Trustmark Definition (TD):
Assignment of Identifiers

Metadata


Identifierhttps://trustmark.gtri.gatech.edu/operational-pilot/trustmark-definitions/assignment-of-identifiers/1.0/
NameAssignment of Identifiers
Version1.0
Publication Date2015-09-18
Trustmark Defining Organization
Identifierhttps://trustmark.gtri.gatech.edu/
NameGeorgia Tech Research Institute
PRIMARY Contact
EmailTrustmarkFeedback@gtri.gatech.edu
Telephone404-407-8956
Mailing Address75 5th Street NW, Suite 900, Atlanta, GA 30308
DescriptionThis Trustmark Definition defines conformance and assessment criteria for compliance with minimum security requirements for assignment of identifiers as related to overall identification and authentication requirements.
Target StakeholdersOrganizations that are interested in implementing or making use of digital information systems in a manner that complies with widely accepted information security standards and practices such as NIST Special Publication 800-53.
Target RecipientsOrganizations that want to demonstrate that they provide and/or consume digital information services in a manner that complies with widely accepted information security standards and practices such as NIST Special Publication 800-53.
Target Relying PartiesOrganizations and individuals that require their trusted partners' computer and information systems to comply with widely accepted information security standards and practices such as NIST Special Publication 800-53.
Target ProvidersOrganizations that audit or evaluate other organizations for compliance with widely accepted information security standards and practices such as NIST Special Publication 800-53.
Provider CriteriaAny organization or business entity may act as a Trustmark Provider for trustmarks under this Trustmark Definition.
Assessor QualificationsAny individual employed or contracted by the Trustmark Provider may act as the assessor for trustmarks under this Trustmark Definition.
Trustmark Revocation CriteriaFor any trustmark issued under this Trustmark Definition, the Trustmark Provider must revoke the trustmark upon any condition whereby one or more Conformance Criteria cease to be satisfied.
Extension DescriptionThis Trustmark Definition requires no extension data.
Legal NoticeThis document and the information contained herein is provided on an "AS IS" basis, and the Georgia Tech Research Institute disclaims all warranties, express or implied, including but not limited to any warranty that the use of the information herein will not infringe any rights or any implied warranties or merchantability or fitness for a particular purpose. In addition, the Georgia Tech Research Institute disclaims legal liability for any loss incurred as a result of the use or reliance on the document or the information contained herein.
NotesThe Georgia Tech Research Institute (GTRI) has published this document with the support of the National Strategy for Trusted Identities in Cyberspace (NSTIC) via the National Institute of Standards and Technology (NIST). The views expressed herein do not necessarily reflect the official policies of GTRI, NIST or NSTIC; nor does mention of trade names, commercial practices, or organizations imply endorsement by the U.S. Government.

Conformance Criteria (1)


NOTE:If conformance criteria reference organization-defined elements (e.g. <organization-defined personnel or roles>, <organization-defined frequency>, etc.), these values must be defined and documented by the organization.

Similarly, if the criteria specify a "Selection" among multiple options (e.g. [Selection (one or more): as needed; ]), the option(s) implemented by the organization must also be defined and documented.

1: C1

The organization must manage information system identifiers by assigning the identifier to the intended individual, group, role, or device.
Citation(s)

Assessment Steps (1)


NOTE:If an assessment step references organization-defined elements (E.g. <organization-defined personnel or roles>, <organization-defined frequency>, etc.), corresponding citations/excerpts must be provided to confirm that the organization has established and documented these values and that they apply as referenced in the conformance criteria.

Similarly, if a "Selection" among multiple options (e.g. [Selection (one or more): as needed; ]) is specified, evidence must be provided to establish that the option(s) implemented by the organization have been defined and documented.

The assessment step shall not be marked as satisfied without this evidence.

1: Assignment of Identifiers (AssignmentofIdentifiers)

Does the organization manage information system identifiers by assigning the identifier to the intended individual, group, role, or device?
Required Artifact(s)
  • A1Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) that support the assessor's response to this assessment step.

Issuance Criteria


yes(ALL)

Sources (1)


SP800-53R4
NIST Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, National Institute of Standards and Technology, April 2013 (Includes updates as of 01-15-2014). Available at http://dx.doi.org/10.6028/NIST.SP.800-53r4.

Terms (31)


Accreditation
The official management decision given by a senior organization official to authorize operation of an information system and to explicitly accept the risk to organization operations (including mission, functions, image, or reputation), organization assets, or individuals, based on the implementation of an agreed-upon set of security controls.
Authentication
Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.
Authorizing Official
Official with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organization operations (including mission, functions, image, or reputation), organization assets, or individuals. Synonymous with Accreditation Authority.
Availability
Ensuring timely and reliable access to and use of information.
Certification
A comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
Confidentiality
Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
Environment
Aggregate of external procedures, conditions, and objects affecting the development, operation, and maintenance of an information system.
Incident
An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
Information
An instance of an information type; data.
Information Security
The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.
Information System
A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
Information Technology
Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the organization. For purposes of the preceding sentence, equipment is used by an organization if the equipment is used by the organization directly or is used by a contractor under a contract with the organization which: (i) requires the use of such equipment; or (ii) requires the use, to a significant extent, of such equipment in the performance of a service or the furnishing of a product. The term information technology includes computers, ancillary equipment, software, firmware and similar procedures, services (including support services), and related resources.
Integrity
Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.
Management Controls
The security controls (i.e., safeguards or countermeasures) for an information system that focus on the management of risk and the management of information system security.
Media
Physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, Large-Scale Integration (LSI) memory chips, printouts (but not including display media) onto which information is recorded, stored, or printed within an information system.
Organization
An organized body of people with a particular purpose, especially a business, society, association, government agency, etc.
Potential Impact
The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect, a serious adverse effect, or a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
Records
All books, papers, maps, photographs, machine-readable materials, or other documentary materials, regardless of physical form or characteristics, made or received by an organization in connection with the transaction of business and preserved or appropriate for preservation by that organization or its legitimate successor as evidence of the organization, functions, policies, decisions, procedures, operations or other activities such as legal requirements or because of the informational value of the data in them.
Risk
The level of impact on organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring.
Risk Management
The process of managing risks to organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the operation of an information system, and includes: (i) the conduct of a risk assessment; (ii) the implementation of a risk mitigation strategy; and (iii) employment of techniques and procedures for the continuous monitoring of the security state of the information system.
Safeguards
Protective measures prescribed to meet the security requirements (i.e., confidentiality, integrity, and availability) specified for an information system. Safeguards may include security features, management constraints, personnel security, and security of physical structures, areas, and devices. Synonymous with security controls and countermeasures.
Sanitization
Process to remove information from media such that information recovery is not possible. It includes removing all labels, markings, and activity logs.
Security Category
The characterization of information or an information system based on an assessment of the potential impact that a loss of confidentiality, integrity, or availability of such information or information system would have on organizational operations, organizational assets, or individuals.
Security Controls
The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.
Security Plan
See System Security Plan.
Security Requirements
Requirements levied on an information system that are derived from applicable laws, orders, directives, policies, standards, instructions, regulations, or procedures, or organizational mission/business case needs to ensure the confidentiality, integrity, and availability of the information being processed, stored, or transmitted.
System
See information system.
System Security Plan
Formal document that provides an overview of the security requirements for an information system and describes the security controls in place or planned for meeting those requirements.
Threat
Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. Also, the potential for a threat-source to successfully exploit a particular information system vulnerability.
User
Individual or (system) process authorized to access an information system.
Vulnerability
Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.