1 Executive Summary
This deliverable is concerned with the generic application of the best practice guidelines concerning interoperability, which incorporate an effective development method and framework. The guidelines presented in “D4.6: Draft best practice guidelines” have been applied, in broad terms, to four areas of interest relating to identity, namely the FIDIS research project itself and the sectors of e-Government, e-Health and e-Commerce. The identity classification system, which was outlined in “D4.7: Review and classification for a FIDIS identity management model”, has been applied in the report for each of these areas of interest.
The emphasis is on the delivery of a practical approach, incorporating sound tools and techniques that may be applied in the project and within business sectors dealing with identity management. Imposing a method that provides a framework and discipline should assist with the development, dissemination and application of the FIDIS results.
The rationale for developing the method and framework to assist with the creation of the best practice guidelines is outlined in Chapter 2, together with the aims of the deliverable. Chapter 3 briefly restates the proposed FIDIS information management method and framework. The application of the method, to the FIDIS project, e-Government, e-Health and e-Commerce is described in Chapter 4. Chapter 5 discusses how the work will be progressed in the FIDIS 3rd and 4th Work Plans and outlines the method envisaged for disseminating and exploiting the FIDIS results.
2 Introduction
One of the objects of investigation for the FIDIS research community is the interoperability of identity management systems from the technical, policy, legal and socio-cultural perspectives. It looks at the limits of identity systems designed for one purpose being used for other purposes (e.g. inter-purpose interoperability: e-government, e-health, e-commerce systems), and sees the role of the market in generating interoperability (e.g. interplay of governmental regulation, self-regulation and no regulation: cross-border and cross-sector comparisons). It is important to stress that interoperability of identity management should strike a balance between the need to exchange data and the need to prevent threats against privacy and security.
The aim of the FIDIS project is to develop integrated approaches for security, virtual identity management, and privacy enhancing technologies at application level, system level and infrastructure level. A fundamental aspect to be considered when applying identity management, involving many disciplines, within all areas of government, commerce and industry, is the development of a common comprehensive framework, which can be shared and applied by practitioners involved with identity management.
The proposed FIDIS framework endeavours to provide managers and developers with an approach to manage effectively and efficiently the vast amount and myriad forms of information and the many issues, such as security and privacy, which identity management technology and systems engender. The framework brings together a wide range of topics that are required to reach good decisions on interoperable identity and its application.
2.1 Aims of the deliverable
The aims of the deliverable are:
To apply the proposed FIDIS generic framework, in broad terms, to four areas of interest namely the FIDIS research project and the sectors of e-Government, e-Health and e-Commerce
To apply the proposed FIDIS classification system for each area of interest
To demonstrate the application of the framework and models to support interoperability
3 The proposed FIDIS Information Management Method and Framework
In the FIDIS project, to meet the challenge of bringing together the many different disciplines of identity management, there is a need for recommending best practice guidelines, which incorporate a method and framework for providing effective governance and information management. To assist the reader, the method and framework are briefly re-stated below.
The method is separated into four domains, developed by the authors, as shown in Figure 1, namely the requirements domain; the business modelling domain; the information management principles domain; and the system specification domain. In FIDIS these domains cover all aspects of identity management.
Figure 1: Domains of the Framework
3.1 Requirements domain
The requirements are divided into two main areas, those specifying the application activities and those specifying the management activities.
3.2 Business Modelling Domain
Business modelling of the activities is an essential prerequisite before information management can be implemented. Organisations should be able to analyse and anticipate the effects of processes, information flows, document management and enabling technologies, such as e-business, upon their operations.
3.2.1 Types of models
Business modelling takes many different forms and there are many techniques available. What is important is that fundamental processes should be modelled, and the way that this is done should maximise the generation of value for the institution.
3.2.1.1 Entity models
Entity models specify the relationships between such entities as people, objects, processes, and information within and between organisations. They are used to brainstorm, or when working from a fresh start, to specify and resolve business issues and to define the related corporate information.
