If a highly trustworthy technology produces a card that is issued through a process with weak identity verification, what use is the advanced technology? The card could be issued to the wrong person. This is a situation that the FIPS 201 Personal Identity Verification (PIV) requirements address, and they do so by defining requirements (including roles and responsibilities) for three key processes:
- identity proofing and registration;
- card issuance and maintenance; and
- access control.
An excellent introduction to these processes and other aspects of PIV requirements is found in a white paper produced by CoreStreet, "Important FIPS 201 Deployment Considerations," which you can download from: http://tinyurl.com/FIPS-201-Key-Considerations. Note that card "personalization" (a term used in the white paper) refers to the process of printing the photo and other information on the smart card, and encoding electronic information specific to the cardholder.
If you are not familiar with the specifics of FIPS 201 and Personal Identity Verification, the white paper is a good place to start. Follow that up by identifying relevant information from the Smart Card Alliance website. This information can help get corporate security and IT security walking down the same path.
Ray Bernard, PSP, CHS-III is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services. Mr. Bernard has also provided pivotal strategic and technical advice in the security and building automation industries for more than 23 years. He is founder and publisher of The Security Minute 60-second newsletter (www.TheSecurityMinute.com). For more information about Ray Bernard and RBCS go to www.go-rbcs.com or call 949-831-6788. Mr. Bernard is also a member of the Subject Matter Expert Faculty of the Security Executive Council (www.SecurityExecutiveCouncil.com).