Foreword 3.2.1 TYPES OF MODELS

Table of Contents 

1 Executive Summary 

This deliverable is concerned with the generic application of the best practice guidelines concerning interoperability, which incorporate an effective development method and framework. The guidelines presented in “D4.6: Draft best practice guidelines” have been applied, in broad terms, to four areas of interest relating to identity, namely the FIDIS research project itself and the sectors of e-Government, e-Health and e-Commerce. The identity classification system, which was outlined in “D4.7: Review and classification for a FIDIS identity management model”, has been applied in the report for each of these areas of interest.  

The emphasis is on the delivery of a practical approach, incorporating sound tools and techniques that may be applied in the project and within business sectors dealing with identity management. Imposing a method, that provides a framework and discipline, should assist with the development, dissemination and application of the FIDIS results.

The rationale for developing the method and framework to assist with the creation of the best practice guidelines is outlined in Chapter 2, together with the aims of the deliverable. Chapter 3 briefly restates the proposed FIDIS information management method and framework. The application of the method, to the FIDIS project, e-Government, e-Health and e-Commerce is described in Chapter 4. Chapter 5 discusses how the work will be progressed in the FIDIS 3rd and 4th Work Plans and outlines the method envisaged for disseminating and exploiting the FIDIS results.

2 Introduction 

One of the objects of investigation for the FIDIS research community is the interoperability of identity management systems from the technical, policy, legal and socio-cultural perspectives. It looks at the limits of identity systems designed for one purpose being used for other purposes (e.g. inter-purpose interoperability: e-government, e-health, e-commerce systems), and sees the role of the market in generating interoperability (e.g. interplay of governmental regulation, self-regulation and no regulation: cross-border and cross-sector comparisons). It is important to stress that interoperability of identity management should strike a balance between the need to exchange data and the need to prevent threats against privacy and security.  

The aim of the FIDIS project is to develop integrated approaches for security, virtual identity management, and privacy enhancing technologies at application level, system level and infrastructure level. A fundamental aspect to be considered when applying identity management, involving many disciplines, within all areas of government, commerce and industry, is the development of a common comprehensive framework, which can be shared and applied by practitioners involved with identity management.  

1. 1. The proposed FIDIS framework endeavours to provide managers and developers with an approach to manage effectively and efficiently the vast amount and myriad forms of information and the many issues, such as security and privacy, which identity management technology and systems engender. The framework brings together a wide range of topics that are required to reach good decisions on interoperable identity and its application. 

      The proposed FIDIS framework endeavours to provide managers and developers with an approach to manage effectively and efficiently the vast amount and myriad forms of information and the many issues, such as security and privacy, which identity management technology and systems engender. The framework brings together a wide range of topics that are required to reach good decisions on interoperable identity and its application. 

2.1 Aims of the deliverable 

The aims of the deliverable are: 

1. To apply the proposed FIDIS generic framework, in broad terms, to four areas of interest namely the FIDIS research project and the sectors of e-Government, e-Health and e-Commerce 

2. To apply the proposed FIDIS classification system for each area of interest 

3. To demonstrate the application of the framework and models to support interoperability 

3 The proposed FIDIS Information Management Method and Framework

In the FIDIS project, to meet the challenge of bringing together the many different disciplines of identity management, there is a need for recommending best practice guidelines, which incorporate a method and framework for providing effective governance and information management. To assist the reader, the method and framework are briefly re-stated below. 

The method is separated into four domains, developed by the authors, as shown in Figure 1, namely the requirements domain; the business modelling domain; the information management principles domain; and the system specification domain. In FIDIS these domains cover all aspects of identity management. 

Figure 1: Domains of the Framework 

3.1 Requirements domain 

The requirements are divided into two main areas, those specifying the application activities and those specifying the management activities.  

3.2 Business Modelling Domain 

Business modelling of the activities is an essential prerequisite before information management can be implemented. Organisations should be able to analyse and anticipate the effects of processes, information flows, document management and enabling technologies, such as e-business, upon their operations. 

3.2.1 Types of models

Business modelling takes many different forms and there are many techniques available. What is important is that fundamental processes should be modelled, and the way that this is done should maximise the generation of value for the institution.  

3.2.1.1 Entity models 

Entity models specify the relationships between such entities as people, objects, processes, and information within and between organisations. They are used to brainstorm, or when working from a fresh start, to specify and resolve business issues and to define the related corporate information.  

