Good Practice Guides: Enabling Trusted Transactions

Today we’re publishing a series of Good Practice Guides (GPGs) for potential providers of identity assurance for government services. They can now be found on the Cabinet Office site.

Just For Starters

These are the first of a series of guides which will immediately be relevant to the forthcoming DWP Universal Credit procurement. We recognise that the guides are necessarily quite technical, so we will continue to refine and develop them in line with our design principles and as our understanding and requirements change.

They’ve been developed collaboratively with HMG departments, private sector representatives and the UK national technical authority for information assurance (CESG) to ensure that the business, technical and security demands across the sectors can be met. Moreover, the guides are intended to ensure that the delivery of trusted online user transactions will take place in accordance with the identity and privacy principles, as previously discussed here.

There are currently three guides available:

  • GPG 43: Requirements for Secure Delivery of Online Public Services (RSDOPS);
  • GPG 44: Authentication Credentials in Support of HMG Online Services; and,
  • GPG 45: Validating and Verifying the Identity of an Individual in Support of HMG Online Services.

What’s Inside The Guides

GPG 43 – Requirements for Secure Delivery of Online Public Services (RSDOPS):

This guide sets out an approach to determining the components needed to securely deliver public services online to individuals and businesses.

It introduces a six-step process that provides a systematic approach to informing the risk management of online public services. The process takes into account the expectations of the key stakeholders and the risks to the service, assessed on the basis of the transactions that take place. The output is a security case demonstrating that these aspects have been considered in a transparent way.

This guide is of particular relevance to those responsible for service and system security including procurement, provisioning, accreditation, information governance and security management.

GPG 44 – Authentication Credentials in Support of HMG Online Services:

The purpose of this document is to provide guidance to HMG public service providers and their contractors (e.g. Identity Service Providers) on the use of identity credentials to support citizen authentication to HMG digital services.

Delivery of an online public service may attract significant levels of risk as it will present a very attractive target to fraudsters and other sources of threat. Public sector service providers have to make informed choices with regard to credentials based on an understanding of threats, risks and the impacts associated with their service. The strength of an authentication credential, and hence the level of assurance assigned to it, is determined by many different factors which can be characterised under three main headings explored in the guide.

This document is intended to complement and support the guidance provided in GPG 45, Validating and Verifying the Identity of an Individual in Support of HMG Online Services, described below.

GPG 45 – Validating and Verifying the Identity of an Individual in Support of HMG Online Services:

This document provides guidance to HMG public service providers and their contractors when considering the deployment of Identity Validation and Verification (IDV) services in support of online public services.

It should be read by Senior Information Risk Owners (SIRO), Information Technology Security Officers (ITSO), Accreditors and Information Assurance Practitioners within public sector organisations who intend to provide online access to their public services.

Let Us Know What You Think

Follow the link here on the Cabinet Office site to read the guides. As always, we welcome your feedback via comments here.

8 comments

  1. From a quick perusal of the guides, I would be prepared to have a stab at naming the consultancies you’ve been talking to….

    The guides are OK for circulating to non-technical stakeholders, but the information seems a bit dated and falls short in key areas of current best practice, e.g. dynamically evaluating the risk against policy rules and applying appropriate authentication. I wonder if this may be because you have only engaged so far with stakeholders processing low-value transactions.
