IDEF Registry

Entities MUST employ documented business policies and processes in conducting their digital identity management functions, including internally and in transactions between entities.

This Requirement is that entities shall document business policies and procedures that are employed for identity management functions related to the transmission, receipt, and acceptance of data between systems. Having documented procedures is a necessary prerequisite for transparency and accountability, quality control, auditability, and ease of interoperability among federated communities.

However, this Requirement does not mandate adoption of any specific policies and procedures, or any specific systematic approaches to procedures. Rather, the entity making this assertion should simply affirm that it does maintain such documents in writing, and can make them available as described. The obligation for policies to be transparent to USERS in this context includes prospective users such as eligible applicants.

Regarding “digital identity management functions”, see Appendix A.

Reference examples for requirements that entities maintain written policies and procedures generally:

• HIPAA Security and Privacy Regulations regarding development and maintenance of policies and procedures: 45 CFR Part 164, § 164.316(a), § 164.530(a), § 164.530(a)(1)(i), § 164.530(i) and § 164.530(j): http://www.ecfr.gov/cgi-bin/text-idx?node=pt45.1.164&rgn=div5
• Sarbanes- Oxley Sec. 404, Assessment of Internal Controls, https://en.wikipedia.org/wiki/Sarbanes%E2%80%93Oxley_Act#Sarbanes.E2.80.93Oxley_Section_404:_Assessment_of_internal_control

Reference example of a federation’s published policies, see: https://www.incommon.org/policies.html

TBA