ITU-T X.1254 | ISO/IEC 29115
An Overview of the Entity Authentication Assurance Framework
Current Status
• Goal is 2012 publication of X.1254 | ISO/IEC 29115 by both SDOs
• Currently
– Undergoing balloting at ISO for Draft International Standard (DIS)
– Expected to be “Determined” at ITU-T in February
• ITU-T Editor: Dick Brackney, Microsoft
• ISO Editor: Erika McCallister, NIST
Background
• Challenge: Protect system security and individual privacy during e-authentication over open networks.
• Approach: Provide an appropriate level of assurance for those transactions that require e-authentication.
• Based on NIST SP 800-63, e-Authentication Guidelines, June 2006
• Implementation: Five Step Process
Five Step Process
• Conduct Risk Assessment
• Map identified risks to the appropriate assurance level
• Select appropriate controls
• Validate that the implemented controls have met the required assurance level
• Periodically re-assess to determine technology refresh requirements
Contents
1. Scope
2. Normative References
3. Definitions
4. Abbreviations
5. Conventions
6. Levels of Assurance
7. Actors
8. Entity Authentication Assurance Framework Phases
9. Management and Organizational Considerations
10. Threats and Controls
11. Service Assurance Criteria
Clause 1 - Scope
• This Recommendation | International Standard provides a framework for managing entity authentication assurance in a given context. In particular, it:
– specifies four levels of entity authentication assurance;
– specifies criteria and guidelines for achieving each of the four levels of entity authentication assurance;
– provides guidance for mapping other authentication assurance schemes to the four LoAs;
– provides guidance for exchanging the results of authentication that are based on the four LoAs; and
– provides guidance concerning controls that should be used to mitigate authentication threats.
Clause 6 - LoAs
• Describes 4 Levels of Assurance (LoAs)
  Level          Description
  1 – Low        Little or no confidence in the asserted identity
  2 – Medium     Some confidence in the asserted identity
  3 – High       High confidence in the asserted identity
  4 – Very high  Very high confidence in the asserted identity
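The Five Step Process (map identified risks to an assurance level) and the Clause 1 scope items on mapping other schemes to the four LoAs and exchanging authentication results can be made concrete in a few lines. The following is an added example, not code from the briefing or from the standard: it rates a transaction's required LoA from a risk assessment, translates an authentication result expressed in another scheme's levels onto the four LoAs, and lets a relying party accept the result only when the mapped LoA meets the requirement. The impact categories, the impact-to-LoA table, the scheme names ("x1254", "example-scheme"), the `AuthResult` shape and all sample values are constructed assumptions; only the four LoAs themselves come from the standard.

```python
"""Added example, not part of the X.1254 | ISO/IEC 29115 briefing.

Models two pieces of the framework in code:
  * steps 1-2 of the Five Step Process: map the impacts found in a risk
    assessment to the LoA a transaction requires; and
  * a relying party (RP) consuming an authentication result expressed in
    another scheme's levels, mapping it onto the four LoAs and accepting
    it only if it meets the required LoA.
The impact categories, the impact-to-LoA table, the scheme names and the
sample results are all constructed for this example; the standard itself
defines only the four LoAs used here.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Hashable, Optional


class LoA(IntEnum):
    """The four Levels of Assurance of Clause 6; the ordering is meaningful."""
    LOW = 1        # little or no confidence in the asserted identity
    MEDIUM = 2     # some confidence
    HIGH = 3       # high confidence
    VERY_HIGH = 4  # very high confidence


# Constructed mapping from the severity of a potential harm to the LoA that
# covers it. A real deployment derives this table from its own risk assessment.
IMPACT_TO_LOA = {
    "none": LoA.LOW,
    "minor": LoA.MEDIUM,
    "serious": LoA.HIGH,
    "severe": LoA.VERY_HIGH,
}


def required_loa(impacts: dict[str, str]) -> LoA:
    """Map identified risks to an assurance level (five-step process, step 2).

    `impacts` maps a harm category (e.g. "financial loss") to its rated
    severity. The transaction needs the LoA covering the worst rating; an
    unknown rating is an error rather than being silently treated as low.
    """
    worst = LoA.LOW
    for category, severity in impacts.items():
        if severity not in IMPACT_TO_LOA:
            raise ValueError(f"unrated severity {severity!r} for {category}")
        worst = max(worst, IMPACT_TO_LOA[severity])
    return worst


# Mapping of each accepted scheme's levels onto the four LoAs (Clause 1:
# "mapping other authentication assurance schemes to the four LoAs").
# "example-scheme" is a constructed stand-in whose top level only reaches
# LoA 3, so nothing asserted under it can satisfy an LoA 4 requirement.
SCHEME_MAPPINGS: dict[str, dict[Hashable, LoA]] = {
    "x1254": {1: LoA.LOW, 2: LoA.MEDIUM, 3: LoA.HIGH, 4: LoA.VERY_HIGH},
    "example-scheme": {"bronze": LoA.LOW, "silver": LoA.MEDIUM, "gold": LoA.HIGH},
}


@dataclass(frozen=True)
class AuthResult:
    """An authentication result exchanged with the RP (constructed shape)."""
    subject: str
    scheme: str
    level: Hashable


def asserted_loa(result: AuthResult) -> Optional[LoA]:
    """Translate a result's scheme-specific level into an LoA.

    Returns None when the scheme or level is not in the mapping table: an
    unmapped result carries no assurance the RP can rely on.
    """
    mapping = SCHEME_MAPPINGS.get(result.scheme)
    if mapping is None:
        return None
    return mapping.get(result.level)


def accept(result: AuthResult, needed: LoA) -> bool:
    """RP decision: accept only if the mapped LoA meets or exceeds the need."""
    got = asserted_loa(result)
    return got is not None and got >= needed


if __name__ == "__main__":
    need = required_loa({"financial loss": "minor", "privacy harm": "serious"})
    print("transaction requires", need.name)
    for r in (
        AuthResult("alice", "x1254", 3),
        AuthResult("bob", "example-scheme", "gold"),
        AuthResult("carol", "example-scheme", "platinum"),
        AuthResult("dave", "unknown-scheme", 4),
    ):
        verdict = "accept" if accept(r, need) else "reject"
        print(r.subject, r.scheme, r.level, "->", verdict)
```

Two design points matter for the relying party: the mapping table can only translate a foreign level to an LoA, never raise it, so a scheme whose strongest level maps to LoA 3 cannot be accepted for an LoA 4 transaction; and a result from a scheme or level the RP has not mapped yields no LoA at all and is rejected rather than being given the benefit of the doubt.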
Clause 7 - Actors
• Entity
• Credential Service Provider (CSP)
• Registration Authority (RA)
• Relying Party (RP)
• Verifier
• Trusted Third Party (TTP)
Clause 8 - EAAF
(Slide diagram: the three technical phases of the EAAF and the management & organizational processes; the diagram carries the legend labels Normative and Informative.)
Technical
• Enrolment phase
– Application and initiation
– Identity proofing
– Identity verification
– Record-keeping/recording
– Registration
• Credential management phase
– Credential creation
– Credential pre-processing
– Credential initialization
– Credential binding
– Credential issuance
– Credential activation
– Credential storage
– Credential suspension, revocation, and/or destruction
– Credential renewal and/or replacement
– Record-keeping
• Entity authentication phase
– Authentication
– Record-keeping
Management & Organizational
– Service establishment
– Legal and contractual compliance
– Financial provisions
– Information security management and audit
– External service components
– Operational infrastructure
– Measuring operational capabilities
Clause 10 Threats and Controls are organized around these processes
Clause 9 – Management and Organizational Considerations
• Service Establishment
• Legal and Contractual Compliance
• Financial Provisions
• Information Security Management and Audit
• External Service Components
• Operational Infrastructure
• Measuring Operational Capabilities
Clause 10 – Threats and Controls
• Organized by phase and process of the EAAF
• For humans and non-person entities (NPEs)
Clause 11 – Service Assurance Criteria
• Trust framework operators that seek to comply with this Framework shall establish specific criteria fulfilling the requirements of each LoA that they intend to support and shall assess the CSPs that claim compliance with the Framework against those criteria. Likewise, CSPs shall determine the LoA at which their services comply with this Framework by evaluating their overall business processes and technical mechanisms against specific criteria.
Questions?
• Contact Information
– ITU-T Editor: Dick Brackney
• dibrack@microsoft.com
– ISO Editor: Erika McCallister
• erika.mccallister@nist.gov

29115_briefing_2012_rcb 012012.ppt