3.2.1.2 Stakeholder models 

Stakeholder models highlight the different stakeholders who are involved in the various activities of identity management throughout the supply chain. Stakeholder models may be created for particular business sectors, such as e-Government and e-Health, and they may be used as a basis for information flows within and between stakeholders.  

3.2.1.3 Process and information flow models 

Information flow models show the business processes, how they interact with each other and how information flows between them. They provide a functional overview of the operations and allow personnel to see the functions and processes of a business quite independently of the organizational chart.

3.2.1.4 Compliance models 

A generic compliance model, (see D4.6: Section 4.2.1.4),  has been developed in order to assess the degree to which institutions are fulfilling their obligations and their effectiveness in applying identity management.

3.3 Information management principles domain 

The five principles discussed below underpin the modelling and are intended to serve as guidelines for those involved with the design and operation of information systems, irrespective of the technology being deployed.

The principles bring together the high-level internal policy issues and the detailed operational levels of any business or organisation. They are intended to provide a framework within which managers and others can develop detailed operational procedures. Alternatively they may be used as a template to check for the completeness or adequacy of an existing set of procedures and job descriptions. 

The five principles take the form of a set of statements of objectives for information management. These are intended to act as guidelines for a set of procedures that any institution should be capable of devising and operating as an extension of their current standard operating procedures, or of their quality management processes. 

3.3.1 Five Principles of Information Management

The Five Principles are: 

1    Recognise and understand all types of information

2    Understand the legal issues and execute "duty of care" responsibilities

3    Identify and specify business processes and procedures

4    Identify enabling technologies to support business processes and procedures

5    Monitor and audit business processes and procedures

The ordering of the principles also reflects a cascade from the high level classification of information streams to responsibilities, and then on to technology and operational considerations. 

3.3.1.1    Information

To ensure that the institution: 

1. Recognises, understands and controls data and information through its classification, structure and the way it is represented. 

2. Chooses appropriate methods to capture, store and transmit data within the institution and across its boundaries to, and from, its business partners. 

3. Evaluates the information that it holds and takes appropriate measures to protect its information resources. 

4. Implements appropriate levels of security for managing its information. 

3.3.1.2    Duty of Care

To ensure that the institution: 

1. Informs appropriate staff of pertinent legislation and regulations, which apply to the way information and data is handled within their industry and business activities 

2. Executes its responsibilities under the duty of care principle. 

3.3.1.3 es

To ensure that the institution: 

1. Identifies, documents and describes its processes and procedures. 

2. Monitors and controls changes to standard procedures using the documented descriptions of its operations. 

3.3.1.4      Enabling technologies

To ensure that the institution: 

1. Identifies, assesses and applies appropriate technologies to support and enable its business processes and procedures 

2. Establishes procedures to monitor and control potential exposure to risks arising from the misuse or failure of its computer systems 

3.3.1.5       Auditing

To ensure that the institution: 

1. Employs appropriate measures to monitor and document its operations and any deviations from its designated standards and methods of operation as established by its industry’s regulatory bodies. 

3.4 System Domain 

Applying all of the above domains and their components helps to create the specification and requirements of an application system, either manual or electronic, in terms of processes, information and personnel. (See D4.6: Section 4.5)

4 Application of the method

This section outlines how the proposed method and framework may be applied to interoperability within the four areas of interest namely, the FIDIS research project, e-Government, e-Health and e-Commerce. 

4.1 FIDIS research project 

A requirements model for the FIDIS research project is shown in Figure 2. 

Figure 2 : FIDIS Project requirements model  

Research activities 

1. Establish and maintain the “FIDIS Identity Wiki” to disseminate electronically the research (WP2) 

2. Execute research activities relating to “High-Tech Technologies” to support identity and identification (WP3) 

3. Develop the transversal perspective across the full spectrum of FIDIS work through “Interoperability” (WP4) 

4. Jointly execute the research activities relating to “Profiling”(WP7) 

5. Execute research activities relating to “Mobility & Identity” (WP11) 

6. Execute research activities relating to “Emerging Technologies” (WP12) 

7. Execute research activities relating to “Privacy and Privacy Technologies” (WP13) 

8. Jointly execute research activities relating to “Privacy” (WP14) 

Management activities 

1. Manage the research activities through the “Internal Communication Infrastructure” (WP1) 

2. Manage the FCI Steering Committee 

3. Perform the management activity of the “Dissemination of the Research” (WP9) 

4. Perform the activity of the “Network Management” (WP10) 

5. Jointly execute the “PhD Training” in the NoE (WP15) 

4.1.2