[ Next | Previous | Contents ]

Part 3

Guidance Material

View printable pdf version of this section:

EOI v2.0 Part 3 Sections 5-6 (.pdf) 667k*

EOI v2 Part 3 Sections 5-6.3 (.pdf) 332k*

EOI v2 Part 3 Section 6.4-6.5 (.pdf) 260k*

EOI v2 Part 3 Section 6.6-6.6.3 (.pdf) 382k*

EOI v2 Part 3 Section 6.6.4-6.7 (.pdf) 247k*

* These documents are in Adobe Acrobat (.pdf) format. You need to have the Adobe Acrobat Reader installed on your computer. You can download a free version from the Adobe site.

In this section:

5 Overview

5.1 Navigating the guidance material

5.2 Core concepts for establishing identity

6 Risk Assessment Phase

6.1 General

6.1.1 The rationale for identity-related risk assessments

6.1.2 The importance of understanding identity-related risk

6.2 What is identity-related risk?

6.2.1 What are some types of identity-related risk?

6.2.2 How can a false identity be used to commit identity crime?

6.2.3 Entitlement fraud

6.3 Identity-related risk assessment process

6.3.1 Process overview

6.4 Step 1 — Context and objectives

6.4.1 Establish the context

6.4.2 Define the service’s objectives

6.4.3 Define the service’s risk appetite

6.5 Step 2 – Initial risk assessment

6.6 Step 3 – Formal risk assessment

6.6.1 Identify identity-related risks

6.6.2 Who can be affected by the incorrect attribution of identity?

6.6.3 Analyse and evaluate identity-related risk

6.6.4 Evaluating likelihood

6.6.5 Assessing a service’s overall identity-related risk level

6.6.6 Assigning an Identity Service Risk Category

6.6.7 Translating Identity Service Risk Categories to appropriate EOI process

6.6.8 Services with existing EOI processes

6.6.9 New services

6.7 Checklist for Phase 1 — Risk Assessment


5 Overview

5.1 Navigating the guidance material

Part 3 of the Standard provides detailed guidance to assist agencies to meet the minimum standard requirements outlined in Part 2. Guidance is provided on each of the required process steps to ensure that the EOI processes are appropriately implemented.

The following provides an overview of the guidance material with the relevant section references. The Table of Contents at the start of this Standard provides further detail.

Guidance material Section

Risk Assessment Phase

6

Step 1 — Context and objectives

6.4

Step 2 — Initial risk assessment

6.5

Step 3 — Formal risk assessment

6.6

Design and Operation Phase

7

Step 1 — Determine EOI Confidence Level

7.6

Step 2 — Design and implement EOI processes

7.7—7.21

Step 3 — Ongoing operation of EOI processes

7.22—7.27

Service Delivery Phase

8

Monitoring and Evaluation Phase

9

Step 1 — Develop Monitoring and Evaluation Plan

9.3 — 9.4

Step 2 — Ongoing monitoring and evaluation

9.5

Step 3 — Amend EOI processes

9.6

5.2 Core concepts for establishing identity

Identification is the process of associating identity-related attributes with a particular person. For many services it is necessary for the agency providing the service to uniquely identify the individuals who are seeking to access the service. An appropriate EOI process SHOULD be part of the identity-related risk management process for these services.

It is not feasible to prove with certainty the identity of individuals wanting to access services. This would require an EOI process so cumbersome and intrusive that the costs would greatly outweigh any benefits. This Standard provides a risk-based approach to establishing identity to a level of confidence appropriate to the service being delivered.

The EOI processes outlined in this Standard are based on a three component approach to establishing identity. Applying these three components to an individual case will provide an appropriate level of confidence that a person actually owns the identity they claim to own.

The three components for establishing identity involve:

Agencies SHOULD assess individuals against each of the above components for services that require a Moderate to High level of confidence in the individual’s identity (see 7.6). Each component provides important evidence about distinct aspects of identity. On its own, each component only satisfies part of the evidential process required to provide confidence that an individual is the true ‘owner’ of their claimed identity.

