Standards Review and Recommendation Publication
SRRPUB11
State Web Site Guidelines
Transaction Risk Assessment
August 18, 2003 Version 3.6
On-Line Requirements, Risks & Considerations:
Establishing an interactive web site that provides public
access to government information and services is a requirement
for federal agencies. In Texas, Senate Bill 801, 76th Legislative
Session, requires that "Each state agency that receives information
from members of the public or from regulated persons by means
of a form or that receives payments of money from members
of the public or from regulated persons must also include
in its strategic plan a plan for receiving the forms or the
payments through the Internet or through other electronic
means. The department shall assist state agencies in developing
this portion of the strategic plan." <<snip>>
In June 2000, Congress passed Senate Bill 761, and the President
signed into law the "Electronic Signatures in Global and
National Commerce Act" or "E-SIGN." The Act provides, among
other things, that with respect to transactions in or affecting
interstate commerce, states cannot deny the legal effect,
validity or enforceability of a signature, contract or other
record solely because it is in electronic form. The Act does
not apply to statutes and regulations relating to the creation
and execution of wills, codicils or testamentary trusts, family
law matters, including adoption and divorce, and most of the
Uniform Commercial Code, excluding Sections 1-107, 1-206 and
Articles 2 and 2A. The Act does not affect contracts to which
the state is a party, nor does it affect procurement by state
agencies.
The legal effect, validity or enforceability of an electronic
contract or other record that must be in writing may be denied
if the electronic record is not capable of being retained
and accurately reproduced for later reference by all parties
or persons entitled to retain the contract or other record.
It should be noted that under E-SIGN an electronic signature
could be as simple as typing the individual's name at the
bottom of an e-mail message.
The Act is effective October 1, 2000, unless a state statute,
regulation, or other rule of law administered or promulgated
by a state regulatory agency has been initiated with respect
to the requirement that a record be retained. Depending on
the actions by the regulatory agency, implementation may be
delayed until March 1, 2001. If on March 1, 2001, a state
regulatory agency has announced, proposed, or initiated, but
not completed, a rulemaking proceeding to prescribe a regulation
with respect to retention of records, the effective date is
June 1, 2001.
UETA became effective in Texas January 1, 2002. It is codified
at Texas Business & Commerce Code, Chapter 43. Texas Business
& Commerce Code, §43.017 requires each state agency
to determine whether, and the extent to which, it will send
and accept electronic records and electronic signatures to
and from other persons and otherwise create, generate, communicate,
store, process, use, and rely upon electronic records and
electronic signatures.
1 T.A.C. §203 Management of Electronic Transactions
and Signed Records was adopted by the DIR Board, and published
in the Texas Register May 16, 2003, Volume 28 Number 20, Pages
3873-4016. A copy of the rule is available at http://www.dir.state.tx.us/standards/S203.htm
and the Guidelines for the Management of Electronic Transactions
and Signed Records, that were prepared by the UETA Task Force
of the Department of Information Resources and the Texas State
Library and Archives Commission, are available at http://www.dir.state.tx.us/standards/UETA_Guideline.htm.
General Policy Issues
An agency's determination of which technology is appropriate
for a given transaction must include a risk assessment, and
an evaluation of targeted customer or user needs. The initial
use of the risk assessment is to identify and mitigate risks
in the context of available technologies and their relative
total costs and effects on the program being analyzed. The
assessment also should be used to develop baselines and verifiable
performance measures that track the agency's mission, strategic
plans, and performance objectives. Agencies must strike a
balance, recognizing that achieving absolute security is likely
to be in most cases highly improbable and prohibitively expensive.
The identity of participants to a transaction may not need
to be authenticated. If authentication is required, several
options are available. An ID and password may be sufficient
for a web-based transaction; however, the user login session
should then be encrypted using SSL.
Digital signatures/certificates may offer increased security
(positive ID); however, this will vary depending on
(1) who issues the certificates;
(2) what is the identity-proofing process (e.g., are you
using Social Security Number, photo IDs, biometrics); and
(3) is the certificate issued remotely via software or
mail, or is "in person" identification required?
In determining whether an electronic signature is required
or is sufficiently reliable for a particular purpose, agencies
should consider the relationships between the parties, the
value of the transaction, and the likely need for accessible,
persuasive information regarding the transaction at some later
date (e.g., audit or legal evidence). The types of transactions
may require different security control measures, based on
security risks and legal obligations:
(1) Transactions involving the transfer of funds.
(2) Transactions where the parties commit to actions or
contracts that may give rise to financial or legal liability.
(3) Transactions involving information protected under
state or federal law or other agency-specific statutes obliging
that access to the information be restricted.
(4) Transactions where the party is fulfilling a legal
responsibility which, if not performed, creates a legal
liability (criminal or civil).
(5) Transactions where no funds are transferred, no financial
or legal liability is involved and no privacy or confidentiality
issues are involved.
Agency transactions fall into five general categories, each
of which may be vulnerable to different security risks:
(1) Intra-agency transactions.
(2) Inter-agency transactions (i.e., those between state
agencies).
(3) Transactions between a state agency and federal or
local government agencies.
(4) Transactions between a state agency and a private organization
- contractor, non-profit organization, or other entity.
(5) Transactions between an agency and a member of the
general public.
Agencies should follow several privacy tenets:
(1) Electronic authentication should only be required where
needed. Many transactions do not need, and should not require,
detailed information about the individual.
(2) When electronic authentication is required for a transaction,
do not collect more information from the user than is required
for the application.
(3) Users should be able to decide the scope of their electronic
means of authentication.
Technologies & Methods:
The key to protecting information on the Internet is encryption.
The type of encryption used will depend on what information
is being exchanged and how. Filling in a form on a web site
may not require security; however, if the form requests any
personal information, or the user is accessing a specific
application that requires a user ID and password, then the
session (transmission) should be encrypted.
Encryption
In January 1999, the National Institute of Standards and
Technology (NIST) published a Federal Register notice announcing
the new Draft of Federal Information Processing Standard (FIPS)
46-3, Data Encryption Standard. The Data Encryption Standard
(DES) provides specifications for the Data Encryption Algorithm
used for the protection of sensitive information. FIPS 46-3
will provide for the use of Triple DES as specified in the
American National Standards Institute (ANSI) X9.52 standard.
The NIST is developing an Advanced Encryption Standard (AES)
for protecting sensitive government information. The AES is
not expected to be a fully developed FIPS for several years.
Additional information on the NIST's initiative to develop
the AES is available at http://www.nist.gov/aes.
In January 1999, Distributed.Net, a worldwide coalition of
computer enthusiasts, worked with the Electronic Frontier
Foundation's (EFF) "Deep Crack," a specially designed supercomputer,
and a worldwide network of nearly 100,000 PCs on the Internet,
to win the RSA DES Challenge III in 22 hours and 15 minutes.
The worldwide computing team deciphered a secret message encrypted
with the United States government's Data Encryption Standard
(DES) algorithm using commonly available technology. In February
1999, the NIST indicated that it could no longer support the
use of the DES for many applications.
A key issue in using encryption is the key length used in
the specific application and how it is used. Security has
two primary concerns: security of information maintained on
a system, and security of information being transmitted (exchanged)
between two locations. The exchange of information and the level
of protection will depend on the type of information. Filling
in a form on a web site may not require security; however,
if the form requests any personal information, then the session
(transmission) should be encrypted. The same applies to
a user accessing a specific application that requires a user
ID and password.
Secure Sockets Layer
The most common form of securing this type of transmission
is to use the Secure Sockets Layer (SSL) session. The SSL
protocol includes provisions for server authentication (verifying
the server's identity to the client), and version 3 allows
server to server authentication. Currently two levels of security
are available for the transmission of information using 40
or 128 bit encryption keys. Depending on the application,
government entities should plan on using 128 bit encryption
and/or provide a warning to the user if they elect to provide
information using only 40 bit encryption. Additional information
on SSL can be found at the following:
W3C site at http://www.w3.org/Security/faq/wwwsf3.html
Netscape at
http://home.netscape.com/products/security/ssl/index.html
RSA site at http://www.rsa.com/standards/protocols/ssl_tls.html
Securing files and other forms of information (e.g., certificates
used for signing or encrypting) should use stronger (longer)
encryption keys. Triple DES uses 168 bit keys and the general
recommendation for certificates is 1024 bit keys. Additional
information addressing the development of a Public Key Infrastructure
(PKI) to support secure transactions between government entities
and the public can be found at the Federal PKI Steering Committee
site at http://gits-sec.treas.gov
or the Federal PKI Steering Committee Technical Working Group
site at http://csrc.nist.gov/pki/twg/welcome.html.
Secure Multipurpose Internet Mail Extensions (S/MIME)
S/MIME is an Internet suite of standards for the secure exchange
of electronic messages and provides privacy and authenticity.
S/MIME uses public-key encryption technology to protect messages
from unauthorized interception and forgery. While SSL secures
a transaction between a user and a web site over the Internet,
S/MIME is used to secure messages between users, applications,
and computers. The primary technology supporting public-key
encryption is digital signatures and certificates.
Digital Signature/Certificate technology
The federal government defines "electronic signature" as
"a method of signing an electronic message that" --
(A) identifies and authenticates a particular person as
the source of the electronic message; and
(B) indicates such person's approval of the information
contained in the electronic message. (GPEA, section 1709(1)).
The term "signature" has long been understood as including
"any symbol executed or adopted by a party with present intention
to authenticate a writing." (Uniform Commercial Code, 1-201(39)(1970)).
These flexible definitions permit the use of different electronic
signature technologies, such as digital signatures, digitized
signatures or biometrics. The Texas state laws are technology
neutral; however, the technologies for digitized signatures or
biometrics are for the most part vendor specific, and may
not scale to meet local, state and federal application requirements.
The primary focus at this time is on using digital signatures
as part of a public key infrastructure initiative. Additional
information addressing the development of a Public Key Infrastructure
(PKI) to support secure transactions between government entities
and the public can be found at the Federal PKI Steering Committee
site at http://gits-sec.treas.gov
or the Federal PKI Steering Committee Technical Working Group
site at http://csrc.nist.gov/pki/twg/welcome.html.
The National Institute of Standards and Technology (NIST)
is taking a leadership role in the development of a Federal
Public Key Infrastructure that supports digital signatures
and other public key-enabled security services. The NIST has
several initiatives that agencies should review:
- Modeling of PKI Architectures
- Interoperability Testbed
The NIST Special Publication 800-15, Minimum Interoperability
Specifications for PKI Components, and other documents are
available at http://csrc.nist.gov/pki/documents/welcome.html,
and a draft protection profile for PKI certificate and issuing
components is available at http://csrc.nist.gov/pki/documents/cimcppJuly7.pdf.
Federal Information Processing Standard (FIPS) 199 - Standards
for Security Categorization of Federal Information and Information
Systems; FIPS 140-2 - Security Requirements for Cryptographic
Modules; and FIPS 197 - Advanced Encryption Standard form
the basic toolkit addressing:
- Encryption
- Modes of Operation
- Digital Signatures
- Secure Hashing
- Key Management
- Random Number Generation
- Message Authentication
- Entity Authentication
- Password Usage and Generation
Additional information and resources may be found at http://csrc.nist.gov/CryptoToolkit/aes/
Records Retention
One of the key provisions of E-SIGN is the requirement for
the electronic record being retained and accurately reproduced
for later reference. This does not prevent the agency from
printing a copy of the record to meet the retention requirement.
The National Archives and Records Administration (NARA)
published a policy that lets federal agencies delete electronic
records if paper copies have been made for permanent storage.
In May 2000, the Supreme Court declined to hear a case that
would have required the retention of the electronic copy of
all records. The Records Management Interagency Coordinating
Council (RMICC) has direct authority over policy affecting
Texas state government's management of its records. The Texas
State Records Retention Schedule is available at
http://www.tsl.state.tx.us/slrm/recordspubs/rrs2.html.
The Texas State Library and Archives Commission provides a
page with links to resources to web sites of interest to the
government records management community at http://www.tsl.state.tx.us/slrm/resources/index.html.
When agencies evaluate the retention requirements for specific
records, they should consider the following if the record
was signed with an electronic signature:
- Low risk - Simple electronic signature (e.g., typed name
on an e-mail message)
- High risk - Digitally-signed communication: a message
that has been processed by a computer in such a manner that
ties the message to the individual that signed it.
The digital signature must be linked to the message or
document in such a way that it would be computationally
infeasible to change the data in the message or the digital
signature without invalidating the digital signature.
If the record contains a digital signature, the following
additional documents may be required:
- A copy of the Public Key
- A copy of the Certificate Revocation List (CRL) showing
the validity period of the certificate or a copy of the
On-line Certificate Status Protocol (OCSP) results.
- Certification Practice Statement (CPS)
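The two retention points above (a digital signature that is computationally infeasible to separate from its record, and a copy of the public key kept with the record so the signature can be re-verified later) can be shown in working code. The following Go program is an added example; it is not part of the DIR publication or of any Texas agency system. It assumes RSA with SHA-256 and RSASSA-PKCS1-v1_5 padding (the publication names no algorithm, so this is an assumption) and a 2048-bit key, which exceeds the 1024-bit certificate key size the publication recommends. The record text and the names GenerateSignerKey, SignRecord and RetentionPackage are constructed for the example. CRL or OCSP results and the CPS come from the certificate authority rather than from the signer, so they are not produced here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// RetentionPackage bundles what the guidelines list for a digitally signed
// record: the record, its signature and a copy of the signer's public key.
// CRL/OCSP results and the CPS are obtained from the certificate authority
// and are outside this example.
type RetentionPackage struct {
	Record    []byte
	Signature []byte
	PublicKey []byte // PEM-encoded PKIX (SubjectPublicKeyInfo) public key
}

// MinKeyBits is the certificate key size the guidelines recommend.
const MinKeyBits = 1024

// GenerateSignerKey creates the signer's RSA key pair. Hypothetical helper
// for the example; in practice the key lives in the signer's PKI environment.
func GenerateSignerKey(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// SignRecord signs the SHA-256 digest of record with RSASSA-PKCS1-v1_5
// (an assumed algorithm choice) and packages the pieces an auditor needs.
func SignRecord(priv *rsa.PrivateKey, record []byte) (*RetentionPackage, error) {
	digest := sha256.Sum256(record)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, err
	}
	pemKey := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
	return &RetentionPackage{
		Record:    append([]byte(nil), record...),
		Signature: sig,
		PublicKey: pemKey,
	}, nil
}

// Verify re-checks the signature using nothing but the package contents,
// which is all a later auditor has. Any change to the record or to the
// signature makes it return an error.
func (p *RetentionPackage) Verify() error {
	block, _ := pem.Decode(p.PublicKey)
	if block == nil || block.Type != "PUBLIC KEY" {
		return errors.New("retention package: public key is not a PEM PUBLIC KEY block")
	}
	pubAny, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return err
	}
	pub, ok := pubAny.(*rsa.PublicKey)
	if !ok {
		return errors.New("retention package: public key is not RSA")
	}
	if pub.N.BitLen() < MinKeyBits {
		return fmt.Errorf("retention package: %d-bit key is below the %d-bit minimum",
			pub.N.BitLen(), MinKeyBits)
	}
	digest := sha256.Sum256(p.Record)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], p.Signature)
}

func main() {
	priv, err := GenerateSignerKey(2048)
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not a real filing.
	pkg, err := SignRecord(priv, []byte("Permit application 2003-0001 submitted by J. Doe"))
	if err != nil {
		panic(err)
	}
	fmt.Println("original record verifies:", pkg.Verify() == nil)

	// Alter one character of the retained record and re-verify.
	tampered := *pkg
	tampered.Record = []byte("Permit application 2003-0001 submitted by J. Dow")
	fmt.Println("altered record verifies:", tampered.Verify() == nil)
}
```

Verify deliberately takes nothing from outside the package, because years later the auditor will have only what was retained. Changing one byte of the record or one byte of the signature makes verification fail, which is the property the high-risk category above relies on; the key-size check enforces the 1024-bit minimum at verification time as well.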
Summary
All government entities should evaluate the need to collect
information about visitors to web sites, and post a privacy
policy that informs visitors about the collection and use
of that information. Organizations that outsource the operation
of a web site and specifically the collection of fees, should
include privacy policy requirements, and may consider requiring
that the vendor provide a branded site under one of the three
programs identified above. Any government site that requires users
to enter sensitive information should provide a secure environment
equal to the type of information.
The process which agencies employ to evaluate authentication
mechanisms for electronic transactions and documents should
address the following:
1. Examine the current business process that is being converted
to employ electronic transactions, identifying the existing
risks associated with fraud, error or misuse, as well as
customer needs and demands.
2. Consider what risks may arise from the use of electronic
transactions or documents. This evaluation should take into
account the relationships of the parties, the value of the
transactions and future access requirements (e.g., audit),
and what are the benefits that accrue from the use of electronic
transactions.
3. Consult with counsel about any specific legal implications
about the use of electronic transactions in the particular
application.
4. Evaluate how each electronic signature alternative may
minimize risk compared to the costs incurred in adopting
an alternative.
5. Determine whether any electronic signature alternative
in conjunction with appropriate process controls represents
a practicable trade-off between cost and risk on the one
hand, and benefits on the other. If so, determine, to the
extent possible at the time, which signature alternative
is the best one. Document this determination to allow later
evaluation and audit.
6. Develop plans for retaining and disposing of information,
ensuring that it can be made continuously available to those
who will need it, for managerial control of sensitive data
and accommodating changes in staffing, and for ensuring
adherence to these plans.
7. Develop plans for seeking the continuing input of technology
experts for updates on the changing state of technology
and the continuing advice of legal counsel for updates on
the changing state of the law in these areas. Integrate
these plans into the agency's strategic IT planning and
perform periodic review and re-evaluation, as appropriate.
Additional Resources
Drafts and Final Uniform and Model Acts - NCCUSL University
of Pennsylvania Web Site at http://www.law.upenn.edu/bll/ulc/ulc.htm.
The NIST is drafting a new Federal Information Processing
Standard (FIPS) 199, Standards for Security Categorization
of Federal Information and Information Systems, that is required
for the OMB/GSA "four levels of identity." The current
proposal would identify the following requirements:
Level 1 - Minimal Assurance - Basically for PINs, or passwords
sent without encryption - Not expected to resist eavesdroppers.
No more than 1 in 2,048 chance of an in-band attack succeeding
over the life of the password.
Level 2 - Low Assurance - Useful for routine e-commerce and
e-gov transactions. Must resist eavesdroppers and off-line
analysis of authentication protocol run. Resist replays and
no more than a 1 in 65,536 chance of an in-band attack succeeding
over the life of the password. Not required to defeat man-in-the-middle
or verifier impersonation attacks.
Level 3 - Substantial Assurance - Useful for e-commerce and
e-gov transactions of substantial value. Must resist eavesdroppers
and off-line analysis of authentication protocol run. Resist
replays and man-in-the-middle, or verifier impersonation attacks.
No more than a 1 in 1,000,000 chance of an in-band attack succeeding
over the life of the password.
Level 4 - High Assurance - Can only be achieved by the use
of PKI based technologies, not passwords.
The current version of the draft is available at http://csrc.nist.gov/publications.
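The probability thresholds in Levels 1 through 3 above can be turned into a check that an agency could run against a proposed password policy before claiming a level. The following Go program is an added example; it is not part of the DIR publication or of the NIST draft it summarizes. It assumes a simplified model: the attacker's only avenue is on-line guessing, the number of guesses available over the password's life is the lockout limit times the number of lockout windows in that life, and the password is chosen uniformly at random from its alphabet (user-chosen passwords are weaker, so the result is the best level a policy can claim, not a guarantee). It evaluates only the guessing-probability criterion; the eavesdropper, replay and man-in-the-middle requirements of Levels 2 and 3 are protocol properties that have to be checked separately. The names GuessSuccessProbability, LifetimeGuesses and PasswordAssuranceLevel, and the sample policies, are constructed for the example.

```go
package main

import (
	"fmt"
	"math"
)

// Maximum acceptable probability, per level, that an in-band attack
// succeeds over the life of the password, taken from the draft levels
// quoted above. Level 4 is omitted because passwords cannot meet it.
var levelThresholds = []struct {
	level int
	oneIn float64 // probability must be no more than 1 in oneIn
}{
	{3, 1000000},
	{2, 65536},
	{1, 2048},
}

// LifetimeGuesses converts a lockout policy into the number of on-line
// guesses an attacker can make over the password's lifetime:
// attemptsPerWindow guesses per lockout window of windowHours, with the
// password replaced after lifetimeDays. (Simplified model; assumption.)
func LifetimeGuesses(attemptsPerWindow int, windowHours, lifetimeDays float64) float64 {
	windows := math.Ceil(lifetimeDays * 24 / windowHours)
	return float64(attemptsPerWindow) * windows
}

// GuessSuccessProbability is guesses / keyspace for a password of the given
// length drawn uniformly from alphabetSize symbols (assumption: uniformly
// random passwords), capped at 1.
func GuessSuccessProbability(alphabetSize, length int, guesses float64) float64 {
	keyspace := math.Pow(float64(alphabetSize), float64(length))
	p := guesses / keyspace
	if p > 1 {
		return 1
	}
	return p
}

// PasswordAssuranceLevel returns the highest level (1-3) whose threshold
// the success probability satisfies, or 0 if even Level 1 is not met.
func PasswordAssuranceLevel(p float64) int {
	for _, t := range levelThresholds {
		if p <= 1/t.oneIn {
			return t.level
		}
	}
	return 0
}

func main() {
	// Constructed sample policies, not recommendations.
	policies := []struct {
		name                 string
		alphabetSize, length int
		guesses              float64
	}{
		{"4-digit PIN, 3 attempts total (no reset)", 10, 4, 3},
		{"4-digit PIN, 3 attempts/day for 90 days", 10, 4, LifetimeGuesses(3, 24, 90)},
		{"6 lowercase letters, 10 attempts/hour for 1 year", 26, 6, LifetimeGuesses(10, 1, 365)},
		{"8 alphanumerics, 5 attempts/hour for 90 days", 62, 8, LifetimeGuesses(5, 1, 90)},
	}
	for _, pol := range policies {
		p := GuessSuccessProbability(pol.alphabetSize, pol.length, pol.guesses)
		fmt.Printf("%-50s p=%.2e (1 in %.0f) -> Level %d\n",
			pol.name, p, 1/p, PasswordAssuranceLevel(p))
	}
}
```

The sample policies show the point the levels make: a 4-digit PIN reaches Level 1 only if the three permitted guesses never reset, and the same PIN with a daily reset over 90 days meets no level at all, while a short lowercase password with an hourly lockout still stops at Level 1 because the lifetime guess budget, not the per-window limit, is what the threshold measures.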
Address questions about the Texas Information Technology
Standards Web pages to:
DIR Standards and Architecture