Requirements for Identity Providers

Requirements for non-qualified certificates

To use an external electronic identity provider as a source of Smart-ID user identity information, the following requirements must be met by the Identity Provider.

1. Enrollment

The Identity Provider ensures that the applicant is aware of the terms and conditions related to the use of the electronic identification means.

2. Identity proofing and verification

The person has been verified to be in possession of photo or biometric identification evidence, and that evidence represents the claimed identity. The evidence is checked to determine that it is valid according to an authoritative source, and the applicant is identified as the claimed identity through comparison of one or more physical characteristics of the person with an authoritative source.

3. Electronic identification means characteristics and design

The electronic identification means is technically designed so that it can be assumed to be used only if under the control or possession of the person to whom it belongs.

4. Issuance, delivery and activation

The activation process verifies that the electronic identification means was delivered only into the possession of the person to whom it belongs.

5. Suspension, revocation and reactivation

It is possible to suspend and/or revoke an electronic identification means in a timely and effective manner.

Reactivation shall take place only if the same assurance requirements as established before the suspension or revocation continue to be met.

6. Renewal and replacement

Taking into account the risks of a change in the person identification data, renewal or replacement needs to meet the same assurance requirements as initial identity proofing and verification or is based on a valid electronic identification means of the same, or higher, assurance level.

Where renewal or replacement is based on a valid electronic identification means, the identity data is verified with an authoritative source.

7. Information security management

The information security management system adheres to proven standards or principles for the management and control of information security risks.

8. Record keeping

Recording and maintenance of relevant information is made using an effective record-management system, taking into account applicable legislation and good practice in relation to data protection and data retention.

Records are retained, as far as permitted by national law or other national administrative arrangement, and protected for as long as they are required for the purpose of auditing, investigation of security breaches and retention, after which the records shall be securely destroyed.

9. Facilities and staff

The existence of procedures that ensure that staff and subcontractors are sufficiently trained, qualified and experienced in the skills needed to execute the roles they fulfil.

Facilities used for providing the service are continuously monitored for, and protected against, unauthorised access and other factors that may impact the security of the service.

Facilities used for providing the service ensure that access to areas holding or processing personal, cryptographic or other sensitive information is limited to authorised staff or subcontractors.

10. Technical controls

The existence of proportionate technical controls to manage the risks posed to the security of the services, protecting the confidentiality, integrity and availability of the information processed.

Electronic communication channels used to exchange personal or sensitive information are protected against eavesdropping, manipulation and replay.

All media containing personal, cryptographic or other sensitive information are stored, transported and disposed of in a safe and secure manner.

Sensitive cryptographic material, if used for issuing electronic identification means and authentication, is protected from tampering.

11. Compliance and audit

The existence of periodical independent internal or external audits scoped to include all parts relevant to the supply of the provided services, to ensure compliance with relevant policy.

Requirements for qualified certificates

To use an external electronic identity provider as a source of user identity information, the following requirements must be met by the Identity Provider.

1. Enrollment

The Identity Provider ensures that the applicant is aware of the terms and conditions related to the use of the electronic identification means.

2. Identity proofing and verification

The identity scheme is notified by a member state to be at the assurance level substantial or high.

3. Electronic identification means characteristics and design

The electronic identification means utilises at least two authentication factors from different categories.

The electronic identification means protects against duplication and tampering as well as against attackers with high attack potential.

The electronic identification means is designed so that it can be reliably protected by the person to whom it belongs against use by others.

4. Issuance, delivery and activation

The activation process verifies that the electronic identification means was delivered only into the possession of the person to whom it belongs.

5. Suspension, revocation and reactivation

It is possible to suspend and/or revoke an electronic identification means in a timely and effective manner.

Reactivation shall take place only if the same assurance requirements as established before the suspension or revocation continue to be met.

6. Renewal and replacement

Taking into account the risks of a change in the person identification data, renewal or replacement needs to meet the same assurance requirements as initial identity proofing and verification or is based on a valid electronic identification means of the same, or higher, assurance level.

Where renewal or replacement is based on a valid electronic identification means, the identity data is verified with an authoritative source.

7. Information security management

The information security management system adheres to proven standards or principles for the management and control of information security risks.

8. Record keeping

Recording and maintenance of relevant information is made using an effective record-management system, taking into account applicable legislation and good practice in relation to data protection and data retention.

Records are retained, as far as permitted by national law or other national administrative arrangement, and protected for as long as they are required for the purpose of auditing, investigation of security breaches and retention, after which the records shall be securely destroyed.

9. Facilities and staff

The existence of procedures that ensure that staff and subcontractors are sufficiently trained, qualified and experienced in the skills needed to execute the roles they fulfil.

Facilities used for providing the service are continuously monitored for, and protected against, unauthorised access and other factors that may impact the security of the service.

Facilities used for providing the service ensure that access to areas holding or processing personal, cryptographic or other sensitive information is limited to authorised staff or subcontractors.

10. Technical controls

The existence of proportionate technical controls to manage the risks posed to the security of the services, protecting the confidentiality, integrity and availability of the information processed.

Electronic communication channels used to exchange personal or sensitive information are protected against eavesdropping, manipulation and replay.

All media containing personal, cryptographic or other sensitive information are stored, transported and disposed of in a safe and secure manner.

Sensitive cryptographic material, if used for issuing electronic identification means and authentication, is protected from tampering.

11. Compliance and audit

The existence of periodical independent external audits scoped to include all parts relevant to the supply of the provided services, to ensure compliance with relevant policy.