NIEF TPAT | TD: ICAM Privacy - Run-Time Opt-In for Federated ICAM Transactions

ICAM Privacy - Run-Time Opt-In for Federated ICAM Transactions, v1.0

Defines privacy requirements related to run-time opt-in by end-users for Federated ICAM transactions.

Assessment Step

1 ICAM Privacy - Run-Time Opt-In for Federated ICAM Transactions (ICAMPrivacy-Run-TimeOpt-InforFederatedICAMTransactions) When participating in a Federated ICAM transaction, does the organization obtain positive confirmation from the End User before any End User information is transmitted to any partner organizations' systems? Note that confirmation MUST be obtained at "run-time" (just before the information is transmitted) and MUST enable the End-User to see each attribute that is to be transmitted to the partner system(s) as part of the opt-in process. Artifact A1 Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) that support the assessor's response to this assessment step.

Conformance Criteria (1)

C1 When participating in a Federated ICAM transaction, an organization MUST obtain positive confirmation from the End User before any End User information is transmitted to any partner organizations' systems. Confirmation MUST be obtained at "run-time" (just before the information is transmitted) and MUST enable the End-User to see each attribute that is to be transmitted to the partner system(s) as part of the opt-in process. Citation NIEFPP Section 4: NIEF Privacy Policy Rules, Item 1: Run-Time Opt-In for Federated ICAM Transactions

Show Metadata, Sources & Terms

Hide Metadata, Sources & Terms

Metadata

Identifier

https://trustmark.nief.org/tpat/tds/icam-privacy---run-time-opt-in-for-federated-icam-transactions/1.0/

Publication Date

2021-08-27

Issuing Organization

NIEF (https://nief.org/) View Contact

NIEF Support

help@nief.org

No telephone

No Mailing Address

Keywords

Privacy, ICAM, Opt-In, Opt-Out

Issuance Criteria

yes(ALL)

Legal Notice

This artifact is published by the National Identity Exchange Federation (NIEF). This artifact and the information contained herein is provided on an "AS IS" basis, and NIEF disclaims all warranties, express or implied, including but not limited to any warranty that the use of the information herein will not infringe any rights or any implied warranties or merchantability or fitness for a particular purpose. In addition, NIEF disclaims legal liability for any loss incurred as a result of the use or reliance on the document or the information contained herein.

Sources (1)

NIEFPP	National Identity Exchange Federation Privacy Policy Version 2.0, August 27, 2021. https://nief.org/policies/nief-privacy-policy-2.0.pdf

Terms (7)

Term Name	Abbreviations	Definition
Credential Service Provider	CSP	An equivalent term for an Identity Provider Organization (IDPO).
Federated Identity, Credential, and Access Management	Federated ICAM	Describes activities involving the reuse of previously issued local credentials, such that end-users can use those locally issued credentials to access remote resources through a federated "Single Sign-On" (SSO) protocol.
ICAM Attribute		A piece of data about an end-user that can be transmitted from one system to another, for the purpose of enabling the receiving system to make access control decisions and take other actions (e.g., audit logging) related to that end-user.
Identity Provider Organization	IDPO	An organization that vets individuals, collects attributes about these individuals, and maintains those attributes in an accurate manner. An IDPO typically operates one or more Identity Provider (IDP) systems that support a Single Sign-On (SSO) protocol such as the Security Assertion Markup Language (SAML) or OpenID Connect (OIDC). An IDPO is also sometimes called a Credential Service Provider (CSP).
Identity, Credential, and Access Management	ICAM	Describes acitivites related to identify-proofing end-users, issuing authentication credentials to end-users, lifecycle-managing the issued credentials, and using the issued credentials as part of a strategy whereby end-users' access to sensitive resources is controlled in accordance with applicable policies.
Personally Identifiable Information	PII	Information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc.
Service Provider Organization	SPO	An organization that manages one or more sensitive data resources or applications, and offers access to those resources or applications for federated users from partner organizations, subject to applicable access controls. An SPO typically operates one or more Service Provider (SP) systems that support a Single Sign-On (SSO) protocol such as the Security Assertion Markup Language (SAML) or OpenID Connect (OIDC).

Also available as XML or JSON