Establish, implement, and maintain digital identification procedures.


CONTROL ID: 13714
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a digital identity management program. (CC ID: 13713)

This Control has the following implementation support Control(s):
  • Implement digital identification processes. (CC ID: 13731)

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Authenticity: In computing, e-business and information security it is necessary to ensure that the data, transactions, communications or documents (electronic or physical) are genuine. It is also important for authenticity to validate that both parties involved are who they claim they are. (Basic Principles of Information Security ¶ 1 Bullet 4, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Any of the following persons shall, if he or she intends to install and operate a message board, take necessary measures, as prescribed by Presidential Decree (hereinafter referred to as "measures for identity verification"), including preparation of methods and procedures for verifying identity of … (Article 44-5(1), Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • Even where the collection/use of users' resident registration numbers is authorized pursuant to paragraph (1) 2 or 3, an identification method without using the users' resident registration numbers (hereinafter referred to as "alternative means") shall be provided. (Article 23-2(2), Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • Identity check by trusted procedures (Section 5.7 IDM-08 Basic requirement ¶ 1 Bullet 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed. (§ 164.312(d), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Each agency’s PIV implementation SHALL meet the control objectives listed above including, but not limited to, processes that ensure that (2.1 ¶ 2, FIPS Pub 201-3, Personal Identity Verification (PIV) of Federal Employees and Contractors)
  • The identity proofing and registration process used when verifying the identity of the applicant SHALL be accredited by the department or agency as satisfying the requirements above and approved in writing by the head or deputy (or equivalent) of the federal department or agency. (2.7 ¶ 11, FIPS Pub 201-3, Personal Identity Verification (PIV) of Federal Employees and Contractors)
  • Individuals and devices are proofed and bound to credentials, and authenticated commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks). (PR.AC-P6, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)