6 Risk Assessment Phase

Figure for Risk Assessement Phase


6.1 General

This section provides guidance for determining the level of identity-related risk within the services that an agency delivers. The results of the identity-related risk assessment will help determine what, if any, EOI process is required for a particular service.

NOTE – For services delivered across the Internet, the level of identity-related risk can also be used to determine the minimum authentication key requirements for ongoing confirmation of identity. See 6.3 of the Guide to Authentication Standards for Online Services.

The material outlined in this section is consistent with the risk assessment process set out in the following Australian/New Zealand Standard and its associated Guidelines:

As such, this section can be read within the context of this overarching risk management standard. For some services, such as those with an international context, other risk management standards (or similar) may be more appropriate.

It is important that identity-related risk assessments are applied to individual services. Agencies often carry out multiple services, which have differing types and levels of identity-related risks inherent in them. Each service carried out by an agency MUST be subject to an individual identity-related risk assessment. Public service departments are required to adhere to AS/NZS 4360:2004. Identity-related risk assessments SHOULD be undertaken as part of the wider risk assessment process that agencies undertake in relation to any given service. Those agencies not required to use AS/NZS 4360:2004 and who apply a different risk assessment model, will need to tailor their identity-related risk assessments accordingly.

NOTE – While the identity-related risk assessment MUST be carried out for each service, an agency may then choose to maintain or implement a single EOI process that covers a range of services, providing these services have similar identity-related risks and risk levels.

6.1.1 The rationale for identity-related risk assessments

It is important that the New Zealand state sector maintains a high level of integrity in its processes and ensures that only people entitled to certain services receive them. The identity-related risk assessment is a critical part of designing EOI processes that are appropriate to the level of identity-related risk for a particular service.

Designing an EOI process that is appropriate to the service’s level of identity-related risk is important because:

NOTE – In some instances an agency’s EOI requirements may be prescribed in legislation (e.g. the issuance of the New Zealand Driver Licence provided for in the Land Transport Act 1998).

6.1.2 The importance of understanding identity-related risk

A clear understanding of the service’s identity-related risk is required to ensure that the appropriate EOI processes are designed and implemented to manage those identity-related risks.

Services that have no inherent identity-related risk or have an acceptable level of identity-related risk associated with them will not normally require EOI processes.

Services that have an unacceptable level of identity-related risk associated with them will require an EOI process. The required EOI processes will vary in their level of comprehensiveness depending on the level of identity-related risk contained in the particular service. In general, the greater the level of inherent identity-related risk for a service, the more comprehensive and stringent the EOI process will need to be.

Sections 6.4 to 6.6 provide guidance for agencies on how to determine the level of identity-related risk that exists within each of their services.

Section 7 provides guidance for agencies on how to manage identity-related risk within a service through the selection of an appropriate EOI process.

6.2 What is identity-related risk?

Identity-related risk is the risk that corresponds to the incorrect attribution of an individual’s identity. Identity-related risk is a component of the overall risk associated with any service.

6.2.1 What are some types of identity-related risk?

Types of risk consequences that can arise from the incorrect attribution of identity include:

These types of risks can have significant impacts on numerous parties, including government agencies, the individuals whose identities have been stolen, other organisations (both government and non-government) and the public. These impacts may be extremely negative for those affected.

6.2.2 How can a false identity be used to commit identity crime?

Identifying identity-related risks requires an understanding of how a person can obtain a false identity to subsequently commit identity crime. Identity crime encompasses any illegal use of identity including to gain money, goods, services, information or other benefits or to avoid obligations through the use of a false identity.

False identities can be established in the following ways:

NOTE –

  1. Identity theft is used to describe the theft or assumption of a pre-existing identity (or significant part thereof) with or without consent. Identity theft can occur in relation to both living and dead individuals.

  2. Identity manipulation involves the alteration of one or more elements of identity (e.g. name, date of birth) to dishonestly obtain dual or more access to services or benefits or to avoid establishing obligations.