3.2.1.2 Stakeholder models
Stakeholder models highlight the different stakeholders who are involved in the various activities of identity management throughout the supply chain. Stakeholder models may be created for particular business sectors, such as e-Government and e-Health, and they may be used as a basis for information flows within and between stakeholders.
3.2.1.3 Process and information flow models
Information flow models show the business processes, how they interact with each other and how information flows between them. They provide a functional overview of the operations and allow personnel to see the functions and processes of a business quite independently of the organizational chart.
3.2.1.4 Compliance models
A generic compliance model (see D4.6: Section 4.2.1.4) has been developed in order to assess the degree to which institutions are fulfilling their obligations and their effectiveness in applying identity management.
3.3 Information management principles domain
The five principles discussed below underpin the modelling and are intended to serve as guidelines for those involved with the design and operation of information systems, irrespective of the technology being deployed.
The principles bring together the high-level internal policy issues and the detailed operational levels of any business or organisation. They are intended to provide a framework within which managers and others can develop detailed operational procedures. Alternatively they may be used as a template to check for the completeness or adequacy of an existing set of procedures and job descriptions.
The five principles take the form of a set of statements of objectives for information management. These are intended to act as guidelines for a set of procedures that any institution should be capable of devising and operating as an extension of their current standard operating procedures, or of their quality management processes.
3.3.1 Five Principles of Information Management
The Five Principles are:
1 Recognise and understand all types of information
2 Understand the legal issues and execute "duty of care" responsibilities
3 Identify and specify business processes and procedures
4 Identify enabling technologies to support business processes and procedures
5 Monitor and audit business processes and procedures
The ordering of the principles also reflects a cascade from the high level classification of information streams to responsibilities, and then on to technology and operational considerations.
3.3.1.1 Information
To ensure that the institution:
Recognises, understands and controls data and information through its classification, structure and the way it is represented.
Chooses appropriate methods to capture, store and transmit data within the institution and across its boundaries to, and from, its business partners.
Evaluates the information that it holds and takes appropriate measures to protect its information resources.
Implements appropriate levels of security for managing its information.
3.3.1.2 Duty of Care
To ensure that the institution:
Informs appropriate staff of pertinent legislation and regulations, which apply to the way information and data are handled within their industry and business activities.
Executes its responsibilities under the duty of care principle.
3.3.1.3 Processes and procedures
To ensure that the institution:
Identifies, documents and describes its processes and procedures.
Monitors and controls changes to standard procedures using the documented descriptions of its operations.
3.3.1.4 Enabling technologies
To ensure that the institution:
Identifies, assesses and applies appropriate technologies to support and enable its business processes and procedures
Establishes procedures to monitor and control potential exposure to risks arising from the misuse or failure of its computer systems
3.3.1.5 Auditing
To ensure that the institution:
Employs appropriate measures to monitor and document its operations and any deviations from its designated standards and methods of operation as established by its industry’s regulatory bodies.
3.4 System Domain
Applying all of the above domains and their components helps to create the specification and requirements of an application system, either manual or electronic, in terms of processes, information and personnel. (See D4.6: Section 4.5)
4 Application of the method
This section outlines how the proposed method and framework may be applied to interoperability within the four areas of interest namely, the FIDIS research project, e-Government, e-Health and e-Commerce.
4.1 FIDIS research project
A requirements model for the FIDIS research project is shown in Figure 2.
