63 new standards became effective on 30 November 2021. Among them is a series of documents on information technology, which we describe in more detail below.
For automated (information) systems to function, it is necessary to collect and compile information on users and on the software or equipment connected with them, and to take decisions based on that data. Such decisions can concern access to applications and other resources.
For many organizations, management of identity information is critical to the security of organizational processes. Proper management is important for protecting users’ personal data.
GOST R 59381-2021 «Information technology. Security techniques. A framework for identity management. Part 1. Terminology and concepts» defines the main terms connected with the identity management process.
An attribute is a characteristic or property of an entity. Possible attributes include: type of entity, address, telephone number, privilege, MAC address, domain name.
Domain of applicability is an environment in which an entity can use a set of attributes for identification purposes. For example, an organization's IT system that lets users register is the domain for the registered username.
Domain of origin is the domain in which the value of an identity attribute was created. The standard gives the example of a club membership number: its domain of origin is the club that assigned the number.
Identity is the representation of an entity in the form of one or two attributes that allow entities to be distinguished within the domain.
The main aim of the domain maintained by the system is to determine which of the attributes describing an entity should be used in its identity.
GOST R 59515-2021 «Information technology. Security techniques. Identity proofing» contains recommendations on identity proofing of subjects, and specifies the levels of identity proofing for their identity information and the requirements for achieving them.
Identity proofing is the process of verifying the identity attributes entered into the identity management system and of determining whether those attributes belong to the subject being entered in the register.
Each case of identity proofing includes several stages: collecting the approved data, determining the validity of the collected identity attributes, confirming conformity to the required level of identity proofing, and linking the declared identity attributes to the subject.
Approval of identity data requires that the data be unique within its domain, as stated in the standard.
GOST R 59382-2021 «Information technology. Security techniques. A framework for identity management. Part 3. Practice»
Identity management practice covers providing confidence in the identity management structure, which includes access to identity data and to other resources on the basis of such data, access policy, the means of exchanging identity data, and management of the goals to be achieved when creating and maintaining an identity management system. Among them are risk assessment, confidence in the credibility of identity information, and others.
Organizations should provide confidence that adequate information protection measures are implemented to reduce the risks and consequences of breach, damage and loss of availability of identity information during its collection, storage, use, transfer and disposal.