  3. False identities can be created for legitimate reasons (e.g. in order to protect an individual from physical harm).

6.2.3 Entitlement fraud

Fraud that is not identity-related also occurs but is outside the scope of this Standard. A person may fraudulently gain money, goods, services, other benefits or the avoidance of obligations through the use of their real identity. For example, false declarations of income or personal situation may be made to gain additional welfare benefits that a person is not entitled to. This Standard is not designed to help reduce entitlement fraud risks. Agencies will need to have other strategies in place to deal with this type of fraud.

6.3 Identity-related risk assessment process

6.3.1 Process overview

Figure 2 provides an overview of the risk assessment process steps (see Steps 1 to 3) that agencies MUST follow in order to determine the level of identity-related risk associated with their particular services.


Figure 2 – Overview of risk assessment process

Figure 2 Overview



NOTE –

  1. The process steps are broadly based on those outlined in AS/NZS 4360:2004. Refer to that Standard for more detailed information.

  2. Risk assessments will still be required for other reasons (e.g. potential financial implications, potential reputation damage, etc), even if there is no identity-related risk.

See 6.4 to 6.6 for guidance and illustrative examples on how to carry out a risk assessment that focuses specifically on identity-related risk.

6.4 Step 1 — Context and objectives

6.4.1 Establish the context

For each service, the agency MUST establish the context in which that service is undertaken. Understanding the context is important for determining the service’s exposure to identity-related risk, and the subsequent design of an appropriate EOI process. Agencies may need to balance EOI process design with conflicting objectives.

The context consists of a number of influencing factors. These include:

The following scenarios illustrate aspects of the context, and how context can impact on identity-related risk, for two services.

Scenario 1 — Grant of New Zealand citizenship

Context – New Zealand citizenship entitles the recipient to many benefits. The criteria for the grant of citizenship are prescribed by legislation.

Scenario 2 — Enrolment at university

Context – Enrolment at university entitles the individual to attend university in courses/programmes for which they qualify. Acceptance of an enrolment potentially entitles the individual to financial support and other benefits such as discounted services. Universities are large organisations that are partly funded by government and that have a strong interest in maintaining reputation and excellence.

NOTE –

  1. Agencies are likely to have already identified the characteristics and nature of their context as part of their existing risk management practice and strategic planning.

  2. SAA/SNZ HB 436:2004 provides a good overview of the aspects that establish the context of a particular service – in particular aspects relating to external2 and internal3 environments.

6.4.2 Define the service’s objectives

For each service, the agency MUST determine the particular objectives to be achieved through that service. This will provide information on the context and will also provides an important reference point for assessing identity-related risk.

The following are generic examples of different types of objectives that a service might have:

The following scenarios illustrate the objectives for two particular services and how these objectives can impact on identity-related risk.

Scenario 1 – Grant of New Zealand citizenship

Objectives for this service include:

  • that citizenship is granted to only eligible applicants
  • that the citizenship process is accessible, fair and user-friendly
  • that all processes comply with the Privacy Act 1993
  • that the international reputation of New Zealand citizenship is maintained.

Scenario 2 – Enrolment at university

Objectives for this service include:

  • to confirm eligibility for enrolment
  • to confirm numbers of students for a range of administrative purposes (e.g. for funding allocation)
  • to gather information about what students want, to obtain relevant personal information about the applicants to assist with other objectives (e.g. targeting information about courses on offer, etc).

NOTE – Agencies are likely to already have a clear understanding of the objectives for a service as part of their existing risk management practice and strategic planning.

6.4.3 Define the service’s risk appetite

For each service, the agency MUST determine the amount of untreated risk the agency is willing to accept. The risk appetite will depend largely on the service’s context and objectives. An agency SHOULD make the risk appetite assessment according to whatever scale it deems most appropriate to the service being considered.

The risk appetite will be used in the Design and Operation Phase, to help agencies design the most appropriate identity-related business processes for their service.

The following scenarios illustrate the risk appetite for two particular services.

Scenario 1 – Grant of New Zealand citizenship

Risk appetite – Given the potential benefits and privileges associated with the gaining of New Zealand citizenship, a key aim regarding service delivery is to minimise the potential for untreated identity-related risk, within the scope of legislative requirements.

