT

Email has become an essential business tool but it must be used with care if the sender or recipient is to rely upon email in the event of a dispute. It is not technically difficult to make an email appear to come from someone other than the real sender. This ID ‘spoofing’ is used extensively by spammers to mask their identities.

Many secure email services use ‘Secure/Multipurpose Internet Mail Extensions’ (S/MIME), which provide a consistent way to send and receive secure MIME data. See the Internet Engineering Task Force’s (IETF’s) RFC 3851 (to be replaced by 5751). Based on the widely adopted internet MIME standard, S/MIME provides the following cryptographic security services for electronic messaging applications:
• authentication;
• message integrity and non-repudiation of origin (using digital signatures); and
• data confidentiality (using encryption).

A note of caution: to enable the internet mail infrastructure to route confidential messages that include S/MIME, there are parts of the message that cannot be encrypted, for instance, the recipient and sender identity details.
Applicability

This part of the Code is applicable to electronic identity management systems and can be applied to any form of electronic identity management system, irrespective of the technology used.

The users

The Code is intended for:
• end user organizations that wish to ensure that electronic identity management systems may be used with confidence as evidence in any dispute, within or outside a court of law; and
• integrators and developers of electronic identity management systems that provide facilities to:
  • maximize the evidential weight that a court or other body may assign to presented information;
  • provide confidence in inter-organization trading; and
  • provide confidence to external inspectors (for example, regulators and auditors) and stakeholders that the organization’s electronic identity practices are robust and reliable.

The Code may be used as a common reference standard for business activities within and between organizations and for subcontracting or procurement of IT services or products.

Compliance

Each chapter of the Code contains a general description of the issues being addressed, followed by a list of ‘key issues’. These key issues indicate the critical compliance points that need to be taken into consideration, and acted upon where appropriate, before compliance with the recommendations of the Code can be claimed. Compliance is claimed on a voluntary basis, by self-certification.

A compliance workbook (BIP 0009 (2014), Evidential weight and legal admissibility of electronic information — Compliance workbook for use with BS 10008) has been published to enable an assessment of compliance with BS 10008 to be completed. Where critical compliance points from the Code are not specifically included in the British Standard, these points are included as an optional component in the compliance workbook.

Typical compliance statements are shown in 6.7.2. See also 6.7 for information on compliance audit.

Key requirements

Included in the controls for the Code are a number of underlying criteria that, when complied with, provide assurances that electronic identity management systems have been used in a controlled and understandable manner. As such, they are applicable to both the sender and the recipient of electronic communications.

Topic – Requirement
Proof of identity – Ensuring that keys and certificates are added by the appropriate individual and/or organization
Security of keys and certificates – Ensuring that keys are not compromised prior to and after they have been added to electronic information
Reliable copyright protection systems – Ensuring that copyright is not compromised
Date and time of attribution – Identifying the time of adding information attributes
User acceptance – Ensuring that authorized recipients can reliably interpret keys and certificates

Table 1 – Key requirements for maximizing the evidential weight of electronic identity management systems
1.1 General

This section of the Code relates to Clause 4 of BS 10008, ‘Context of the organization’.

With the move from paper originals to electronic original documents, the use of the electronic equivalent of an ink signature becomes an important part of a document authorization process. A signature can also be used as a method for authenticating the contents of a document.

Technologies can be implemented that apply electronic signatures of various forms to electronic documents, with various degrees of confidence and integrity. Some systems also allow for the verification of an electronic signature by another individual or organization (a TTP).

As with many types of electronic system, however, simply implementing technology may not provide the weight of evidence necessary should an electronic identity be challenged. The implementation of appropriate policies and procedures is necessary in order to create secure, structured and auditable electronic identity management systems.

1.2 Issues

The organization needs to determine the external and internal issues that are relevant to its purpose and that may affect the authenticity and integrity of the information managed by the identity management systems.

The requirement to authenticate electronic information assets that have evidential significance to an organization may be vital to continued operations. Such authentication systems are becoming more widespread, and various features have been established by organizations involved with these systems.

Authentication in the Code deals with proof of identity in relation to document signatories, and to copyright issues.

INFORMATION – Electronic and digital signatures

The terms electronic signature and digital signature are often used interchangeably – they are not the same and the law, in most jurisdictions, goes to some length to clearly distinguish between them.

Electronic signature means a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual’s handwritten signature.

There are many forms of electronic signature, many of which are not particularly resistant to fraud (but it must be remembered that fraud is also prevalent with handwritten ‘wet’ signatures). Electronic signatures have many of the same problems as handwritten signatures but also have some others to consider.

Digital signature means an electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified.

The digital signature uses a pair of cryptographic keys; one of these keys is Private and the other is Public. The Public Key is shared but the Private Key must be retained securely.

If someone else has access to an individual’s Private Key then they can fraudulently digitally sign for that individual as an imposter. This is why security of the Private Key is critical to the robustness and trustworthiness of something digitally signed.

The two important attributes of digitally signed information are:
• the signer is the person with the Private Key; and
• what was signed has not been changed since the act of signing.

It is essential at the planning stage to consult with appropriate third parties that will need to use or inspect the results from authentication systems as detailed in the Code. Examples of such third parties are:
• receiving parties;
• auditors;
• legal experts; and
• technical and operational staff.

The requirement to verify digital or electronic signatures or other identification systems of electronic information by third parties, with full legal significance, is far-reaching. Such verification systems based on digital certificates are becoming more frequently required, as an independent check on electronic information integrity, origination, authority and authenticity.

Similarly, the successful use of copyright protection systems may be critical to the success of an organization.

Thus, when designing and implementing procedures for the verification of such systems in the event of a challenge from another organization, it is essential to consult with organizations that provide independent verification services (TTPs).

Different organizations may not be using the same TTP. Where this situation occurs, the procedures for the various TTPs may be different, as might the services offered, the rigour of checks performed and liabilities accepted. Strict control will be needed under these circumstances.

The user of a specific TTP needs to be aware of the ‘network of trust’ that their TTP is a part of and should ensure that its liability for certificate verification is handled by its TTP (and not ‘passed on’ along the chain to a less trustworthy organization).
INFORMATION – Encryption keys

Software, usually on a user’s computer, generates the pair of encryption keys that will be used in secured applications – a Public and a Private Key.

The Private Key is never distributed or revealed; conversely, the Public Key is freely distributed to any party that negotiates a secure transfer.

During the registration or enrolment process, the user’s Public Key is sent in a certificate request to the certification authority (CA) or its authorized agent, a registration authority.

When the CA approves the request, it generates the user’s digital certificate. The user’s certificate will have been digitally signed by the CA. After the user receives his or her certificate and installs it on the computer, he or she can participate in the secured application.

The user’s digital certificate (an X.509 certificate) contains the user’s Public Key and has been digitally signed by the CA after checking that the user really is who they purport to be (this may be to different levels of confidence depending on how the checks are conducted). The digital certificate is then used either for encryption or digitally signing (frequently there will be two sets of keys and two certificates; one for encryption and a separate one for digital signing). The digital certificate, containing the user’s Public Key, is used by someone wishing to encrypt data for that user; the user decrypts that data using their Private Key. For digital signing, the user’s Private Key is used and the Public Key (in the certificate) is then able to confirm the integrity of the signed content and that it was signed by the user (whose identity was confirmed by the CA before they signed the user’s certificate).

INFORMATION – Hierarchy of trust

There is a concept of hierarchy of trust; this is simply that there must be a CA that everyone agrees is trustworthy. This ultimate authority is called the root CA. The root authority can then certify other CAs below it, which can then certify CAs below them, etc. This is illustrated in the diagram overleaf.

When a certificate is received that has been issued by a first or second level CA, the user can verify that the CA that signed the certificate has been certified by a CA at the level above it and, in turn, that CA has been certified by the one above that, and so on until a chain of trust exists between the lower level CA (or a user certificate) and the root CA. For example, in the diagram, it can be verified that CA No. 3 was certified by CA No. 1, and that CA No. 1 was certified by the Root CA.

When a certificate from a lower level CA is passed along with an encrypted message, all of the certificates in its chain of trust up to the root should be passed along with it.
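The hierarchy of trust just described, together with the two attributes of digitally signed information listed under ‘Electronic and digital signatures’ (the signer holds the Private Key; the content is unchanged since signing), as an added example in Go that is not part of the Code. It builds the Root CA, CA No. 1, CA No. 3 and user certificates from the diagram with the Go standard library, then shows that the user’s certificate verifies only when CA No. 1 and CA No. 3 are passed along with it, and that a signature fails once the content changes or a different Private Key was used; the `entity`, `issue`, `verifyChain`, `verifySignature` and `runDemo` names are this example’s own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// entity is a hypothetical helper type (not from the Code): a Private Key plus the certificate carrying the matching Public Key.
type entity struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

// issue generates a key pair for name and has its certificate signed by parent; parent == nil yields a self-signed Root CA.
func issue(name string, isCA bool, serial int64, parent *entity) (*entity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	parentCert, signer := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &entity{key: key, cert: cert}, err
}

// verifyChain checks that leaf chains up to root through the intermediates passed along with it; only root is trusted a priori.
func verifyChain(leaf, root *x509.Certificate, intermediates ...*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}) // not a TLS-server check
	return err
}

// verifySignature checks sig over msg against the Public Key carried in cert.
func verifySignature(cert *x509.Certificate, msg, sig []byte) bool {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(msg)
	return ok && ecdsa.VerifyASN1(pub, digest[:], sig)
}

type result struct{ FullChain, MissingIntermediate, ForeignRoot, Genuine, Tampered, Impostor bool }

// runDemo builds the Root CA -> CA No.1 -> CA No.3 -> user hierarchy from the diagram, then exercises both signature attributes.
func runDemo() (r result, err error) {
	mk := func(name string, isCA bool, serial int64, parent *entity) (e *entity) {
		if err == nil {
			e, err = issue(name, isCA, serial, parent)
		}
		return
	}
	root := mk("Root CA", true, 1, nil)
	ca1 := mk("CA No.1", true, 2, root)
	ca3 := mk("CA No.3", true, 3, ca1)
	user := mk("user", false, 4, ca3)
	outsider := mk("outsider", false, 5, nil) // self-signed, outside the network of trust
	if err != nil {
		return
	}
	// Chain of trust: the receiver trusts only the Root CA, so every certificate between user and root must travel with the user's.
	r.FullChain = verifyChain(user.cert, root.cert, ca1.cert, ca3.cert) == nil
	r.MissingIntermediate = verifyChain(user.cert, root.cert, ca3.cert) == nil // CA No.1 withheld
	r.ForeignRoot = verifyChain(outsider.cert, root.cert) == nil
	// Digital signature over constructed sample content, made with the user's Private Key.
	msg := []byte("Constructed sample purchase order: 100 units")
	digest := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, user.key, digest[:])
	if err != nil {
		return
	}
	r.Genuine = verifySignature(user.cert, msg, sig)
	r.Tampered = verifySignature(user.cert, []byte("Constructed sample purchase order: 1000 units"), sig)
	impSig, err := ecdsa.SignASN1(rand.Reader, outsider.key, digest[:]) // someone else's Private Key
	r.Impostor = err == nil && verifySignature(user.cert, msg, impSig)
	return r, nil
}
```

Expected outcome: FullChain and Genuine are true; MissingIntermediate, ForeignRoot, Tampered and Impostor are false.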
The organization, therefore, needs to ensure that the agreements between the members of the network of TTPs are adequate to deliver the required verification service and that the fiscal guarantees in the event of failure are sufficient to meet its requirements.

1.3 Requirements

When establishing or reviewing the systems and/or processes that manage the evidential weight of the identity management system, the organization needs to determine:
a) stakeholders that are relevant to the authenticity and integrity of information;
b) the requirements of these stakeholders relevant to that information; and
c) the requirements for information stewardship within the organization.

NOTE: The requirements of stakeholders may include legal and regulatory requirements and contractual obligations.

Typical stakeholders may include:
• owners, managers and staff of the organization;
• third parties with contracts or similar agreements with the organization;
• clients and customers in receipt of services provided by the organization;
• the public where public services are involved.

Information stewardship should be managed by the identification of information asset owners (IAOs) who will typically be those responsible for the processes that generate the information asset in question.

1.4 Boundaries and applicability

The organization needs to determine the boundaries and applicability of the authenticity and integrity of the information managed by the identity management systems in order to establish its scope.

When determining this scope, the organization needs to consider:
a) the external and internal issues referred to in 1.2;
b) the requirements referred to in 1.3; and
c) interfaces and dependencies between activities performed by the organization and those that are performed by other organizations.

The scope needs to be available as part of the policy document.
Trang 242.1 L eadership and commit ment
Thiss ec ionofth CoderelatestoClause 5ofBS10 0 0 8, ‘Le ders hip’
To manag me tn e s od monsratelead r hipan commitme tw ith respecttoth manag me t
of h auth nticityan inte rityofinformation manag dbyth id ntitymanag me tsysemby:
a) e surin that h id ntitymanag me tp lciesan o jectiv esarees ablsh d an arecompatible
w ithth srate icdirection ofth organiz tion;
b) e surin th inte ration ofth id ntitymanag me t ysem re uireme t intoth organiz tion’s
proceses;
c) e surin that h resourcesn e e f or h id ntitymanag me t ys em areav aiable;
d) commu ic tin th imp ranceofeffectiv eid ntitymanag me tan ofconf ormin toth
id ntitymanag me tsysemre uireme t;
e) e surin that h id ntitymanag me tsys em a hiev esit inte d d outcome(s);
f ) directin an sup orin peronstocontibutetoth eff ectiv en s ofth id ntitymanag me t
sys em;
g) promotin contin al mprov eme t; an
h) sup orin oth rrelev antmanag me trolestod monsrateth irlead rhipasitap lestoth ir
areasofresp nsibi ty
2.2 Pol cy statement s
2.2.1 Ge eral
Diff ere t ypesofdocume tmaybeelect onic lysig e byan organiz tion orbya w ork ron be alf
ofan organiz tion T hereceiv in organiz tion n e s obeabletov erif yth sesig atures.Toe able
th impleme tation of uch sysems,th organiz tion n e sa p lcys ateme tthatc n beuse to
g id impleme ter ,an tod monsratetooth rpariesthatsysemsuse w erein ln withp lcy
W herean organiz tionusesT T Ps uch asCA s,th p lcysateme tshouldinclu eth p lcyf or h ir
use
2.2.2 Electronic identity policy statement
2.2.2.1 Structure
To implement the Code, the policy statement produced in compliance with BIP 0008-1 should be extended to include policy on electronic identity management.
The policy statement should be approved by the top management of the organization and reviewed for relevance and content at regular intervals. The frequency of review should be appropriate to the application. This period will typically be the same as the normal procedural audit cycle within the organization, for example annual or in the event of major changes to the system.
There will frequently be more than one type of electronic identity management system in use within an organization. The identity requirements for each document type need to be reviewed, based on timeliness and service levels. Costs may also be a consideration.
In order to align electronic identity requirements with specific electronic documents, a document 'type' designation should be allocated. These types may be described by application (e.g. financial reports or stock lists) or by information content (e.g. an invoice or an order).
The policy statement should set out guidelines for the appropriate application of an electronic identity for each document type. This statement should include the organizational requirements for identity, authority and copyright protection.
The policy statement should document the level and rigour of protection required, detailing the requirements for each document type.
Where there is a requirement, the policy statement should describe the degree of security required; for example, some documents are not as significant as others and proof of the signatory's identity is of less importance (for instance, an internal memo as opposed to a contractual commitment).
The underlying issue with these items is: who will be required to understand the significance of an electronic identity attached to a document? If it is always someone within the same organization, it is significantly less complex than between organizations, because the organization can set its own rules.
For all inter-organizational documents controlled with electronic signatures or copyright protection, it is imperative that the recipient organization is capable of understanding the significance of what is communicated to it, recognizing, implementing and utilizing the relevant controls.
Annex A includes an example electronic identity management policy statement, which may be used during the drafting of an organization's policy statement. It contains some 'typical' statements that may be appropriate in many policy statements.
EXAMPLE
For some electronic documents, it is important that the identity of the signatory is reliable and can be trusted. For other electronic documents, the actual identity of the author may not be important.
For example, an electronic order for goods of high value may need to be signed by an authorized member of staff. The receiving organization would have a list of approved signatories. The order would need to have a verifiable signature attached.
An order for a train ticket over the internet does not, however, need to be signed. The railway company is happy to receive the value of the ticket by the entry of validated credit card details. The identity of the traveller is not important to the transaction.
2.2.2.2 Content
The use of the term 'keys and certificates' is applied to an appropriate and acceptable cryptographic technology that can be used to verify:
INFORMATION – Biometrics
Biometrics are methods by which the identity of an individual can be confirmed. They are used by comparing a newly captured biometric attribute with the biometric that was captured during a controlled registration process, when the link between the biometric and the physical identity could be verified. The attributes are gathered by measuring a person's appropriate physiological or behavioural features.
The term 'biometric' is derived from the ancient Greek words 'bios' for life and 'metron' for measure.
In IT, biometrics usually refers to the technologies for measuring and analysing human physiological characteristics such as fingerprints, eye retinas and irises, voice patterns, facial patterns and hand measurements, especially for authentication purposes. Examples of behavioural characteristics that can be measured include signature recognition, gait recognition and typing recognition.
The policy statement should include the organization's policy (for each document type) on:
• applicable protection techniques that may be used;
• responsibilities for the control and management of these techniques; and
• the control and management of keys and certificates (if used).
Where third parties are involved, the responsibilities and liabilities of those third parties should be clearly identified.
The policy statement should also include the organization's policy on:
• the verification of the validity of certificates and signatures;
• reacting to challenges to certificates and signatures;
• where appropriate, the selection criteria for TTPs;
• arbitration routes as an independent mechanism for enabling the resolution of disputes.
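The first of these bullets, verifying the validity of certificates and signatures, is the part of the policy that reduces to a mechanical check that can be repeated at a later date as evidence. The following Go program is an added example and is not part of the Code or of any TTP's software; it uses only the standard library. It issues a constructed root CA (standing in for the TTP) and a constructed one-year signatory certificate, signs a constructed purchase order, and then applies the two checks in order: that the certificate chains to the trusted root and is within its validity period at the time of checking, and that the signature verifies under the certificate's public key. The CA and signatory names, the dates and the document text are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate from tmpl for pub, signed by signer. When parent
// is nil the certificate is self-signed, i.e. a root standing in for the TTP/CA.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyDocument performs the two checks the policy bullet calls for, in order:
// 1. the signatory's certificate chains to a trusted root and is inside its
//    validity period at the time 'at' (the check is dated, so it can be
//    repeated later to show what was valid when);
// 2. the signature over the document bytes verifies under the public key
//    carried in that certificate.
func VerifyDocument(doc, sig []byte, leaf *x509.Certificate, roots *x509.CertPool, at time.Time) error {
	opts := x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("certificate check failed: %w", err)
	}
	if err := leaf.CheckSignature(x509.ECDSAWithSHA256, doc, sig); err != nil {
		return fmt.Errorf("signature check failed: %w", err)
	}
	return nil
}

// Scenario builds a constructed hierarchy (root CA -> signatory), signs a
// constructed purchase order and reports whether (a) the genuine order
// verifies, (b) a tampered copy verifies, (c) the genuine order still verifies
// when checked after the signatory's certificate has expired.
func Scenario() (genuineOK, tamperedOK, expiredOK bool, err error) {
	now := time.Date(2014, 6, 1, 0, 0, 0, 0, time.UTC) // constructed reference time

	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	caCert, err := issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example TTP Root CA"}, // constructed name
		NotBefore:             now.Add(-24 * time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, &caKey.PublicKey, caKey)
	if err != nil {
		return false, false, false, err
	}

	sigKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	leaf, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "Authorized signatory"}, // constructed name
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(365 * 24 * time.Hour), // one-year certificate
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}, caCert, &sigKey.PublicKey, caKey)
	if err != nil {
		return false, false, false, err
	}

	doc := []byte("PURCHASE ORDER 0001: 40 units, GBP 12,500") // constructed document
	digest := sha256.Sum256(doc)
	sig, err := ecdsa.SignASN1(rand.Reader, sigKey, digest[:])
	if err != nil {
		return false, false, false, err
	}

	roots := x509.NewCertPool()
	roots.AddCert(caCert)

	genuineOK = VerifyDocument(doc, sig, leaf, roots, now) == nil
	tampered := []byte("PURCHASE ORDER 0001: 40 units, GBP 22,500") // one digit altered
	tamperedOK = VerifyDocument(tampered, sig, leaf, roots, now) == nil
	expiredOK = VerifyDocument(doc, sig, leaf, roots, now.Add(2*365*24*time.Hour)) == nil
	return genuineOK, tamperedOK, expiredOK, nil
}

func main() {
	g, t, e, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine: %v, tampered: %v, after expiry: %v\n", g, t, e) // true false false
}
```

The order of the checks matters: a signature that verifies under a certificate that does not chain to a trusted root, or that had expired or been revoked at the time of checking, is not evidence of the signatory's identity, which is why the certificate check comes first and is dated. Revocation checking against the TTP's published revocation data is deliberately not shown here, since how that is obtained depends on the TTP's CPS.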
In some jurisdictions, restrictions apply as to the types and complexity of cryptographic keys that may be used for encryption and electronic signature purposes. These restrictions should be evaluated and complied with as appropriate.
In some jurisdictions, encryption may not be allowed, or may only be allowed to a certain level. Electronic signatures may, however, be allowed. In this event, it is important to verify that the techniques employed can only be used for the provision of electronic signatures.
If there is doubt about local legislation, the use of a TTP should be considered, particularly where it is able to meet local legislative practices.
A TTP needs to be able to demonstrate its awareness of the value of the service that it provides, which needs to be executed under its responsibilities under the duty of care principle.
To fulfil this objective, the organization should ensure that the TTP can demonstrate its awareness of:
• legislation and regulatory bodies pertinent to the TTP and the organization's industry;
• legislation pertinent to countries (or other geographical areas) where its services are delivered;
• the accountability and responsibility requirements for activities involving verification services at all levels; and
• developments, by keeping in contact with the appropriate bodies and organizations.
KEY ISSUE
> Where encryption is used, any local legal restrictions should be identified and complied with.
> The use of local TTPs may assist in this process.
2.2.2.4 Roles and responsibilities
The policy statement should include a statement, for each document type, of the individual responsible for the management of the electronic identity management systems.
The policy statement should include a statement of the responsibility for the issue of verification requests. Such authority may be vested in an individual or a group of individuals, specified by name or by role. The organization should ensure that the TTP is aware of these responsibilities, and only accepts verification requests from authorized individuals.
KEY ISSUE
> Individual responsibilities for the electronic identity management systems should be specified.
> Responsibilities for the issue of verification requests should be specified.
2.2.2.5 Assignment of rights
The policy statement should include a statement, for each document type being stored, of how the assignment of rights to a document is vested in specific persons or is granted to such.
KEY ISSUE
> Individual responsibilities for the assignment of document rights should be specified.
2.2.2.6 Procedures
The policy statement should provide guidelines on the requirement for appropriate procedures to be followed when electronic identity management is being undertaken. Details of these procedures can be found in Chapter 5. These procedures may need to link to the organization's information security policy as detailed in 2.2.3.
KEY ISSUE
> The policy document should give guidelines on the procedures necessary to use the organization's electronic identity management systems.
2.2.3 Information security management
2.2.3.1 Management overview
The organization should be aware of the value of its electronic identity management systems, and execute its responsibilities to those systems under the duty of care principle.
Whilst the organization may utilize one or several trusted third-party service providers, the organization cannot outsource its duty of care responsibilities.
To fulfil its duty of care obligations, the organization should:
• be aware of and demonstrably comply with legislation and regulatory bodies pertinent to its industry;
• be aware of and demonstrably comply with legislation and regulatory bodies pertinent to its country (or other relevant geographical area) of origin, routing and/or receipt of electronic identity document attributes;
• establish a chain of accountability and assign responsibility for all relevant activities; and
• keep abreast of developments by keeping in contact with the appropriate bodies and organizations.
2.2.3.2 Security management guidance
Publications are available that provide advice in devising comprehensive sets of information security guidelines to meet the organization's needs. These may be included in the organization's review process. For some applications, the adoption of externally accredited security schemes as additional confirmation of compliance with their security policy may be appropriate.
There are a number of national and international standards that, if implemented, should support the organization's demonstration of duty of care. Standards that cover information security and service quality issues are particularly appropriate.
COMMENT
The internationally accepted information security management standards are:
BS ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems — Requirements;
BS ISO/IEC 27002:2013, Information technology — Security techniques — Code of practice for information security controls.
Information is the lifeblood of all organizations and can exist in many forms. It can be stored electronically and transmitted by mail or by electronic means. In the competitive business environment, such information is constantly under threat from many sources. These can be internal, external, accidental or malicious.
These information security standards address these issues and have thus been implemented in many major organizations. They are referenced in many places and are becoming the common benchmark against which information security is measured.
Within the UK, there is a formal certification scheme against the requirements of BS ISO/IEC 27001. A number of UK and overseas organizations have seen the benefit of compliance, particularly where they offer IT services to other organizations. Other organizations have used the two documents to assess their information security management systems, as part of their risk assessment processes.
It is important that any decisions made concerning certification or compliance with the standards are recorded by the organization.
KEY ISSUE
> Where an appropriate national or international standard is implemented, electronic identity management systems should be included within the scope of compliance with the standard.
2.2.3.3 Scope
To fulfil the duty of care objective, the organization needs to action the following.
Topic | Action | Section
Information security policy | Implement an information security policy | 2.2.3.4
Risk assessment | Carry out a risk assessment and implement appropriate recommendations |
Risk assessment | Develop, implement and test a business continuity plan | 5.13
Contract | Ensure an appropriate contract is in place with third parties | 2.2.5
Table 2 – Actions required to fulfil the duty of care objective
2.2.3.4 Information security policy
All electronic identity management systems are vulnerable to compromise or change, whether accidental or malicious. To protect these systems, appropriate security measures need to be implemented to reduce the risk of such a compromise or change, and thus of a successful challenge to their effectiveness.
Security measures need to be implemented which ensure that the application of electronic identity is controlled, reliable and auditable.
Similarly, security measures need to be implemented to protect the information that is being secured using keys and/or certificates. Such security measures are important, both for the organization and for a TTP.
Information security, whether in the area of confidentiality, integrity or availability (CIA), is not simply a constraint to be placed upon computer systems. Security and access to the physical environment, for example buildings and networks, and the implementation of policies and procedures by all staff are key elements.
The organization should adopt an information security policy in relation to electronic identity management systems. Where an information security policy exists for other processes (for example, storage), the use of electronic identity and authentication techniques should be incorporated within its scope.
The organization should confirm that any TTPs that it uses have adopted their own information security policies.
Where document verification keys, certificates and other information are archived by a TTP, they should be stored in compliance with that TTP's information security policy.
COMMENT
Compliance with the recommendations of BS ISO/IEC 27002 is widely recommended; certification against BS ISO/IEC 27001 is a way of demonstrating to other organizations that the above requirements are being met.
Such independent accreditation is commonly regarded by TTPs as a means of proving their credentials to their customers. Therefore, the tScheme publication, Guidance for Assessments, references compliance with information security management and formal accreditation against BS ISO/IEC 17799 (now BS ISO/IEC 27001). This certification is not mandated; it is a business decision of the TTP.
The tScheme Guidance for Assessments (tSi0 5) can be found in the tScheme Library:
http://www.tscheme.org/library/index.html#guidelines
The information security policy should contain (for the electronic identity and authentication techniques), as a minimum:
• a scope;
• management objectives regarding the use of electronic identity and authentication techniques;
• management objectives regarding information security for the use of keys and certificates;
• specific policy statements;
• the allocation of information security responsibilities;
• a definition of electronic identity and authentication techniques and responsibilities;
• a definition of responsibilities for keys and certificates;
• training in, and awareness of, the use of electronic identity and authentication techniques;
• key and certificate training and awareness;
• a policy for dealing with potential or actual compromises of electronic identity and authentication techniques;
• a policy for dealing with potential or actual compromises of keys and certificates;
• a policy regarding compliance with appropriate standards; and
• an approval and review process.
Different types of information may require different electronic identity and authentication techniques. These should be identified in the policy statement (see 2.2.3.4).
Where security requirements vary for different document types, the information security policy should identify appropriate needs. These measures need to be considered in the light of utilizing a TTP.
The organization should ensure that its own information security requirements are met by the chosen TTP. The TTP may not wish to publicize actual security procedures, but needs to be able to demonstrate to the organization that it is compliant with this part of the Code.
Different types of keys and certificates may need different security measures. These need to be
KEY ISSUE
> Develop, authorize and implement an information security policy.
> Ensure that the policy's scope includes the electronic identity management systems.
2.2.3.5 Risk assessment
Information security measures are often applied piecemeal, reacting to security incidents or to available computer software tools. This type of approach can fail to recognize the value of the information asset and the risks to the organization from security compromise of electronic identity and authentication techniques. This may leave gaps in security, which may only be filled at some later date, after a security breach.
A more structured approach is to review the information assets and assign risk factors (based on asset value, system vulnerability and likelihood of attack). The information security policy can then be produced and approved against the value model.
Existing security measures should then be reviewed for effectiveness. Factors such as the balance between the cost of implementation and the security achieved should be taken into consideration during the review process.
Where different types of electronic identity and authentication techniques can be used, their individual impact on the risk analysis results should be reviewed.
Recommendations identified by the risk analysis should be implemented.
The organization should also undertake a risk assessment of the services provided by TTPs.
BS ISO 31000:2009, Risk management — Principles and guidelines provides principles and generic guidelines on risk management. It can be used by any public, private or community enterprise, association, group or individual. It can be applied throughout the life of an organization, and to a wide range of activities, including strategies and decisions, operations, processes, functions, projects, products, services and assets. It can be applied to any type of risk, whatever its nature, whether having positive or negative consequences.
KEY ISSUE
> Use risk assessment techniques to ensure that existing information security measures are appropriate, or to identify any measures that need to be taken to improve security.
2.2.3.6 Information security infrastructure
In order to control and manage information security issues with keys and certificates for electronic identity and authentication, an infrastructure needs to be implemented, including relevant systems within its scope.
A management infrastructure, or framework, as defined in BIP 0008-1 should include within its scope electronic identity and authentication techniques.
KEY ISSUE
> Plan and implement an information security framework.
2.2.4 Choosing a TTP
An organization using, and hence depending upon, a TTP for the independent verification of digital signatures and/or copyright protection systems needs to understand and accept the full details of its services.
The organization should review the procedures and processes implemented by a potential TTP, using the recommendations of all three parts of the Code as a benchmark for suitability. However, compliance with these recommendations may not need to be a necessary component of a contract between the organization and a TTP (see 2.2.5).
Trusted third parties should be able to demonstrate that they act in an appropriate manner bearing in mind the location (e.g. country) and legal system in which they and/or their client (and/or the challenger) operate.
During the initial discussions prior to contract agreement, the TTP should disclose any duty or obligation it is under to make information relating to its services available to any other party, including government and regulatory agencies.
The TTP should be able to demonstrate that procedures for different organizations are applied as appropriate, and that any information, keys and certificates it holds are segregated from those of other organizations for which it provides services.
A TTP will normally have amongst its standard documentation set two key formal documents: a certificate policy and a CPS. Both form part of its obligations to the customer, the user. The user should not assume that either the offer detailed in the certificate policy or the CPS or other standard documents meet its requirements, or that the CA will perform to the levels stated in them or its contract. The user should confirm that its needs are reflected and that suitable performance criteria are present, especially in business-to-business situations.
The CPS, and all other documents concerning the agreement with the TTP, should be treated as business critical documents of the organization and be retained in accordance with BIP 0008-1.
KEY ISSUE
> Trusted third parties should be chosen with care, to ensure that their services are appropriate to the requirements of the organization.
2.2.5 Contracts
Where a TTP is used as part of the process for electronic identity management, an appropriately worded contract should be agreed between the organization and the TTP. This contract should include details of the services that are to be used.
The contract should be retained securely by the organization in compliance with BIP 0008-1. Whilst it is an advantage for the contract to include the requirement for compliance by the TTP with all relevant recommendations of the Code, it is not essential. Where the contract does not specify compliance with the Code, service inspection procedures should be implemented, to ensure that the completeness, quality and accuracy of the services provided are assured.
The organization needs to include in its agreement with the TTP its rights to all relevant information held and procedures used in the event of the TTP ceasing to trade, or the contract coming to an end. This is to enable the organization to continue to demonstrate compliance over the lifetime of the information, even where a change of TTP has occurred.
Where the TTP is able to demonstrate compliance with the Code, the organization should hold a copy of, or have suitably controlled access, when required, to the TTP's compliance documentation. The TTP should also be able to demonstrate to the organization that it does, in fact, operate in compliance with the Code.
Whilst it is normal for an organization to deal with a single TTP for a specific document type, it should be recognized that the TTP may need to rely upon a hierarchy or network of TTPs to verify a certificate (see 1.2). Whilst the organization needs to be aware of this, its contractual agreement with the TTP should insulate it from any negative impact (e.g. compromise of a key), where possible, and identify where there has been such an impact.
COMMENT
If a TTP compromises a Private Key, then another TTP may have a claim against the first TTP. In this case, the second TTP's client needs to be protected from this, in line with the third party's agreed contractual liability. This implication of the use of a hierarchy or network of TTPs needs to be clearly understood and accepted by the organization.
KEY ISSUE
> Where TTPs are used, contracts should be signed, and should include appropriate Code compliance statements (see 6.7.2).
3.1 Actions to address risks and opportunities
3.1.1 General
This section of the Code relates to Clause 6 of BS 10008, 'Planning'.
When planning for the authenticity and integrity of information managed by an identity management system, the organization needs to consider the issues referred to in 1.2 and the requirements referred to in 1.3, and determine the risks and opportunities that need to be addressed to:
a) ensure the identity management system can achieve its intended outcome(s);
b) prevent, or reduce, undesired effects; and
c) achieve continual improvement.
The organization also needs to plan:
a) actions to address these risks and opportunities; and
b) how to:
1) integrate and implement the actions into its identity management system processes; and
2) evaluate the effectiveness of these actions.
3.1.2 Risk assessment
Identity management procedures are often developed in an unstructured way, by reacting to user requirements, security incidents and/or available computer software tools. This approach on its own can easily leave gaps in identity management, which are only filled at some later date, typically after a security breach. A more structured approach is to review the identity management systems operated by the organization and assign risk factors (based on asset value, potential threats, system vulnerability and likelihood of attack), on the basis of which appropriate, cost-effective information transfer procedures can be identified. An essential part of identity management is the implementation of an appropriate security policy, which should be produced and approved, based on the risk assessment, and against which security measures can be developed and implemented.
NOTE: A review of this type generally requires security expertise and a range of appropriate technical skills.
The organization should undertake an information security risk assessment along these lines, and document the results obtained. Of particular importance are the security measures implemented for the management of identity. The risk analysis needs to include vulnerability risk factors consistent with the type of identity system used.
On the basis of the results of the risk assessment, existing security measures should be reviewed for effectiveness. Factors such as the balance between the cost of implementation and the security achieved need to be taken into consideration during the review process. Where the review indicates that changes to security measures are appropriate, an action plan should be drawn up with new or amended security measures prioritized for implementation.
KEY ISSUE
> Perform a risk assessment of existing security measures, and implement cost-effective technology and/or procedures to fill any gaps found.
The risk assessment will lead to the acquisition of information and the creation of risk reports. These reports, backed up by the information used to develop the conclusions and recommendations in the reports, may provide useful evidence in relation to the identity management decisions made by the business.
It is thus important to retain information related to risk assessments in line with an information retention schedule.
KEY ISSUE
> Retain records of risk assessment methods and results in line with the retention schedule.
3.1.3 Risk treatment
The results of the risk assessment should be used to guide and determine the appropriate management action and priorities for managing information risk and implementing controls selected to protect against those risks.
BS ISO/IEC 27005:2011, Information technology — Security techniques — Information security risk management provides information security risk management guidance, including advice on risk assessment, risk treatment, risk acceptance, risk communication, risk monitoring and risk review.
BS ISO/IEC 27005 describes the input to a risk treatment process as a list of identified risks, prioritised according to the organization's risk evaluation criteria. Risk treatment includes the identification and implementation of controls to reduce, retain, avoid or share the identified risks.
Risk treatment can be implemented by one or more of the following non-exclusive processes:
• risk modification;
• risk retention;
• risk avoidance;
• risk sharing.
Risk modification involves the addition, removal or modification of existing controls such that the residual risks can be re-evaluated.
Risk retention is the process of retaining an identified risk without further action. This is acceptable where the identified risk is within the agreed risk criteria.
Risk avoidance involves the removal of processes related to the risk, such that the risk is no longer present. This may be used where other forms of risk treatment are too costly to implement.
Risk sharing involves the sharing of the identified risks with other parties, such as by insurance or by subcontracting particular processes.
3.2 Objectives and achievements
The organization needs to establish identity management objectives at relevant functions and levels.
The identity management objectives need to:
a) be consistent with the identity management policy;
b) be measurable (if practicable);
c) take into account applicable identity management requirements, and results from risk assessment and risk treatment;
d) be communicated; and
e) be updated as appropriate.
The organization shall retain information on the identity management objectives.
When planning how to achieve its identity management objectives, the organization needs to
4.1 Resources
This section of the Code relates to Clause 7 of BS 10008, 'Support'.
The organization needs to determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the identity management system.
4.2 Competence
The organization needs to:
a) determine the necessary competence of the person(s) doing work under its control that affects its identity management performance;
b) ensure that these persons are competent on the basis of appropriate education, training or experience;
c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; and
d) retain appropriate documented information as evidence of competence.
NOTE: Applicable actions may include, for example: the provision of training to, the mentoring of, or the reassignment of current workers; or the hiring or contracting of competent persons.
Workers doing work under the organization's control shall be aware of:
a) the identity management policy;
b) their contribution to the effectiveness of the identity management system, including the benefits of improved identity management performance; and
c) the implications of not conforming with the identity management system requirements.
4.4 Reporting and communications
It is important when developing policies and procedures to ensure that:
• information related to the policies and procedures is made available to those who are, or may be, affected by them;
• there is a mechanism for feedback from the implementers of the policies and procedures;
• there is a mechanism for reviewing risks related to the policies and procedures;
• details of any challenges to the authenticity and/or integrity of information are fed back to those responsible for compliance with the Code; and
• key individuals responsible for managing communications are identified.
KEY ISSUE
> Ensure that a reporting and communications mechanism is in place, to ensure that new or updated policies and procedures are implemented by all appropriate staff.
4.5 Documentation and records
4.5.1 General
Documented information (also known as records) related to the process of managing information stored electronically needs to be created and retained for as long as is necessary. Section 4.5.2 details procedural documentation that needs to be created and retained. This section also includes information related to the management of this information, including the requirement for version control and appropriate retention periods.
4.5.2 Procedural documentation
4.5.2.1 General
Compliance with the Code requires the availability and use of specified documentation. This documentation consists of the following:
• electronic identity policy statement (see 2.2.2);
• information security policy document (see 2.2.3);
• procedures manual (see 4.5.2.3);
• system description manual (see 4.5.2.4).
The availability of these documents, and demonstrable adherence to the procedures described therein, should, if effectively constructed, provide the audit trail that may be used to demonstrate the authenticity of the electronic identity management systems, and thus enhance the evidential weight of information contained therein.
Note that each of the documents mentioned in the list may actually be maintained as multiple documents, or these documents may be combined. The key recommendation is that the documentation exists, is maintained and is readily accessible to those authorized within the organization to access it and to any authorized third party who may require access. It may also be appropriate to combine this documentation with that developed for compliance with the other parts of BIP 0008.
All documentation needs to be maintained in line with existing working practices, and thus should be maintained under a version control system (see 5.1).
Additional documentation may be required to support the daily operation of the system, for example:
• a system maintenance log (see 5.14);
• an audit trail (see 4.5.3);
• compliance statements (see 6.7.2).
The content of this documentation can easily become unreliable where there are no procedures in place to ensure that it keeps pace with both organizational and system changes. Unreliable documentation may adversely affect legal arguments relating to the correct operation of an electronic identity management system. It is, therefore, important to ensure that the definitive versions of system documents are brought under configuration management control and are firmly linked to the organization's change management procedures.
Where compliance with the Code is claimed over a period of time during which different editions of the previously listed documentation were appropriate, then all editions of this documentation should be kept, in conformance to the policy document. This is to ensure that, where information regarding the system at a point in the past is required, it can be obtained from this document store.
4.5.2.2 Updating and reviews
It is important to ensure that the procedures implemented at any time during the storage life of any specific electronic document with an associated electronic identity can be determined. This is achieved by ensuring that the procedures manual is kept up to date, and that all previous versions are kept in compliance with the policy statement (see 2.2.2).
KEY ISSUE
> All changes to operational procedures should be managed by a change control procedure, including updating of the procedures manual.
> Superseded versions of the procedures manual should be kept in compliance with BIP 0008-1.
> The procedures manual should be regularly reviewed, to ensure that it is up to date.
> All changes should be reviewed to ensure that compliance with the Code is not compromised.
4.5.2.3 Identity management procedures
The organization should maintain a procedures manual which should document (or reference) procedures used for operating the electronic identity management systems, to ensure their conformity to the controls detailed in the Code.
The policy document should, for each document type, describe the tools to be used for the association of each of the following attributes, as applicable:
• electronic identity;
• electronic signature;
• electronic copyright;
• confidentiality.
These procedures should specify at what point in the information lifecycle these attributes are to be applied and how.
A single document or data file may have more than one such attribute applied, and not necessarily contemporaneously.
A single document or data file may have different attributes applied by different entities.
Where an organization operates a quality management system, such as BS EN ISO 9000:2005, Quality management systems — Fundamentals and vocabulary, the procedures manual should be included within the quality system.
KEY ISSUE
> A procedures manual should be made available, containing details of (or reference to) other relevant documentation concerning all procedures relevant to the electronic identity management systems.
The procedures manual should include the following topics:
Topic | Action | Section
Keys and certificates | Issuance, acceptance, management, revocation, checking, storage and retention, compromise and key recovery issues | 5.3
Copyright issues | Information ownership, protection and managing change of ownership of copyright documents | 5.4
Issuing authority | Management of the authority to issue and attribute electronic information | 5.5
Applying information attributes | Issuing procedures for attributed electronic information | 5.6
TTPs | Dealing with TTPs, including procedures, communications, verifications, constraints, Trusted Time, responses, appeals and storage issues | 5.15
Version control | Management of multiple versions of documents or data files | 5.1
Table 3 – Topics to be included in the procedures manual
4.5.2.4 Key technology components
A description of the hardware, software and network elements that comprise an electronic identity management system is required. This should include details of system configuration. The documentation should be structured so that details of the system at any time during the period of its use may be readily accessed. This may be achieved by creating a new version of the manual every time there is a change, or by including a 'change control' section in the manual. What is important is that there is a clear description of the system as it was at a particular time in the past.
For systems already in operation, an electronic identity established prior to the introduction of the Code cannot be considered as meeting its provisions unless the controls and procedures described in the Code have been in place from the time of establishing the identity.
Where the electronic identity policy statement (see 2.2.2) requires compliance with particular national and/or international standards, the system description manual should include a section demonstrating compliance with those standards. This enables system auditors to check the performance and reliability of the system against these standards.
KEY ISSUE
> A system description manual should be made available, containing details of (or reference to other relevant documentation containing details of) all technology-related issues relevant to an electronic identity management system at any point in time.