Figure 2: FIDIS Project requirements model
Research activities
Establish and maintain the “FIDIS Identity Wiki” to disseminate electronically the research (WP2)
Execute research activities relating to “High-Tech Technologies” to support identity and identification (WP3)
Develop the transversal perspective across the full spectrum of FIDIS work through “Interoperability” (WP4)
Jointly execute the research activities relating to “Profiling” (WP7)
Execute research activities relating to “Mobility & Identity” (WP11)
Execute research activities relating to “Emerging Technologies” (WP12)
Execute research activities relating to “Privacy and Privacy Technologies” (WP13)
Jointly execute research activities relating to “Privacy” (WP14)
Management activities
Manage the research activities through the “Internal Communication Infrastructure” (WP1)
Manage the FCI Steering Committee
Perform the management activity of the “Dissemination of the Research” (WP9)
Perform the activity of the “Network Management” (WP10)
Jointly execute the “PhD Training” in the NoE (WP15)
4.1.2
A stakeholder model for the FIDIS research project is shown in Figure 3 and represents the members of the FIDIS consortium. The information flows between them are performed by the internal communications infrastructure which is managed in WP1.
Figure 3: FIDIS Stakeholders
1. The principles of information management relating to the FIDIS project are shown in Tables 1 and 2
Work Package | ||
Ensure information is complete and accurate
Ensure systems and information are secure
Ensure statutes and regulations are complied with
Ensure all stakeholders & their representatives are bona fide
|
Table 1
| Information | Roles & Responsibilities | Processes & Procedures | Enabling Technologies | Audit & Control |
Ensure information is complete and accurate
Ensure systems and information are secure
Ensure statutes and regulations are complied with
Ensure all stakeholders & their representatives are bona fide
|
Table 2
2. The principles of information management relating to all sectors are shown in Table 3
Personal Identifiers / Credentials used within all sectors
Identity | |||||
Secure and protect: Information, Computer systems
Ensure stakeholders & representatives are bona fide
Protect: Credit card usage, Passwords, PIN numbers
Comply with statutes & regulations
|
Purpose for use
Application
Lifecycle: Input, Storage, Access, Maintenance, Deletion
Authorisation
Confidentiality
Security
Interoperability
|
Paper
Electronic Web
Cards: Credit (n), Store (n), Licence (n), Membership (n), Etc
RFID
|
Ensure all items are bona fide:
Stakeholders & their representatives
Documents and copies
Compliance with statutes & regulations
|
Table 3
4.2 e-Government
It is envisaged that the proposed FIDIS interoperability framework will be suitable for performing the applications discussed in the report “European Interoperability Framework for Pan-European eGovernment Services” which was published by the European Commission. The framework will be applied to D16.1: conceptual framework for Privacy-Friendly Identity Management for e-Government.
A requirements model for e-Government is shown in Figure 4.
Operational / application activities include:
Manage the identity of the citizen to ensure that it is secure and strictly confidential to those who are authorised to see the information.
Request and receive certificates such as birth, marriage, death, residence, and nationality
Apply for, and receive entitled unemployment benefits, family allowances, student grants and medical costs, which require identity items relating to Tax Registration, Status (married/single, dependents, disability registration, etc)
Apply for and deliver electronic identity documents such as passports, visas, medical papers, etc
Submit and execute tax returns which require identity items such as Insurance Number/Citizen Service Number and Tax Details
Request and execute driving licences and car registrations (new/unused/imported), which require identity items such as Vehicle registrations, licences, insurances, roadworthiness
Search and make reservations of library materials from public libraries
Search for vacancies that correspond to qualifications, to obtain information about organisations and to enrol in professional training programmes
Request building permits from their municipality, to file an appeal procedure and to make building permits decisions public
Management activities
The requirements for management activities should specify the management tools, techniques and procedures, which have to be employed to ensure that all the information, roles and responsibilities, processes and technologies are in place to manage identity activities. These should include the management of projects, finance, human and technology resources.
4.2.2
A stakeholder model for e-Government is shown in Figure 5, which might represent a “typical” structure of government. The government policies are determined by parliament and performed by the various departments and agencies. The proposed European Interoperability Framework is to “support the EU’s strategy of providing user-centred eServices by facilitating the interoperability of services and systems between public administrations, as well as between administrations and the public (citizens and enterprises), at a pan-European level”.