Scenario 2 – Enrolment at university

Risk appetite – Universities have a strong interest in retaining a reputation for excellence. There is a need to balance student facilitation against the inherent level of identity-related risk contained within this service. A proportionate response in this context means that universities accept a limited amount of identity-related risk.

6.5 Step 2 – Initial risk assessment

For each service, the agency MUST carry out an initial assessment to determine whether any specific identity-related risk exists. The initial assessment is intended to determine whether a formal identity-related risk assessment is required for a particular service. In practice, there are numerous services carried out by government agencies where it will be clear that they contain either Nil or Negligible identity-related risk.

If the agency is already certain that the service does contain identity-related risk, no initial risk assessment is required. The agency can progress directly to Step 3 (see 6.6).

Figure 3 – Initial assessment of identity-related risk

Figure 3 Initial assessment of identity-related risk


The factors set out in Table 3 will assist agencies to identify whether a service has an identity-related risk associated with it.

Table 3 – Initial risk assessment

Financial benefit

Could the individual customer receive a financial payment as a result of the service (e.g. payment of a benefit or grant)?

Non-financial benefit

Could the individual customer receive other specific non financial benefits as a result of the service (e.g. training)?

Personal information

Could subsequent information about the individual customer be collected and stored by the agency?

Could the service result in the unauthorised release of personal or sensitive information?

Subsequent use for EOI

Could the service result in the issue of a document or data source that the customer could subsequently use as a form of EOI?


If none of the above applies to the service then it is likely that no EOI process will be required. Therefore, no further application of the EOI Standard is required for the service.

As a guide, services that are unlikely to contain identity-related risk and would not normally require an EOI process include services where:

If a service meets one or more of the criteria in Table 3, the agency MUST carry out a formal identity-related risk assessment as outlined in Step 3 (see 6.6).

If it is not entirely clear whether a particular service requires a formal identity-related risk assessment, the agency MUST carry out a formal identity-related risk assessment as outlined in Step 3 (see 6.6).

The following scenarios illustrate an initial risk assessment undertaken for two particular services.

Scenario 1 – Grant of New Zealand citizenship

Financial benefit?

No.

There is no direct financial benefit resulting from the service.

Non-financial benefit?

Yes.

The individual will become a New Zealand citizen and obtain all the rights associated with citizenship.

Personal information?

Yes.

Personal information is collected as an integral part of this service.

Subsequent use for EOI?

Yes.

Citizenship certificate/record is used to establish identity for other services.

Given the above results, proceed to Step 3 and undertake a formal assessment of identity-related risk.
Scenario 2 – Enrolment at university

Financial benefit?

No.

There is no direct financial benefit resulting from the service.

Non-financial benefit?

Yes.

The individual will be able to access a range of education services if enrolment is accepted.

Personal information?

Yes.

Personal information is collected as an integral part of this service.

Subsequent use for EOI?

Yes.

Proof of enrolment is used as a basis of making a claim to other related services (e.g. applying for a student benefit or loan).

Given the above results, proceed to Step 3 and undertake a formal assessment of identity-related risk.


6.6 Step 3 – Formal risk assessment

For each service, the agency MUST undertake a formal assessment to determine the level of identity-related risk associated with that service. The results of this assessment will be used to determine:

Figure 4 provides an overview of the process steps an agency needs to follow to carry out a formal identity-related risk assessment for any given agency service.

Figure 4 – Formal assessment of identity-related risk

Figure 4 Formal assessment of identity-related risk



6.6.1 Identify identity-related risks

During this step, the agency MUST identify the identity-related risks for a particular service. For each service, an agency needs to identify:

6.6.2 Who can be affected by the incorrect attribution of identity?

The most obvious identity-related risk associated with any service is the risk that a person who is not entitled to that service receives the benefits of that service. If this occurs through the incorrect attribution of identity it can impact upon a number of different parties. As part of the identity-related risk assessment, it is important to identify who is affected and to what extent, by any incorrect attribution of identity. Affected parties may include:

6.6.3 Analyse and evaluate identity-related risk

Overall risk levels are calculated as a combination of the impact levels and likelihoods of the consequences. This section outlines the process agencies SHOULD follow to determine the identity-related risk consequences (and their level of impact) for a given service.

