
https://gds.blog.gov.uk/2012/05/14/good-practice-guides-enabling-trusted-transactions/

Good Practice Guides: Enabling Trusted Transactions

Categories: GOV.UK One Login

Today we’re publishing a series of Good Practice Guides (GPGs) for potential providers of identity assurance for government services. They can now be found on the Cabinet Office site.

Just For Starters

These are the first of a series of guides which will immediately be relevant to the forthcoming DWP Universal Credit procurement. We recognise that the guides are necessarily quite technical, so we will continue to refine and develop them in line with our design principles and as our understanding and requirements change.

They’ve been developed collaboratively with HMG departments, private sector representatives and the UK national technical authority for information assurance (CESG) to ensure that the business, technical and security demands across the sectors can be met. Moreover, the guides are intended to ensure that the delivery of trusted online user transactions will take place in accordance with the identity and privacy principles, as previously discussed here.

There are currently three guides available:

  • GPG 43: Requirements for Secure Delivery of Online Public Services (RSDOPS);
  • GPG 44: Authentication Credentials in Support of HMG Online Services; and,
  • GPG 45: Validating and Verifying the Identity of an Individual in Support of HMG Online Services.

What’s Inside The Guides

GPG 43 - Requirements for Secure Delivery of Online Public Services (RSDOPS):

This guide sets out an approach to determining the components needed to securely deliver public services online to individuals and businesses.

It introduces a six step process that provides a systematic approach to inform the risk management of online public services. The process takes into account the expectations of the key stakeholders and the risks to the service on the basis of the transactions that take place. The output is a security case that demonstrates that these aspects have been considered in a transparent way.

This guide is of particular relevance to those responsible for service and system security including procurement, provisioning, accreditation, information governance and security management.

GPG 44 - Authentication Credentials in Support of HMG Online Services:

The purpose of this document is to provide guidance to HMG public service providers and their contractors (e.g. Identity Service Providers) on the use of identity credentials to support citizen authentication to HMG digital services.

Delivery of an online public service may attract significant levels of risk as it will present a very attractive target to fraudsters and other sources of threat. Public sector service providers have to make informed choices with regard to credentials based on an understanding of threats, risks and the impacts associated with their service. The strength of an authentication credential, and hence the level of assurance assigned to it, is determined by many different factors which can be characterised under three main headings explored in the guide.

This document is intended to complement and support the guidance provided in GPG 45, Validating and Verifying the Identity of an Individual in support of HMG Online Services, see below.

GPG 45 - Validating and Verifying the Identity of an Individual in Support of HMG Online Services:

This document provides guidance to HMG public service providers and their contractors when considering the deployment of Identity Validation and Verification (IDV) services in support of an online public service.

It should be read by Senior Information Risk Owners (SIRO), Information Technology Security Officers (ITSO), Accreditors and Information Assurance Practitioners within public sector organisations who intend to provide online access to their public services.

Let Us Know What You Think

Follow the link here on the Cabinet Office site to read the guides. As always, we welcome your feedback via comments here.


8 comments

  1. Comment by Cabinet Office publishes identity assurance 'good practice' guidance - Government Tenders, Government News and Information - Government Online posted on

    [...] According to a blog post by the Government Digital Service, this particular guide will be of relevance to suppliers responsible for service and system security including procurement, provisioning, accreditation, information governance and security management. [...]

  2. Comment by Identity assurance – Stepping Up A Gear | Government Digital Service posted on

    [...] for exchanging ideas between interested suppliers and the broader market. We’ve been drafting good practice guides and privacy principles, and we’ve reached out beyond central government to understand the needs [...]

  3. Comment by Mobile Cloud Identity Services for Government – Cloud Computing Best Practices posted on

    [...] For SaaS Entrepreneurs, the key aspect to understand about this technology is the role it plays in enabling more Trustworthy business processes; as in what the UK describes as Trustworthy Transactions. [...]

  4. Comment by From Canadian Concept to Commercialization – Canada Cloud posted on

    [...] venture opportunity for these projects is clearly described by the UK’s own plans for online Trusted Services, which is the key point about these CICP type programs, i.e. It’s really smart to make [...]

  5. Comment by How not to reform a voting system that would disgrace a banana republic | E RADAR | Smarter business online posted on

    [...] government issued "credentials" being used to facilitate fraud, At this point I should mention the "Good Practice Guides" for "potential providers of identity assurance services for government services" also just issued [...]

  6. Comment by Fats Brannigan posted on

    From a quick perusal of the guides, I would be prepared to have a stab at naming the consultancies you've been talking to....

    The guides are OK for circulating to non-technical stakeholders but the information seems a bit dated and falls short in key areas of current best practice, eg dynamically evaluating the risk against policy rules and applying appropriate authentication. I wonder if this may be because you have only engaged so far with stakeholders processing low value transactions.

  7. Comment by starburn posted on

    Minor nitpick - there's a 'click here' type link in first paragraph. Would be better to make Good Practice Guides the link. See http://www.w3.org/QA/Tips/noClickHere

    • Replies to starburn

      Comment by steve posted on

      Thanks, Starburn, for drawing our attention to this. Hopefully fixed it now.