Information Assurance Standard: 2019
This standard provides specific information management controls to ensure information collected is suitable for accurate decisions to be made regarding the eligibility or capability of an Entity.
Have your say on our approach
We’re currently seeking feedback on this content as part of the redevelopment of the identification standards and guidance.
Application of this standard
Application of the controls in this standard will contribute to the reduction of identity theft, entitlement fraud, misrepresentation of abilities and the impacts that result.
This standard will replace the requirements outlined in Table 8 of the Evidence of Identity Standard (EOI) Standard version 2.0 — Dec 2009 relating to Objective A — Identity exists.
An effective date will be provided once a successful implementation of the standard has been completed.
This standard applies whenever information related to an entity is collected and stored (whether during enrolment or a subsequent transaction).
Effective information and records management ensures the creation, usability, maintenance, and sustainability of the information and records needed for business operations.
Requirements for good practice information management come from many sources including, but not limited to, the Privacy Act 1993 (currently under review) and the Public Records Act 2005.
This standard does not replace these requirements but provides requirements for identification management in the form of controls that are not explicit elsewhere.
In relation to the scope of identification management, this standard relates to the quality of 'entity information' as indicated in diagram 1.
Diagram 1: Relationship between elements
> Detailed description of diagram
This diagram shows a triangle representing the connection between Entity (for example, a person) at the top, Entity Information at bottom right, and Authenticator at bottom left.
The connection between Entity and Entity Information is labelled Entity Binding, the connection between Entity Information and Authenticator is labelled Authenticator Registration and the connection between Authenticator and Entity is Authenticator Binding.
There is a red circle around Entity Information to indicate the scope of this standard in relation to the other elements.
Relationship with other Identification Management Standards
Table 1 describes each of the assurance components and the processes they relate to. A separate standard has been developed for each assurance component. This standard addresses the first of these assurance components — Information Assurance.
|Robustness of the process to establish the quality and accuracy of Entity Information.|
|Robustness of the process to bind the Entity to Entity Information and/or Entity to Authenticator.|
|Robustness of the process to ensure an Authenticator remains in control of its holder.|
|Robustness of the processes undertaken to maintain the integrity, security and privacy of an authenticator or credential used in multiple contexts.|
Before applying this standard
It is recommended that a full understanding of the context of the collection of information is established and that an assessment of identification risk is carried out.
This standard uses the term ‘Party’ to represent the role that will carry out a control, as this may vary depending on the implementation of the identification process.
Objective 1 — Information protection
A key part of preventing identity theft is to build protections into the collection and storage of information from the beginning.
NZIM IA1.01 Control
The Party MUST have a justifiable need for every piece of information it collects.
NZIM IA1.02 Control
The Party MUST store only the information it requires to carry out its purpose.
Additional information — this includes considering if the full value of a piece of information is needed, or a derived value from the information. Examples of derived values include:
- Age derived from date of birth
- Adult derived from the date of birth is more than 18 years ago — Yes/No
- Salary range derived from the salary is between $50,000 and $60,000 — Yes/No.
NZIM IA1.03 Control
Where information is collected for the sole purpose of verifying required information, the Party MUST discard this information once verification is complete.
Additional information — under this requirement, the Party may keep a record that the information was collected, and the verification process undertaken.
NZIM IA1.04 Control
The Party MUST collect enough distinctive information, related to an entity, for it to be distinguishable from another entity’s information.
Additional information — entity information is likely to be made unique by an internal system number and by the addition of any reference identifier. However, this will be insufficient if these are not known by the claiming entity.
The lack of distinctive information will also make it difficult to identify potential fraud where two entities attempt to claim the same entity information.
Objective 2 — Information format
If any of the information is to be used across multiple systems or for statistical purposes outside the Party, consistent formatting is important for both efficiency and accuracy.
NZIM IA2.01 Control
The Party SHOULD use recommended data format standards for collection and storage of information.
NZIM IA2.02 Control
The Party MUST use approved data format standards when exchanging information.
Objective 3 — Information accuracy
To enable the correct decisions to be made, the information a Party collects will have varying degrees of accuracy. The degree of accuracy determines the level of assurance. The level of assurance needed for information is established through undertaking a suitable risk assessment process.
NZIM IA3.01 Control
The Party MUST establish the level of information assurance (IA) required, for each piece of information collected.
NZIM IA3.02 Control
The Party SHOULD select a suitable source that matches the level of information assurance (IA) required for verifying each piece of information.
Additional information — Table 2 describes information sources for each level of assurance.
|Level 4||Assurance is sought from a source that is authoritative or a continuously synchronised copy of the authoritative source, such that they are considered equal.|
|Level 3||Assurance sought from a source that is a copy of an authoritative source.|
|Level 2||Assurance is sought from a source that used a copy of an authoritative source as verification or verified against sources that may or may not have undertaken any assurance.|
|Level 1||Assurance is not sought; the entity is taken as the source.|
NZIM IA3.03 Control
The Party MUST verify each piece of information against the selected source.
Objective 4 — Source quality
The level of accuracy of information is also dependent on the trustworthiness of the source used. Whether the source is a physical document, electronic credential or database the Party needs to have some assurance that the source is genuine.
NZIM IA4.01 Control
The Party MUST establish the quality of the source is consistent with the level of information assurance (IA) required.
Additional information — Table 3 describes the source quality for each level of assurance.
|Level 4||Assurance is based on the source being systematically identified and accessed through a trusted communication channel.|
|Level 3||Assurance is based on the source being manually identified and/or includes physical security features that require proprietary knowledge to be able to reproduce it.|
|Level 2||Assurance is based on the source being taken at ‘face value’.|
|Level 1||Assurance is not sought.|
What compliance means
These requirements are provided as good practice for any Party wishing to contribute to the prevention of identity theft and fraud.
Compliance with this standard will be given through means such as contractual requirements, cabinet mandate, legislation etc., which will include mechanisms for assessment and certification.
In order to comply with this standard ALL the controls will be met.
The level of information assurance (IA) achieved will be the level below the 1 selected in NZIM IA3.02 and verified against, unless the Party maintains a permanent link that ensures the information remains synchronised.
If the Party is providing information assurance services to other parties, there will be additional controls applied in the Federation Assurance Standard (yet to be published).
The existing Evidence of Identity Standard contains additional guidance that may be used to supplement this standard. The content is being reviewed and updates will be published on Digital.govt.nz.
Department of Internal Affairs