Many potential risk consequences can arise from the incorrect attribution of identity. These will impact on the parties identified in 6.6.2 in a number of different ways and with differing levels of impact or severity.

Table 4 outlines the generic risk consequences4 and impacts that agencies SHOULD consider as part of an analysis of identity-related risk. For each risk consequence identified, three impact levels – Low, Moderate and High impact – are described.

Table 4 is not intended as a complete list of possible consequences and agencies MUST continue to be alert to other consequences that could arise. Each risk consequence can potentially impact on numerous parties (e.g. both agencies and individuals).

Agencies SHOULD consider any specific vulnerabilities which may affect the impact of a consequence, or the likelihood of a consequence occurring. For example, if an agency has multiple contact points with an individual before an identity document or credential is issued there are many points at which incorrect attribution of identity may occur. Depending on the agency context, this may affect one or more of the consequence areas in terms of impact or likelihood.

Table 4 – Identity-related risk: consequences and impacts

Risk consequence Description Description of impact levels

Inconvenience, distress, or damage to standing or reputation

The result of incorrect attribution of identity can inconvenience, distress, or damage the standing or reputation of any party in a number of ways. For example, a stolen identity will have a significant impact on an individual’s ability to participate effectively in the community and to receive the services they are entitled to. Widespread misuse and abuse of identity could also potentially impact negatively on the international reputation of New Zealand, leading to a reduction of investment in New Zealand businesses and migration.

Low – at worst, limited short-term inconvenience, distress or embarrassment to any party.

Moderate – at worst, serious short-term or limited long-term inconvenience, distress or damage to the standing or reputation of any party (e.g. an individual’s credit rating is unduly affected).

High – severe or serious long-term inconvenience, distress or damage to the standing or reputation of any party (ordinarily reserved for situations with particularly severe effects or which affect many individuals, for example loss of personal liberty due to error).

Financial loss or liability

Financial loss or liability as a result of incorrect attribution of identity can cause significant problems for any affected party. For example, a benefit payment to any person who uses a stolen or fictitious identity and who is not entitled to receive that benefit creates a direct financial loss to the Crown.

Low – at worst, non-material or inconsequential unrecoverable financial loss to any party, or non-material or inconsequential agency liability.

Moderate – at worst, serious unrecoverable financial loss to any party, or a serious agency liability.

High – severe or catastrophic unrecoverable financial loss to any party, or severe or catastrophic agency liability.

Harm to agency programmes or the public interest

Incorrect attribution of identity has the potential to disrupt the effectiveness of agency programmes. This may result in a negative public or political perception that some people are not receiving the services from these agencies that they are entitled to or that people who are not entitled are receiving agency services.

Low – at worst, a limited adverse effect on organisational operations or assets, or public interests. Examples of limited adverse effects include:

function degradation to the extent and duration that the agency is able to perform its primary functions with noticeably reduced effectiveness

minor damage to agency assets or public interests.

Moderate – at worst, a serious adverse effect on agency operations or assets, or public interests. Examples of serious adverse effects include:

significant function degradation to the extent and duration that the agency is able to perform its primary functions with significantly reduced effectiveness

significant damage to agency assets or public interests.

High – a severe or catastrophic adverse effect on agency operations or assets, or public interests. Examples of severe or catastrophic effects include:

severe function degradation or loss to the extent and duration that the agency is unable to perform one or more of its primary functions

major damage to agency assets or public interests.

Unauthorised release of sensitive information

Unauthorised release of sensitive information can result in loss of confidence in an agency and directly result in or contribute to negative outcomes for the affected individual (e.g. personal safety, financial loss, job loss). Personal information needs to be protected and appropriately and closely managed.

Low – at worst, a limited release of in-confidence information to unauthorised parties, resulting in loss of confidentiality with a low impact.

Moderate – at worst, a release of in-confidence or sensitive information to unauthorised parties, resulting in loss of confidentiality with a moderate impact.

