Specialists from different fields in the digital identity ecosystem have shed light on what it takes to be accredited for New Zealand’s Digital Identity Services Trust Framework (DISTF). They shared their thoughts during a webinar on March 26 moderated by Colin Wallis, Executive Director of Digital Identity New Zealand, where they also explained details of the process and the benefits that come with accreditation.
The DISTF in New Zealand is a legal framework designed to regulate digital identity services as the country looks to expand its digital ID services. The DISTF’s new rules and accreditation system took effect last November.
The objective of the webinar, dubbed “DISTF Evaluators Showcase,” was to give those considering DISTF accreditation an understanding of its advantages for small- and large-scale entities, organizational roles, costs and time frames, and the preparation process for the evaluation of compliance with standards, which precedes the accreditation application.
Discussants included Tom Norcliffe, security consultant at Middleware Group; Marcus Bossert, Director of Cyber, Privacy and Resilience at Deloitte, which is an accredited evaluator; and Rizwan Ahmad, Founder of Cianaa Technologies, all of whom are Digital Identity New Zealand members. Also taking part was Deanne Myers, Regulatory Practice Manager at New Zealand’s Department of Internal Affairs.
The first three speakers took time to introduce their companies, highlighting their services and key projects across the domains of digital identity and cybersecurity. They also mentioned some of their projects in New Zealand and the institutions they work with.
Bossert began by explaining the work Deloitte, as a consultancy services firm, is doing in the digital security assessment space. He mentioned that the firm offers services in cyber strategy, transformation, digital privacy, trust, enterprise security, application cloud security, emerging technology solutions, threat detection and response, as well as operational security services. He also said that they have worked extensively on digital identity projects.
He said evaluation for the DISTF accreditation process looks at several factors including enterprise security, cloud security, security and resilience mechanisms, and threat detection and response, among others. The official also explained that the firm plays a significant role in guiding organizations through the accreditation process, helping them to align their cybersecurity and privacy expertise in order to ensure successful transactions.
Accreditation not a mere compliance formality
The accreditation, he insisted, is not just for the purposes of compliance but is something that enables entities to demonstrate robust security practices, which are vital for building confidence and trust among stakeholders such as boards, customers, and even regulators.
“If you think about why you want to get accredited, you’ve got to think about the stakeholders that are involved in this. But fundamentally, you have to think about it from a more practical and operational perspective as well,” Bossert said.
“Security, privacy, development and operations teams are really interested in knowing that you have solid security practices built in. It is quite valuable for them to understand and have clarity on what the control measures are. So, I see the accreditation process as a mechanism to build confidence that your stakeholders need,” he stated.
“[Thanks to] the work that we do, our knowledge and global network, we can help you accelerate readiness and navigate the shortest path to success, so that we help you focus on those things that really matter, get your accreditation and accelerate operational readiness.”
For his part, Norcliffe from Middleware Group emphasized the importance of the digital ID trust framework, saying it is crucial for most of the work they are doing with government entities and the private sector in New Zealand.
Taking the floor, Ahmad said Cianaa Technologies has a framework on which its team of independent security evaluators offers services that include penetration testing, privacy, and GDPR compliance.
“We assess organizations based on this [framework]. We see whether you’re keeping the information confidential, whether you have the integrity intact, whether your services are available, whether it has non-repetition, and if it has the proper authentication authorization,” he said.
“Now, when we assess your organization based on that, it actually automatically gives up to the right assessment, because if something is missing, then there’s something missing in security.”
Overview of accreditation application process
Myers said the team she manages is responsible for basically all aspects of the accreditation process. She gave an overview of components of the application process required by the Trust Framework Authority (TFA), noting that the entire process is transparent.
“We receive and assess applications for accreditation as a trust framework provider. We monitor ongoing compliance with the requirements of accreditation, assess applications for renewal, and obviously deal with any issues that arise in the course of these processes.”
She explained that a part of the application process requires results of an independent evaluation undertaken by independent evaluators, including a conformance assessment against the New Zealand identification standards. “Those outputs or deliverables will be submitted as part of an application,” she stated.
“There are currently 15 independent security evaluators who have been appointed and three privacy independent evaluators. However, we are currently undertaking an expression of interest process, calling for interest from other agencies who are able and who meet the criteria to be appointed as either a privacy or security evaluator, or both.”
Myers also shared important links and resources which can help those seeking accreditation to better understand what is required of them and how they can go through the process successfully. She also said the application would need to be submitted within 12 months of the standards compliance evaluation.
Understand what you need
The speakers also noted the place of AI in the trust framework evaluation process. Ahmad said that while the technology can make a positive contribution to the process, it can also bring about challenges that affect these assessments.
Bossert added that those applying for accreditation must clearly understand what they need, and often, they expect the process to be as quick, painless and cost-effective as possible.
“If you’ve ever done something like an ISO accreditation, you would understand or know that it is very useful to be clear on the scope of accreditation that you’re looking for. So don’t apply for accreditation for areas that you don’t need. For example, if you’re not going to be providing personal information, then don’t sign up for accreditation for that,” he advised.
He also said that, to make the evaluators’ work easier, those seeking to provide trust services must take certain key factors into consideration, including having the right control and risk management mechanisms in place.
“I would suggest that you have a look at your solution and do a proper risk assessment early on so that you’ve got visibility of those risks and that you can start building in the necessary controls. In terms of risks, if you can demonstrate that you’re actively managing them and you have visibility and control, then that certainly helps to give the confidence needed.”
Pricing for the evaluation process was also addressed, with the speakers saying it can range from approximately $10,000 to $50,000, depending on the scope and the level of preparedness of the entity to be evaluated.
Source: biometricupdate.com