This Standard is part of the New Zealand E-government Interoperability Framework (NZ e-GIF) authentication standards. These standards outline good practice guidance for the design (or re-design) of the authentication component of online services that require confidence in the identity of the transacting parties. These standards give effect to the planning advice from the State Services Commission’s 2004 Authentication for e-government: Best Practice Framework for Authentication.
This Standard is intended primarily for use by New Zealand government agencies. It sets out the process requirements for establishing and confirming the identity of individuals seeking government services. It should be used for all services that contain identity-related risk, regardless of the delivery channel (i.e. it applies to both online and offline service delivery).
Applying this Standard will help to ensure that agencies implement Evidence of Identity (EOI) processes that are appropriate to the services they deliver and that adhere to current accepted good practice.
EOI refers to the types of evidence that, when combined, provide confidence that individuals are who they say they are. All government services containing identity-related risk will require an EOI process. The comprehensiveness of each service’s EOI process will depend on the level of identity-related risk in that particular service. This Standard provides guidance on how to design and operate EOI processes appropriately.
Applying this Standard will assist with the management of identity crime and the consequences that arise from it. However, application of this Standard does not guarantee complete mitigation of these risks, nor will it prevent cases of administrative error in relation to the establishment and confirmation of an individual’s identity. Agencies should, therefore, apply this Standard alongside other good practice initiatives that help reduce identity crime and prevent administrative error.
This Standard supersedes the Evidence of Identity Framework published in October 2004 (www.dia.govt.nz) and the Evidence of Identity Standard (Version 1.0) published in June 2006.
1.3 Standardising EOI business processes
1.6 Authoritative identity sources
1.10 Accessing advice about this Standard
4 Minimum Process Step Requirements
4.1.1 Step 1 – Establish the context, objectives and risk appetite for the agency’s services
4.2 Design and Operation Phase
4.2.1 Step 1 – Determine required EOI Confidence Level
4.3 Monitoring and Evaluation Phase
4.3.1 Step 1 – Develop Monitoring and Evaluation Plan
6.2 What is identity-related risk?
6.2.1 What are some types of identity-related risk?
6.2.2 How can a false identity be used to commit identity crime?
6.3 Identity-related risk assessment process
6.4 Step 1 – Context and objectives
6.5 Step 2 – Initial risk assessment
6.6 Step 3 – Formal risk assessment
6.6.1 Identify identity-related risks
6.6.2 Who can be affected by the incorrect attribution of identity?
6.6.3 Analyse and evaluate identity-related risk
6.6.5 Assessing a service’s overall identity-related risk level
6.6.6 Assigning an Identity Service Risk Category
6.6.7 Translating Identity Service Risk Categories to appropriate EOI process
7.2 No ‘one-size-fits-all’ EOI process
7.3 Factors to balance when designing EOI processes
7.4 Minimum process steps required
7.5 Establishing an individual’s identity
7.6 Step 1 – Determine EOI Confidence Level
7.7.1 EOI requirements associated with each EOI Confidence Level
7.7.3 Single document serving multiple Table 8 objectives
7.7.4 Objective A – The identity exists
7.7.5 Objective B – Identity is a ‘living’ identity
7.7.6 Objective C – Presenter ‘links’ to identity
7.7.7 Objective D – Presenter is sole claimant of identity
7.7.8 Objective E – Individual uses the identity in the community
7.9.1 Determining confirmation of identity requirements
7.9.2 Designing a confirmation of identity process
7.9.3 Service transaction considerations
7.9.4 Creation of a customer’s identity record
7.9.5 Maintenance of a customer’s identity record
7.10 Identity-related documentation
7.10.1 Types of identity-related documents
7.10.2 Protocols for acceptance of documentation
7.10.3 Training for staff – document recognition
7.10.4 Resources to assist with document recognition
7.11 Verification of identity-related data against source data
7.13.1 Criteria for trusted referees
7.13.2 Legislative implications for trusted referee processes
7.14 In-person verification processes
7.15 Dealing with discrepancies
7.16 Investigative interviewing processes
7.17 Handling individual exceptions
7.18.2 Collection of identity-related information from individuals
7.21 Agents/persons acting on behalf of individuals
7.22 Step 3 – Ongoing operation of EOI processes
7.23.1 Establishing identity as part of an employment recruitment process
7.23.2 Operational considerations
7.23.4 Physical control over vulnerable assets
7.23.6 Accurate and timely recording of services
7.23.7 Access restrictions and accountability for identity-related records
7.23.8 Appropriate documentation of service delivery and internal controls
7.25 Transition of business processes
9 Monitoring and Evaluation Phase
9.1 Continual improvement of EOI processes
9.2 Monitoring and evaluation approaches
9.3 Step 1 – Develop Monitoring and Evaluation Plan
9.3.1 Monitoring processes and performance indicators
9.5 Step 2 – Ongoing monitoring and evaluation
Governance Group representation
Appendix A - EOI ‘primary’ documents/records referenced in this Standard
Table 1 – Authentication standards and documents
Table 2 – Phases of EOI process
Table 3 – Initial risk assessment
Table 4 – Identity-related risk: consequences and impacts
Table 5 – Identity Service Risk Categories
Table 6 – Matching Identity Service Risk Categories to EOI Confidence Levels
Table 7 – Matching risk level to appropriate EOI Confidence Level process
Table 8 – Evidential requirements for EOI Confidence Level processes
Table 9 – Documents/records used to satisfy Objective A
Table 10 – Documents/records used to satisfy Objective E
Table 11 – ‘Supporting’ documents/records used to satisfy Objective E
Table 12 – Documents/records used to establish name usage
Table 13 – In-person confirmation of identity: Evidential requirements for EOI Confidence levels
Table 14 – Phone confirmation of identity: Evidential requirements for EOI Confidence Levels
Table 15 – Postal mail confirmation of identity: Evidential requirements for EOI Confidence Levels
Table 16 – Performance indicators
Figure 1 – Overview of Evidence of Identity (EOI) model
Figure 2 – Overview of risk assessment process
Figure 3 – Initial assessment of identity-related risk
Figure 4 – Formal assessment of identity-related risk
Figure 5 – Overview of the Design and Operation Phase
Figure 7 – Overview of generic business processes for establishing an individual’s identity
Figure 8 – Generic business processes for confirmation of identity