Figure 5: Typical stakeholders within Government sector
4.2.3 Information management principles for e-Government are shown below in Table 4
Identity | |||||
Secure and protect: Information, Computer systems
Destroy out of date information
Ensure stakeholders & representatives are bona fide
Protect: Credit card usage, Passwords, PIN numbers
Delete unsolicited emails
Monitor regularly: Information, Computer systems, Vetting of personnel
Comply with statutes & regulations
|
Purpose for use
Application
Lifecycle: Input, Storage, Access, Maintenance, Deletion
Accuracy
Authentication
Authorisation
Confidentiality
Security
Interoperability
Identification
Matching checks
|
Paper
Electronic Web
Cards: Credit (n), Store (n), Licence (n), Membership (n), Etc
Voice
Face to face
Camera (n)
Scanner (n)
RFID
PET
TET
Databases
|
Ensure all items are bona fide:
Person (n)
Stakeholders & their representatives
Documents and copies
Scans match with originals
Computer systems
Compliance with statutes & regulations
|
Table 4
4.3 e-Health
It is envisaged that the proposed FIDIS interoperability framework will be suitable for performing the applications discussed in the report “Connected Health – Quality and safety for European Citizens” which was published by the European Commission.
4.3.1
A requirements model for e-Government is shown in Figure 6.
Figure 6: e-Health requirements model
Operational / application activities include:
Manage the identity of the patient to ensure that it is secure and strictly confidential to those who are authorised to see the information
Provide health care to all citizens
Manage professional medical institutions by verifying qualifications supported by certificates, diplomas, degrees, etc
Provide and manage medical practitioners by verifying qualifications and CVs of practitioners such as doctors, surgeons and nurses
Supply and monitor funds
Keep medical records of doctors, patients, biological data, etc up to date
Management activities
The requirements for management activities should specify the management tools, techniques and procedures, which have to be employed to ensure that all the information, roles and responsibilities, processes and technologies are in place to manage identity activities. These should include the management of projects, finance, human and technology resources.
A stakeholder model for e-Health is shown in Figure 7 which represents a “typical” structure of a national health service. The government policies are determined by parliament and performed by the various departments and agencies. The Connected Health initiative considers the “requirements of e-Health interoperability which aim to provide systems and services that are connected and can work together easily and effectively, while maintaining patient and professional confidentiality, privacy and security”.
Figure 7: Typical stakeholders within health sector
4.1.3 Information management principles domain
The principles of information management relating to e-Health are shown in Table 5
Health Sector – Identifiers / Credentials
Identity | |||||
Secure and protect: Information, Computer systems
Destroy out of date information
Ensure stakeholders & representatives are bona fide
Protect: Credit card usage, Passwords, PIN numbers
Delete unsolicited emails
Monitor regularly: Information, Computer systems, Vetting of personnel
Comply with statutes & regulations
|
Purpose for use
Application
Lifecycle: Input, Storage, Access, Maintenance, Deletion
Accuracy
Authentication
Authorisation
Confidentiality
Security
Interoperability
Identification
Matching checks
|
Paper
Electronic Web
Cards: Credit (n), Store (n), Licence (n), Membership (n), Etc
Voice
Face to face
Camera (n)
Scanner (n)
RFID
PET
TET
Databases
|
Ensure all items are bona fide:
Person (n)
Stakeholders & their representatives
Documents and copies
Scans match with originals
Computer systems
Compliance with statutes & regulations
|
Table 5
4.4 e-Commerce
e-Commerce consists primarily of distributing, buying, selling, marketing and servicing products and services over electronic systems such as the internet and other computer networks. It is vital that the electronic transfer of identities and information, relating to individuals and organisations, is protected at an appropriate level.
An example of a security standard is the PCI Data Security Standard which is a set of comprehensive requirements for enhancing payment account data security. It was developed by the founding payment brands of the PCI Security Standards Council, including Visa, MasterCard, American Express, Discover Financial Services and JCB, to help facilitate the adoption of consistent data security measures on a global basis. The PCI DSS includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organisations proactively protect customer identity and information.
