Guideline 62. Model for implementing authentication of transactions in the institutions


The institution implements an authentication model to identify, authenticate and sign digital transactions between institutions participating in the international agreement.

This model replaces the handwritten signatures used in paper-based transactions and enables validation of the authenticity of the data exchanged.

Guideline code
ICT_08300
Mechanism
  • The ICT unit should implement an authentication model based on the authentication framework established for the agreement at the international level as well as on institutional standards.
  • The model should enable users to identify, authenticate and sign electronic transactions between institutions participating in the international agreement.
  • The implementation of the authentication model includes:
    • Defining the types of electronic transactions to which the model will be applied and the associated security measures (enquiries, information provision or instruction, declarations, statements, financial transactions, etc.);
    • Selecting the appropriate authentication mechanism (e.g. password, biometric authentication, digital certificate) for the different types of transactions;
    • Defining the credential life-cycle management system (issuance, activation, deactivation, etc.) that meets the required security level.
  • Certificates can be obtained through one of several strategies, such as:
    • Certificates from a private (commercial) Certificate Authority (CA), free or paid, such as VeriSign, DigiCert, Entrust, StartCom, etc.;
    • Certificates from a National Public Certificate Authority (CA);
    • Owning and operating a local CA to issue private certificates for users and applications.
  • The ICT unit should choose between the use of internal or external certificates based on a number of factors, such as maintenance (time and resources), control of certificates, costs, etc.
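The following program is an added example, not part of the Guidelines, showing the third certificate strategy above (a local CA operated by the institution) together with the transaction signing and verification the model is meant to provide. It uses only the Go standard library; the CA name, user name and transaction content are constructed sample values. The local CA issues a signature-only certificate to a user, the user signs a transaction, and the receiving side verifies both that the certificate chains to the agreed root (authentication) and that the signature matches the bytes received (integrity); a tampered transaction or a certificate from an unknown CA is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// LocalCA is a hypothetical in-memory certificate authority: the "owning and operating
// a local CA" option, reduced to a root key pair and its self-signed certificate.
type LocalCA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewLocalCA creates a self-signed root certificate permitted to sign other certificates.
func NewLocalCA(name string) (*LocalCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &LocalCA{Cert: cert, Key: key}, err
}

// IssueUserCert is the "issuance" step of credential life-cycle management: the CA binds
// a user's public key to an identity in a certificate restricted to digital signatures.
func (ca *LocalCA) IssueUserCert(serial int64, user string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: user},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// SignTransaction produces an ECDSA signature (ASN.1 DER) over the SHA-256 digest of the
// transaction bytes; only the holder of the private key can produce it (non-repudiation).
func SignTransaction(key *ecdsa.PrivateKey, tx []byte) ([]byte, error) {
	digest := sha256.Sum256(tx)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// VerifyTransaction is what the receiving institution runs: the signer's certificate must
// chain to the agreed root (sender authentication) and the signature must match the bytes
// received (data integrity). Either failure rejects the transaction.
func VerifyTransaction(root, signer *x509.Certificate, tx, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := signer.Verify(opts); err != nil {
		return fmt.Errorf("signer certificate not trusted: %w", err)
	}
	pub, ok := signer.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return fmt.Errorf("unsupported signer key type %T", signer.PublicKey)
	}
	digest := sha256.Sum256(tx)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return fmt.Errorf("signature does not match transaction data")
	}
	return nil
}

func main() {
	ca, _ := NewLocalCA("Example Institution Root CA (constructed)")
	cert, key, _ := ca.IssueUserCert(1001, "declarant-42 (constructed)")
	tx := []byte(`{"type":"declaration","ref":"DEC-0001","amount":12500}`) // constructed sample
	sig, _ := SignTransaction(key, tx)
	fmt.Println("original  :", VerifyTransaction(ca.Cert, cert, tx, sig))
	fmt.Println("tampered  :", VerifyTransaction(ca.Cert, cert, []byte(`{"amount":1250}`), sig))
}
```

Revocation (the "deactivation" step of the life cycle) is deliberately left out: in practice the verifier would also consult a CRL or OCSP responder before trusting the certificate, and the root key would live in an HSM rather than in process memory.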
Structure
  • The management should commission the ICT unit to implement an authentication model enabling authentication and digital signature for transactions between institutions participating in the international agreement.
  • The authentication model should provide the means to achieve authentication, data integrity, confidentiality, and non-repudiation. It should be based on the authentication framework established for the agreement at the international level.
  • The management should establish roles and responsibilities to put into practice the authentication-related functions in the institution.
  • The implementation of a model based on digital certificates should include all aspects related to the acquisition, use and management of digital certificates.
  • The institutional authentication model should be consistent with the institution’s standards on ICT.
  • The model for implementing the authentication of transactions should follow the institutional data security framework, as well as the recommendations of the current set of Guidelines, particularly Section B.2, Data Security and Privacy.