The institution, in coordination with the other participants in the agreement, establishes an authentication framework to provide legally valid, efficient and secure means for the transactions carried out in the social security agreement.
This framework replaces the one based on handwritten signatures used in paper-based transactions and provides the means to validate the authenticity of the electronically exchanged data.
Guideline code
ICT_08200
Mechanism
- The Responsible Technical Team (RTT), with the assistance of specialized groups, should establish an authentication framework to provide legally valid, efficient and secure means by which to perform the transactions specified in the social security agreement.
- The key principles that underpin the authentication framework are: Transparency, Risk Management, Consistency, Interoperability, Responsiveness and Accountability, Trust and Confidence, Privacy, Choice, Flexibility, and Cost Effectiveness and Convenience.
- The authentication framework should include approaches that maintain a balance between mitigating identity-related risks in transactions and usability, affordability and feasibility of implementation.
- To promote reuse, the authentication framework may be based on mainstream authentication models used in existing agreements as well as on existing authentication credentials already used in the participant institutions.
- The authentication framework should include a standardized criterion for determining the level of security required for a particular electronic transaction.
- The scope of the authentication framework:
  - Covers the types of operations of the agreement that require a signature. There may be operations that do not have this requirement (e.g. consulting local information and the log of transactions may require only authorized access to the system);
  - Covers staff of institutions who: (i) would perform operations requiring electronic signature; and (ii) would use electronic certificates for authentication into the systems;
  - Provides the way to implement a future trusted electronic environment where social security institutions can transact with each other as well as with other stakeholders.
- Authentication may be implemented following different approaches, particularly:
  - Paired (applicable only for two institutions), where each institution implements and manages its own authentication solutions, including the definition of authorized signatures;
  - With a “trusted third organization” (recommended for multilateral agreements), where institutions participating in the agreement commission a third organization to manage the set of authorized signatures.
- The implementation of the authentication framework requires:
  - Authentication solution components with the capacity to meet the security levels required for transactions;
  - Authentication models implementing the framework in each institution participating in the agreement. This is addressed in Guideline 11, Implementing e-services;
  - A repository of signatures and the authorization level associated with different types of operation (e.g. make a request, provide personal data of a person, grant a benefit, etc.);
  - Using standards, such as X.509.
- The competent authorities involved in the social security agreement formalize the adoption of the authentication framework for the transactions in the agreement.
Structure
- The management should commission the ICT unit and the institution’s delegates in the working committees of the agreement to define, in coordination with the other participating institutions, an authentication framework to be used in the agreement in order to manage the authenticity of the messages exchanged and to prevent repudiation.
- The authentication framework should comply with national and international legislation and should take into account the political and legal context, business processes and concepts involved in authenticating operations.
- The adoption of the authentication framework at the international level should be formalized in the context of the social security agreement, for instance through administrative arrangements.
- The authentication framework should follow the institutional data security framework, as well as the recommendations of the current set of Guidelines, particularly Section B.2, Data Security and Privacy.
Title HTML
Guideline 61. Authentication framework