4.4.1
A requirements model for e-Commerce is shown in Figure 8.
Operational / application activities include:
Manage the identity of the customer to ensure that it is secure and strictly confidential to those who are authorised to see the information
Create and execute financial accounts with organisations such as banks, building societies, insurers and retailers
Manage accounts within banks, building society and insurance companies, credit and debit cards
Perform financial and other transactions with organisations and individuals using cheques and Internet payments of bills for services, products and taxes
Apply for, and fulfil employment with organisations utilising application forms, CVs, qualifications, salary/pension details
Carry out personal activities such as leisure and travel using such items as club membership cards and airline tickets
Management activities include:
The requirements for management activities should specify the management tools, techniques and procedures, which have to be employed to ensure that all the information, roles and responsibilities, processes and technologies are in place to manage identity activities. These should cover the management of project, finance, human and technology resources.
A stakeholder model for e-Commerce is shown in Figure 9 which represents a “typical” structure of a commercial sector. All types of information, documents, products and currencies flow, within and between organisations and customers, throughout supply chains within the commercial sector.
Figure 9: Typical stakeholders within commerce sector
4.4.3
The principles of information management relating to e-Commerce are shown in Table 6
Commerce Sector – Identifiers / Credentials
Identity | |||||
Secure and protect: Information, Computer systems
Destroy out of date information
Ensure stakeholders & representatives are bona fide
Protect: Credit card usage, Passwords, PIN numbers
Delete unsolicited emails
Monitor regularly: Information, Computer systems, Vetting of personnel
Comply with statutes & regulations
|
Purpose for use
Application
Lifecycle: Input, Storage, Access, Maintenance, Deletion
Accuracy
Authentication
Authorisation
Confidentiality
Security
Interoperability
Identification
Matching checks
|
Paper
Electronic Web
Cards: Credit (n), Store (n), Licence (n), Membership (n), Etc
Voice
Face to face
Camera (n)
Scanner (n)
RFID
PET
TET
Databases
|
Ensure all items are bona fide:
Person (n)
Stakeholders & their representatives
Documents and copies
Scans match with originals
Computer systems
Compliance with statutes & regulations
|
Table 6
5 Conclusion and future work
This deliverable should only be considered as the start of a continuous process for developing best practice guidelines. It is concerned with the generic application of the best practice guidelines concerning interoperability, which incorporate an effective development method and framework. The guidelines presented in “D4.6: Draft best practice guidelines” have been applied, in broad terms, to four areas of interest relating to identity, namely the FIDIS research project itself and the sectors of e-Government, e-Health and e-Commerce. The identity classification system, which was outlined in “D4.7: Review and classification for a FIDIS identity management model”, has been applied in the report for each of the areas of interest.
It is envisaged that the proposed FIDIS interoperability framework will be suitable for performing the applications discussed in the EC reports:
“European Interoperability Framework for Pan-European eGovernment Services”
“Connected Health – Quality and safety for European Citizens”
5.1 3rd Work Plan
The next deliverable, D4.9: “An application of the management method to an interoperability case study” will apply the method in detail to determine recommendations for best practice, relating to identity management, within the e-health sector.
5.2 4th Work Plan
The generic best practice guidelines, which incorporate an effective development method and framework, will be applied in the following deliverables:
D4.11: Overview of reflections and models underlying the health identity management of different types of welfare states in Europe
D7.14: Report Where Idem meet Ipse
D16.1: Conceptual framework for Privacy-Friendly Identity Management for e-Government
To enable the practical adoption of the management method, we are proposing for development in a further deliverable, a FIDIS portal, rooted in the constructs illustrated in Figure 10, established to assist with the dissemination and exploitation of the FIDIS results. It is envisaged that the final best practice guidelines will be established after the delivery of D4.10 “Specification of a portal for interoperability of identity management systems”.
Figure 10: Structure of Portal for Interoperability