Guideline on Identity Assurance

Supports implementation of the minimum requirements for establishing the identity of an individual to a given level of assurance.
Date modified: 2016-03-04

Supporting tools

Guidelines:

Standard:

More information

Directive:

Terminology:

Hierarchy

Print-friendly XML

Glossary

assurance

A measure of certainty that a statement or fact is true.

assurance level

A level of confidence that may be relied on by others.

authoritative party

A federation member that provides assurances (of credential or identity) to other members (relying parties).

authoritative source

A collection or registry of records maintained by an authority that meets established criteria.

availability (disponibilité)
The state of being accessible and usable in a timely and reliable manner.
biological or behavioural characteristic confirmation

A process that compares biological (anatomical and physiological) characteristics in order to establish a link to an individual. Example: Facial photo comparison.

business continuity planning (planification de la continuité des opérations)
The development and timely execution of plans, measures, procedures and arrangements to ensure minimal or no interruption to the availability of critical services and assets.
communications intelligence (COMINT)
Technical information or intelligence derived from the exploitation of communications systems, information technology systems and networks, and any data or technical information carried on, contained in or relating to those systems or networks by other than the intended recipient.
Communications Security (COMSEC) (sécurité des communications (COMSEC))
The application of cryptographic security, transmission and emission security, physical security measures, operational practices and controls to deny unauthorized access to information derived from telecommunications and that ensure the authenticity of such telecommunications.
compromise (compromission)
The unauthorized access to, disclosure, destruction, removal, modification, use or interruption of assets or information.
confidentiality (confidentialité)
A characteristic applied to information to signify that it can only be disclosed to authorized individuals to prevent injury to national or other interests.
credential

A unique physical or electronic object (or identifier) issued to, or associated with, an individual, organization or device.

credential assurance

The assurance that an individual, organization or device has maintained control over what has been entrusted to him or her (e.g., key, token, document, identifier) and that the credential has not been compromised (e.g., tampered with, modified).

credential assurance level

The level of confidence that an individual, organization or device has maintained control over what has been entrusted to him or her (e.g., key, token, document, identifier) and that the credential has not been compromised (e.g., tampered with, corrupted, modified).

credential risk

The risk that an individual, organization or device has lost control over the credential that has been issued to him or her.

critical service (service critique)
A service whose compromise in terms of availability or integrity would result in a high degree of injury to the health, safety, security or economic well-being of Canadians or to the effective functioning of the Government of Canada (GC).
department (ministère)
All departments named in Schedule I, divisions or branches of the federal public administration set out in column I of Schedule I.1, corporations named in Schedule II, and portions of the federal public administration named in schedules IV and V of the Financial Administration Act (FAA), unless excluded by specific acts, regulations or Orders in Council.
Deputy Head (Administrateur général)
Deputy Head as defined in section 11 of the Financial Administrtion Act, and in the case of the Canadian Forces the Chief of the Defence Staff.
electronic intelligence (ELINT)
Technical information or intelligence derived from the collection, processing and analysis of electromagnetic non-communications emissions.
emergency (urgence)
A present or imminent event, including IT incidents, that requires prompt coordination of actions to protect the health, safety or welfare of people, or to limit damage to assets or the environment.
emergency management (gestion des urgences)
The prevention and mitigation of, preparedness for, response to and recovery from emergencies.
evidence of identity

A record from an authoritative source indicating an individual's identity. There are two categories of evidence of identity: foundational and supporting.

executive (cadre supérieure)
An employee appointed to the executive group (EX-01 to EX-05 levels), i.e., director, director general, assistant deputy minister or equivalent.
federation

A cooperative agreement between autonomous entities that have agreed to work together. The federation is supported by trust relationships and standards to support interoperability.

foreign instrumentation signals intelligence (FISINT)
Technical information or intelligence derived from the collection, processing and analysis of foreign instrumentation signals by other than the intended recipient.
foundational evidence of identity