High – at worst, a release of in-confidence, sensitive information or information with a National Security classification to unauthorised parties, resulting in loss of confidentiality with a high impact.

Personal safety

Incorrect attribution of an identity for an individual can compromise personal safety. For example, an individual incorrectly provided with a driver licence on the basis of another person’s details and who would not qualify on the basis of a driving test can put themselves and/or the public at risk.

Low – at worst, minor injury not requiring medical treatment.

Moderate – at worst, moderate risk of minor injury or limited risk of injury requiring medical treatment.

High – at worst, risk of serious injury or death.

Downstream effects external to the agency

Incorrect attribution of identity can impact on agencies other than the agency delivering the service. For example, a passport that is issued to a fictitious identity could be used as the basis for fraudulent activities that directly impact on other government or non-government organisations. Alternatively, severe downstream consequences may occur if the holder of that passport uses it to engage in a destructive act made possible by using that passport to gain access to another country.

Low – at worst, limited short-term effect.

Moderate – at worst, serious short-term or limited long-term effect.

High – at worst, severe or serious long-term effect.

It is important to recognise that these consequence categories are often interrelated. In addition, within each of the consequence categories there are likely to be a number of different specific consequences that are affected by factors such as the different customer groups that the agency deals with for the service. Processes based on risk profiling may need to be included as part of the EOI process that is developed (see 7.19).

The following scenarios show some of the potential risk consequences for two services and the level of impact for each consequence.

Scenario 1 - Grant of New Zealand citizenship
Risk consequence Description of consequence Impact level

Inconvenience, distress, or damage to standing or reputation

If a person who has assumed another person’s identity is granted citizenship and uses the assumed identity to commit offences, the legitimate person will suffer inconvenience and distress in having to rectify the situation.

High

Financial loss or liability

Not applicable for this service. However, downstream consequences may result in financial loss for other agencies (e.g. where New Zealand citizenship is part of the eligibility criteria for another service).

n/a

Harm to agency programmes or public interest

If citizenship processes are perceived to be inadequate this could lead to a loss of public confidence in the granting of citizenship process.

High

Unauthorised release of sensitive information

Citizenship Officer provides information to an unauthorised agent who uses that information to track down an individual for negative purposes.

Moderate

Personal safety

Citizenship is granted to a person who is using a false identity. This citizenship is then used to obtain a passport that could be used to travel internationally to commit a criminal offence or terrorist act.

High

Downstream effects external to the agency

A person is granted citizenship on the basis of a false identity and then receives services from various agencies using their citizenship certificate as evidence of their identity.

High





Scenario 2 – Enrolment at university
Risk consequence Description of consequence Impact level

Risk consequence

Description of consequence

Impact level

Inconvenience, distress, or damage to standing or reputation

If individuals are able to enrol under false identities on a regular basis this could lead to reputation damage for universities.

Moderate

Financial loss or liability

If enrolments are made on the basis of false identities, this could lead to incorrect funding by the Crown for invalid enrolments.

Low-Moderate

Harm to agency programmes or public interest

If enrolment processes are perceived to be inadequate this could erode public confidence in the quality of the university’s programmes.

Moderate

Unauthorised release of sensitive information

If academic information is released to people claiming to be the ‘owner’ of that information, this could lead to individuals claiming to be the holder of certain qualifications and gaining employment on the basis of those qualifications (e.g. medical practitioners).

Low

Personal safety

No identifiable risks.

Low

Downstream effects external to the agency

Successful enrolments are used as the basis for a number of subsequent government services, such as accessing student allowances and loans.

Moderate

After analysing the impact levels for each risk consequence category, the agency SHOULD then determine the overall impact level of the identity-related risk consequences. When doing this evaluation the agency SHOULD determine if any risks are more significant than others for the particular service. Generally, the highest impact level for any of the risk consequence categories will indicate what the overall impact level for the service should be.

Scenario 1 – Grant of New Zealand citizenship

Avoiding loss of reputation will be particularly important. The maintenance of a good international reputation for New Zealand citizenship impacts positively on New Zealanders’ ability to travel freely internationally. As such, this consequence category will need to be given considerable weighting within the overall risk evaluation.

