N.Y. technology office issues identity management guidelines

Find opportunities — and win them.

The New York State Office for Technology has issued a best practices guideline to help state agencies and local governments manage employee and citizen access to online applications and transactions.

The New York State Office for Technology has issued a best practices guideline to help state agencies and local governments manage employee and citizen access to online applications and transactions.

The NYS Trust Model establishes basic standards and processes that will govern the way identity credentials are managed and is intended to serve as a foundation for future identity and access management policies.

The guidelines, which were a collaborative effort by New York Chief Information Officer Michael Mittleman and the New York State CIO Council, were issued to address the need for better information security.

The guidelines are part of a larger governance framework that is still evolving, Mittleman told Washington Technology. The governance model, when completed, will address such issues as compliance review and dispute resolution.

The state's computer systems are used daily by a wide variety of people, including citizens and business partners, across various agencies and geographical areas, the New York Office for Technology said in a statement announcing the trust model. The statement noted that citizens and businesses currently are able to conduct 350 different online transactions, with more transactions to be added in the future.

The Empire State's trust model is based heavily on the efforts of the National Institute of Standards and Technology and the U.S. Office of Management and Budget, Mittleman said.

To private sector technology companies, "the guidelines should indicate how New York state agencies will be thinking about identity vetting, data classification and authentication in a federated environment," he said.

"The guidelines suggest some of the capabilities that the state will expect to put in place as part of a federated [identity access management], and, by extension, capabilities that state and local agencies might expect in their own IAM efforts," Mittleman said.