Common use of Information Security and Assurance Requirements Clause in Contracts

Information Security and Assurance Requirements.

2.15.1 The DWP requires all IDPs to provide structured and formal assurance of the scope and effectiveness of their IDP and related Trust services, and of the security control measures implemented to protect those services, including all personal data held.

2.15.2 In recognition that IDP services are still a maturing industry, the DWP is providing an assurance framework against which IDP security capabilities and assurance assessment regimes may be characterised and asserted to DWP by IDPs, and valued by degrees in the IDP services payment model.

2.15.3 The DWP IDP Security and Assurance Framework (illustrated in the diagram) is built upon a broad foundation of international standard security and assurance. The model adds increasingly specific assurance profiles across a narrower scope at each tier, covering in turn industry, HMG and DWP profiles, guidelines and requirements.

2.15.4 The DWP solution represents the first implementation of the Government Digital Service (GDS) Identity Assurance Architecture. Cabinet Office GDS is leading development of the supporting management, standards and accreditation processes required for the operation of pan-government Identity Assurance services. Under current proposals, IDPs wishing to provide identity services to OGDs will need to obtain certification under a recognised certification regime.

2.15.5 For the foundation security and assurance tier, all IDPs must hold and maintain a current independent certification to ISO 27001 for their corporate information security management system (ISMS). The IDPs must include all aspects of their IDP and related trust services within the scope of all applicable controls in their ISMS. The IDP's ISMS must be independently audited once in any 12 month period, and achieve the conditions required for award of a new ISO 27001 certificate. IDPs must provide a copy of all current ISO 27001 certificates that cover the scope of their IDP and related trust services.

2.15.6 All IDPs are required to provide in their response a summary of their intended ISO 27001 Security Plan. This should provide DWP with some assurance that the scope of their key implemented ISO 27001 security controls will protect their IDP and related trust services, including all personal customer data. The summary Security Plan must illustrate the IDP's approach to key measures from all the major ISO 27001 control groups, including:
- Personnel Security
- Secure Information Handling and Transfers
- Physical Premises Security
- Security Incident Handling

2.15.7 For the industry identity security and assurance tier, it is recognised that IDP assessment services are still a developing market. In due course HMG will accredit IDP certification and assessment services under the CESG Assured Service (CAS) scheme; however, this scheme is not yet available. In the meantime DWP will recognise and accept appropriate independent industry IDP assessment and certification schemes that themselves have an active collaborative engagement with the GDS ▇▇▇ Programme.

2.15.8 Examples of such schemes are currently tScheme, Kantara and the Open Identity Exchange (OIX). Although not specific to the HMG ▇▇▇ service model, these schemes provide a selection of generic IDP and related trust services good practice profiles; these are also useful as a basis for assessment. Some schemes already support accredited audit and certification services for IDPs.

2.15.9 The HMG Guidelines security and assurance tier represents the set of good practice guidelines relating to the HMG Requirements for Secure Delivery of Online Public Services (RSDOPS, GPG 43), including those specifically for the delivery of IDP services to HMG aligned to the GDS Identity Assurance Programme (IDAP): GPG 44 for assessing credential strength and GPG 45 for validation and verification of identity.

2.15.10 The DWP Standards security and assurance tier details the specific DWP requirements for the implementation of HMG Guidelines and service assurance in the provision of DWP IDP services. IDPs must implement their services in full compliance with the provisions of the DWP Identity Assurance Standards document in the ITT pack. IDPs must include audit of compliance with the provisions of the DWP ▇▇▇ standards and this service specification in their service assurance assessment scope (and for certification, as applicable).

2.15.11 DWP requires an IDP target service Level of Assurance (LoA) 2 in RSDOPS (GPG 43) terms. HMG is keen to ensure IDPs obtain independent assessment of their capabilities; however, in recognition of the ground-breaking nature of the ▇▇▇ model, IDPs who currently self-assess their identity management capabilities will be allowed on to the ▇▇▇ Framework, but will do so at the lowest assurance level.

2.15.12 DWP may in the future require some specific IDP services to RSDOPS (GPG 43) LoA 3 under this framework. In those specific cases, an additional payment band would be introduced, subject to commercial agreement.

2.15.13 IDPs that are not currently certified, or applying for certification, with an IDP assessment scheme are required to provide a view on whether they are willing to obtain certification under a recognised IDP assessment and certification regime, with their timescale for achieving this at RSDOPS (GPG 43) LoA 2.

2.15.14 Although independent IDP service assessment or certification is not mandatory for the purposes of this ▇▇▇ framework, DWP is incentivising increasing levels of service assurance in the IDP service payment model, in step also with increasing levels of assurance of identity verification and credential strength deployed in their IDP services.

2.15.15 IDP service assurance will be scored for the IDP service payment model against the two categories detailed in the DWP Identity Assurance Standards document, included in the ITT pack. These categories are:
- IDP service Capability: a measure of the implemented capability of an IDP to provide assurances of identity verification and credential strength to a given LoA; and
- IDP service Assessment: the level of IDP service assurance assessment implemented, from self-assessment (lowest assurance) through independent assessment and independent certification to HMG accredited assessment; these are broadly in keeping with the RSDOPS (GPG 43) LoA guidance.

2.15.16 IDPs must state their claim of scores against both categories of IDP service assurance for their business, and must provide evidence demonstrating compliance with their claimed profile. This process must be repeated and updated at least once every 12 months. HMG will require a right of audit of the claimed IDP capabilities and security controls.

2.15.17 IDPs will support the relevant interface components [see Annex A, IDP001-003]. The operation of the connection between the IDP and DWP is subject to the continuous maintenance of the security of the connection. The IDP must provide details of how they monitor and react to security threats, and agree to a joint security incident management process.

2.15.18 For evaluation purposes, Key Criteria 12 refers (see Annex B).

Appears in 8 contracts

Sources: Framework Agreement