The results shown in the previous citizenship scenario suggest that, overall, the identity-related risk consequences for this service are high.

Scenario 2 – Enrolment at university

Maintaining integrity in the New Zealand university system is important. One objective concerning this integrity is to ensure that only individuals who have met prerequisites for entry are enrolled. This will ensure that the correct individuals are matched with their evidence of achievement of those standards. In addition, it is important that the identity of individuals is correctly attributed, as being a student confers a wide range of non-financial (i.e. access to education services) and financial benefits.

The results shown in the previous education scenario suggest that, overall, the identity-related risk consequences for this service are moderate.

6.6.4 Evaluating likelihood

Overall risk levels are calculated from a combination of the impact levels and likelihoods of the consequences. Once the risk consequences for a particular service have been identified and impact levels evaluated (see 6.6.3), the agency SHOULD then assess the likelihood of these consequences occurring.

The extent to which an agency will be able to accurately establish the likelihoods associated with unwanted consequences will vary. However, the following methods may help:

An agency SHOULD make likelihood assessments according to whatever scale it deems most appropriate to the services being considered. Overall levels for impact, likelihood and risk SHOULD be calculated using the agency’s chosen risk methodology. Wherever possible scales SHOULD be consistent so that different identity-related risks can be compared and EOI processes tailored accordingly. Examples of such scales are included in section 6 of SAA/SNZ HB 436:2004.

If an agency’s identity-related risk assessments contain significant uncertainty, the agency SHOULD carry out a sensitivity analysis to test the effect of this uncertainty. See section 6 (pp. 46-61) of SAA/SNZ HB 436:2004 for more information on sensitivity analysis.

6.6.5 Assessing a service’s overall identity-related risk level

The following scenarios provide an assessment of the overall identity-related risk associated with the granting of citizenship and enrolment at university. A three-point scale of Unlikely, Possible and Likely is used in the following scenarios.

Scenario 1 – Grant of New Zealand citizenship
Consequence category Impact Level Likelihood Risk

Inconvenience, distress, or damage to standing or reputation

High

Possible

High

Financial loss or liability

n/a

n/a

n/a

Harm to agency programmes or public interest

High

Possible

High

Unauthorised release of sensitive information

Moderate

Unlikely

Low-Moderate

Personal safety

High

Unlikely

Moderate

Downstream effects external to the agency

High

Possible

High

Overall Levels

High

Possible

High

Scenario 2 – Enrolment at university
Consequence category Impact Level Likelihood Risk

Inconvenience, distress, or damage to standing or reputation

Moderate

Unlikely

Low-Moderate

Financial loss or liability

Low-Moderate

Unlikely

Low-Moderate

Harm to agency programmes or public interest

Moderate

Unlikely

Low-Moderate

Unauthorised release of sensitive information

Low

Unlikely

Low

Personal safety

Low

Unlikely

Low

Downstream effects external to the agency

Moderate

Unlikely

Low-Moderate

Overall Levels

Moderate

Unlikely

Low-Moderate


6.6.6 Assigning an Identity Service Risk Category

Once the service’s identity-related risk level has been determined, the agency MUST allocate the service to an Identity Service Risk Category. This will enable the agency to determine what level of stringency of EOI process is required for the particular service.

Table 5 outlines four Identity Service Risk Categories. These risk categories will be used later to determine the appropriate level of confidence in a customer’s identity required by a particular service. The agency SHOULD use the overall level of risk associated with the service to assign the appropriate Identity Service Risk Category inTable 5.

NOTE – For services delivered across the Internet, these Identity Service Risk Categories can also be used to determine the minimum authentication key requirements for ongoing confirmation of identity. See section 6.3 of the Guide to Authentication Standards for Online Services.

Table 5 – Identity Service Risk Categories

Identity Service Risk Categories Description

Nil or Negligible risk

Nil identity-related risk in the service – this is sometimes referred to as an ‘anonymous’ service

or

Negligible identity-related risk in the service – this is sometimes referred to as a ‘pseudonymous’ service.

