Establish, implement, and maintain a digital identity management program.


CONTROL ID: 13713
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Technical security, CC ID: 00508

This Control has the following implementation support Control(s):
  • Establish the requirements for Identity Assurance Levels., CC ID: 13857
  • Establish, implement, and maintain an authorized representatives policy., CC ID: 13798
  • Establish, implement, and maintain digital identification procedures., CC ID: 13714
  • Implement federated identity systems, as necessary., CC ID: 13837


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Regulated entities would typically put in place processes to ensure that identities and credentials are issued, managed, verified, revoked and audited for authorised devices, users and software/processes. (Attachment C 4., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • Manage, store, and review the information of system identities, and level of access. (IAM-03, Cloud Controls Matrix, v4.0)
  • The full life cycle of identities should be managed. (§ 5.16 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users, and processes. (PR.AC-1, CRI Profile, v1.2)
  • USE OF IDENTIFIERS.—The standards adopted under paragraph (1) shall specify the purposes for which a unique health identifier may be used. (§ 1173(b)(2), Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, 104th Congress)
  • Conform to the following profiles for identity management [Assignment: organization-defined identity management profiles]. (IA-8(4) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Conform to the following profiles for identity management [Assignment: organization-defined identity management profiles]. (IA-8(4) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Conform to the following profiles for identity management [Assignment: organization-defined identity management profiles]. (IA-8(4) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Conform to the following profiles for identity management [Assignment: organization-defined identity management profiles]. (IA-8(4) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)