Identity Proofing - Risk Management Process, v3.0
Requirements for conducting a risk management process.
Assessment Steps (5)
1
Document Process (DocumentProcess)
Does the CSP document its risk management process and the outcomes of that process?
Artifact
Documentation
Provide risk management documentation/policies/reports indicating conformance to the requirement.
|
2
Process Frequency (ProcessFrequency)
Does the CSP conduct its risk management process at regular intervals?
Artifact
Documentation
Provide risk management documentation/policies/reports indicating conformance to the requirement.
Parameter
Max Time (required)
NUMBER : The maximum time in months between risk management assessments.
|
3
Verify Identity (VerifyIdentity)
Does the CSP's assessment process account for any steps used to verify an identity beyond those explicitly documented?
Artifact
Documentation
Provide risk management documentation/policies/reports indicating conformance to the requirement.
|
4
PII Collected (PIICollected)
Does the CSP's assessment process account for all PII collected?
Artifact
Documentation
Provide risk management documentation/policies/reports indicating conformance to the requirement.
|
5
Retention (Retention)
Does the CSP's risk assessment clearly define a retention schedule for collected PII?
Artifact
Documentation
Provide risk management documentation/policies/reports indicating conformance to the requirement.
|
Conformance Criteria (5)
Document Process
The CSP SHALL document both its risk management process (at least in the context of its identity proofing policy and practices) and the outcomes of applying that process.
Citation
SP800-63A
Section 4.2 P7+
|
Process Frequency
The CSP SHALL conduct its risk management process at least once every six months and whenever there is a material change to its CrP, and SHALL include assessment of privacy and security risks, accounting for:
Citation
SP800-63A
Section 4.2 P7+
|
Verify Identity
The CSP's risk assessment must account for any steps that it will take to verify the identity of the Applicant beyond any mandatory requirements specified herein.
Citation
SP800-63A
Section 4.2 P7+
|
PII Collected
The CSP's risk assessment must account for PII which the CSP shall collect and store (per its CrP), including any biometrics, images, scans, or other copies of the identity evidence that the CSP will maintain as a record of identity proofing; and
Citation
SP800-63A
Section 4.2 P7+
|
Retention
The CSP's risk assessment must account for the CSP's retention schedule requirements for collected PII and associated records, accounting for applicable laws, regulations, contracts, and policies.
Citation
SP800-63A
Section 4.2 P7+
|