Evidence of identity that establishes core identity information such as given name(s), surname, date of birth, sex and place of birth. Examples include records of birth, immigration or citizenship from an authority with the necessary jurisdiction.

identity

A reference or designation used to distinguish a unique and particular individual, organization or device.

identity assurance

A measure of certainty that an individual, organization or device is who or what it claims to be.

identity assurance level

The level of confidence that an individual, organization or device is who or what it claims to be.

identity management

The set of principles, practices, processes and procedures used to realize an organization's mandate and its objectives related to identity.

identity risk

The risk that an individual, organization or device is not who or what it claims to be.

interoperability (interopérabilité)
The ability of federal government departments to operate synergistically through consistent security and identity management practices.
knowledge-based confirmation

A process that compares personal or private information (i.e., shared secrets) to establish an individual's identity. Examples of information that can be used for knowledge-based confirmation include passwords, personal identification numbers, hint questions, program-specific information and credit or financial information.

national interest (intérêt national)
The security and the social, political and economic stability of Canada.
physical possession confirmation

A process that requires physical possession or presentation of evidence to establish an individual's identity.

reliability status (cote de fiabilité)
Indicates the successful completion of reliability checks; allows regular access to government assets and with a need to know to PROTECTED information.
relying party

A federation member that relies on assurances (of credential or identity) from other members (authoritative parties).

remittance agency (organisme de remise)
An organization outside the federal Public Service to which federal government institutions remit money on behalf of employees (e.g. charitable organizations, financial institutions and insurance administrators).
risk (risque)
The uncertainty that can create exposure to undesired future events and outcomes. It is the expression of the likelihood and impact of an event with the potential to impede the achievement of an organization's objectives.
security clearance (cote de sécurité)
indicates successful completion of a security assessment; with a need to know, allows access to classified information. There are three Security Clearance levels: Confidential, Secret and Top Secret.
security control (mesure de sécurité)
An administrative, operational, technical, physical or legal measure for managing security risk. This term is synonymous with safeguard.
security incident (incident de sécurité)
Any workplace violence toward an employee or any act, event or omission that could result in the compromise of information, assets or services.
security screening (filtrage de sécurité)
Any measure resulting in a high level of assurance that an individual can be granted specific access privileges within the context of the federal government.
situational awareness (connaissance de la situation)
Having insight into one's environment and circumstances to understand how events and actions will affect business objectives, both now and in the near future. Having complete, accurate, and current SA is essential in any domain where technological complexity, decision making, and the well-being of the public interact. Because incident management involves predictions and forecasts, SA in the area of IT requires an understanding of the interrelationships between critical services and information, safeguards supporting IT infrastructure and processes, and evolving threats.
sophisticated IT security incident (incident complexe de sécurité des TI)
An event, usually initiated by sophisticated threat actors, that is complicated to detect and recover from, causes harm to GC networks and systems, and affects the confidentiality, integrity and availability of information.
sophisticated IT security threat (menace complexe à la sécurité des TI)
An entity or entities that make use of advanced technologies and tradecraft to penetrate or bypass protective systems and security technologies without being detected.
supporting evidence of identity

Evidence of identity that corroborates the foundational evidence of identity and assists in linking the identity information to an individual. It may also provide additional information such as a photo, signature or address. Examples include social insurance records; records of entitlement to travel, drive or obtain health insurance; and records of marriage, death or name change originating from a jurisdictional authority.

threat (menace)
An event or act, deliberate or accidental, that could cause injury to people, information, assets or services.
trusted referee confirmation

A process that relies on a trusted referee to establish a link to an individual. The trusted referee is determined by program-specific criteria. Examples of trusted referee include guarantor, notary and certified agent.

vulnerability (vulnérabilité)
An inadequacy related to security that could increase susceptibility to compromise or injury.
workplace violence (violence dans le lieu de travail)
An action, conduct, threat or gesture that can reasonably be expected to cause harm, injury or illness to an employee in the workplace.
Date modified: