Clients wishing to integrate with IDIM's identity and authentication services must complete the following security steps as part of the onboarding process:
- Full Scope Security Threat and Risk Assessment (STRA) – All onboarding clients that integrate their applications with the BC Services Card Authentication Service must use the MTICS corporate security threat and risk assessment (STRA) tool to conduct a comprehensive STRA of their application, using a current Basis of Evaluation template.
- Key STRA Control Areas Checklist – IDIM does not review the full STRA itself. Instead, clients complete a checklist of key controls drawn from the iSmart STRA scorecard assessment and submit it to IDIM for review.
- Third Party Review of STRA – An objective review that confirms the STRA is appropriate and complete. This type of analysis can be obtained from various third parties, including Office of the Chief Information Officer Information Security Branch (ISB) Advisory Services. IDIM requires evidence that this review was performed.
- Dynamic Analysis of Application – A scan run against the executing application (rather than its source code) to identify vulnerabilities, including logic errors, that an attacker could exploit. This type of runtime analysis can be obtained from various third party vendors. It may also be referred to as an application vulnerability scan.
- Penetration Test of Infrastructure – A penetration test builds on a dynamic analysis or vulnerability scan: observed vulnerabilities are exercised to confirm they are actually present and exploitable in the host application's infrastructure. Penetration testing usually combines automated and manual tests. The penetration test report describes the potential impact of each confirmed finding and recommends remediation.
- Keeping IDIM Informed – IDIM expects to be informed of critical and high vulnerabilities or risks, whether they originate from the onboarding client's STRA, from security testing results, or from incidents.
Data classification is an essential step in determining the levels of security controls your organization will need. Clients need to assess which identity attributes will be used in their transactions and how they will be used; the outcome of that assessment drives the data classification process.