Canada tackles trust framework

The foundation for security and enterprise management

Last issue I was talking about the U.S. General Services Administration's recent efforts to develop a trust framework for identity in the federal government. Not to be outdone, our neighbors to the North are embarking on a similar effort.

Actually, the Canadian effort is a bit earlier chronologically as the Treasury Board of Canada Secretariat put out their call on July 1. Called "Directive on Identity Management", the directive's objective is "…to ensure effective identity management practices by outlining requirements to support departments in the establishment, use and validation of identity."

Identity management critical for security, government IT shops say

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

Last issue I was talking about the U.S. General Services Administration's recent efforts to develop a trust framework for identity in the federal government. Not to be outdone, our neighbors to the North are embarking on a similar effort.

Actually, the Canadian effort is a bit earlier chronologically as the Treasury Board of Canada Secretariat put out their call on July 1. Called "Directive on Identity Management", the directive's objective is "…to ensure effective identity management practices by outlining requirements to support departments in the establishment, use and validation of identity."

Identity management critical for security, government IT shops say

There's less to do with privacy here (compared with the GSA's project), but Canada does have a privacy commissioner to deal with those issues.

This isn't a long document, but it is important both for its definitions and scope. For example, the definition of identity is concise, easily understood and bears using in a much wider context: "Identity (identité) -- a reference or designation used to distinguish a unique and particular individual, organization or device."

That's another point -- the document actually states the context in which it is to be used and understood. Read section 3 of the document to understand the context. Surprisingly it isn't written in lawyerese but in easily understood English (and I'm sure there's a similar easily understood French version), such as: "Without a coherent, consistent, standardized and interoperable approach for dealing with identity across the federal government and other jurisdictions, successful risk mitigation strategies are increasingly difficult to develop and deploy to manage challenges to national security, respect for privacy, program integrity and the delivery of citizen-centred services."

This is a blueprint for IdM, which governments on all levels should read, adapt to their circumstances and adopt. Enterprises, especially global enterprises and those assembled through frequent mergers, acquisitions and divestations, should pay attention also. It's very hard to argue with the expected outcome of this directive:

The expected results of this directive are:

* 5.2.1 Sound identity management practices that are aligned with an integrated government-wide approach to achieve effective identity management across the GC.

* 5.2.2 Identity management is an identifiable and integral element of departmental programs, activities and services.

* 5.2.3 Effective identity management ensures that departmental service and security requirements are met and that departments are dealing with the right client when delivering services.

* 5.2.4 Departments ensure that their identity management activities allow for interoperability, when appropriate, which enables the exchange of individuals' identity information to meet the overall objectives of the GC and the respective mandates of departments.

Read it, use it. See you next time.

Read more about security in Network World's Security section.

Dave Kearns is a consultant and editor of IdM, the Journal of Identity Management.