Low risk

Low level of identity-related risk in the service.

Moderate risk

Moderate level of identity-related risk in the service.

High risk

High level of identity-related risk in the service.

6.6.7 Translating Identity Service Risk Categories to appropriate EOI process

The service risk levels that were determined in 6.6.5 correspond with the levels of confidence required by the agency in the individual’s identity.

Determining the level of confidence required in an individual’s identity is based on the premise that a higher level of identity-related risk consequence in a service will require a correspondingly higher degree of confidence in the validity of the claimed identity. If an Identity Service Risk Category is established as being Low-Moderate, a Moderate EOI Confidence Level is required. Correspondingly, a Moderate-High Identity Service Risk Category implies a High EOI Confidence Level is required. The following scenarios illustrate the overall assessment of Identity Service Risk Category for two services.

Scenario 1 – Grant of New Zealand citizenship

The Identity Service Risk Category was assessed to be High. This indicates that a high level of confidence in the asserted identity’s validity is required and that a High EOI Confidence Level process should be applied.

Scenario 2 – Enrolment at university

The Identity Service Risk Category was assessed to be Low-Moderate. This indicates that a moderate level of confidence in the asserted identity’s validity is required and that a Moderate EOI Confidence Level process should be applied.


NOTE – Applying the appropriate EOI Confidence Level to a service is an important aspect of the management of identity-related risk. However, this is not the only means of managing identity-related risks, and agencies SHOULD also determine any other mitigation strategies required to manage the service’s identity-related risk (see 7).


Table 6 outlines the translation between the Identity Service Risk Category and the EOI Confidence Level required. Full descriptions of EOI Confidence Levels are outlined in 7.6 and the processes for each are outlined in 7.7.

Table 6 – Matching Identity Service Risk Categories to EOI Confidence Levels

Low identity risk service

Low EOI Confidence Level required

Moderate identity risk service

Moderate EOI Confidence Level required

High identity risk service

High EOI Confidence Level required


NOTE – Services described as having Nil or Negligible risk in Table 5 do not require an EOI process and, therefore, do not appear in Table 6.

6.6.8 Services with existing EOI processes

Once an assessment of identity-related risk associated with a particular service is completed, the agency SHOULD benchmark any existing EOI processes against those described in 7 of this Standard to determine what, if any, change is required to bring the current EOI process into alignment with this Standard.

6.6.9 New services

If an agency is implementing a new service, the agency SHOULD design EOI processes based on the assessment of identity-related risk for that service, as described in 6.5 and 6.6, and the relationship between such risks and levels of confidence shown in Table 6.

The types of EOI processes required to meet each of the EOI Confidence Levels are outlined in 7.7.

6.7 Checklist for Phase 1 — Risk Assessment


Checklist for . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . (service name)
Step
Date when completed

1

Context and objectives for service defined and documented and define the service’s risk appetite


2

Initial identity-related risk assessment for service documented


3

Formal risk assessment for services with identity-related risk:



  • risk consequence categories evaluated



  • evaluate likelihood



  • overall risk level assessed and Identity Service Risk Category determined



  • translate Identity Service Risk Categories to appropriate EOI processes


4

Monitor, evaluate and review on . . . . . . . . . . . . . . . . . . . . . . .


5

Revisit identity-related risk assessment on . . . . . . . . . . . . . . .




2 Includes factors listed in 3.3.4.1 and the organisation’s strengths and weaknesses, opportunities and threats. See section 4 (pp. 27-36) of SAA/SNZ HB 436:2004.

3 Includes factors listed in 3.3.4.1 and culture; structure and capital; and goals and objectives and the strategies that are in place to achieve them. See section 4 (pp. 27-36) of SAA/SNZ HB 436:2004.

4 Based on Memorandum to the Heads of All Departments and Agencies from Joshua B. Bolten of the Executive Office of Management and Budget, Washington D.C. 20503 issued on 16 December 2003. (www.whitehouse.gov/omb/memoranda/fy04/m04-04.pdf).

[ Next | Previous | Contents ]