Cabinet Office publishes identity assurance 'good practice' guidance

The Cabinet Office has published the first tranche of a series of guides which set out an approach for potential providers of the government's identity assurance programme to securely deliver public services online to individuals and businesses. The identity assurance service will essentially be a market of competing private sector identity providers that will sell ID assurance services to the public sector, allowing organisations to identify who they are dealing with during government transactions. The service will heavily support the Department for Work and Pensions' Universal Credit and the Personal Independence Payment, which is to replace its current benefit system in 2013. The three new guides that are available cover: • Requirements for secure delivery of online public services. • Authentication credentials in support of government online services. • Validating and verifying the identity of an individual in support of government online services. The first guide on 'requirements for secure delivery of online public services' sets out a six-step process which aims to inform suppliers about the risk management of online public services. It also outlines the expectations of key stakeholders and the risks to the service on the basis of the transactions that take place. According to a blog post by the Government Digital Service , this particular guide will be of relevance to suppliers responsible for service and system security including procurement, provisioning, accreditation, information governance and security management. The second guide on 'authentication credentials in support of government online services' will provide guidance on the use of identity credentials to support citizen authentication to the government's digital services. The guide says that this is an important area to consider as online public services may attract significant levels of risk as it may be targeted by fraudsters and other sources of threat. The final guide on 'validating and verifying the identity of an individual in support of the government's online services' aims to provide suppliers with guidance when considering the deployment of identity validation and verification services. This will be relevant to senior information risk owners, IT security officers, accreditors and information assurance practitioners within public sector organisations who intend to provide online access to their public services. The Government Digital Service said that the guides will be refined if necessary as requirements, and the government's understanding of the programme change. In late December 2011 the government pulled back its tender for identity assurance services, put out by the DWP. The government then reissued the £25m tender with a number of mainly commercial changes. It also made the new tender a government-wide framework, so that it could benefit the whole of Whitehall, and not just one department as was previously the case. Speaking to Guardian Government Computing in March, Mike Bracken, the government's executive director for digital, acknowledged that the implementation of the identity assurance service was a controversial one. He said that many people in government had shied away from it in the past because of similar issues around the now defunct identity card scheme. But he said he was confident that the amendments to the framework would be more beneficial to the government as a whole than the previous tender. This article is published by Guardian Professional. For weekly updates on news, debate and best practice on public sector IT, join the Guardian Government Computing network here.