Our experience has shown us that typical privacy impact assessment frameworks are not ideal for assessing Identity and Access Management systems. We present a new assessment model that draws on authoritative standards to establish concrete evaluation criteria for identity management and operational risk as well as privacy policies.

Many corporations want to review Identity and Access Management (IAM) systems from a privacy perspective. In doing these assessments, it quickly became clear to us that commonly used methodologies based on ten internationally recognized privacy principles (found in legislation including Canada’s Personal Information Protection and Electronic Documents Act – PIPEDA) did not work well for assessing IAM. In each case, almost all of the privacy issues identified were related to a single principle: “Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.” Since this principle does not specify necessary safeguards, our recommendations had to be based entirely on our professional judgment and experience.

What we realized through these experiences is that broad privacy principles alone are not an adequate framework for assessing IAM systems. The implementation of privacy principles rests on effective technical standards, policies, governance, and operational practices. To assess privacy properly, we needed the capacity to measure and evaluate these foundations.

For our latest IAM assessment, we developed a new model that assesses privacy, as well as two areas essential to IAM privacy implementation: identity management standards and operational risk. The difference from previous assessments was decisive: the risks identified were logically categorized and the model provided clear recommendations for improvement. Integrating established standards for identity management and operational risk into our assessment model enabled us to provide the concrete, authoritative feedback our client was seeking.

Identity Management Standards

To evaluate identity management standards, we adopted the International Organization for Standardization’s (ISO) security standard for identity management. The ISO standard defines the fundamental concepts and operational structure of identity management in order to support the development of information systems that fulfill business, contractual, regulatory, and legal obligations. With the aim of promoting a common understanding of identity management, the standard provides a framework for the issuance, administration, and use of identity data.

The ISO standard outlines definitions and requirements for aspects of identity management including:

  • IAM trust and delivery models
  • Managing identity information and attributes
  • Enrolling, activating, updating, suspending, or archiving user profiles
  • Policies for verifying identity information
  • Levels of identity assurance

Operational Risk

Operational risk is the risk associated with the everyday activities of an organization. It is managed through performance management of an organization’s processes, staff, and systems. In the context of an IAM system, operational risks may pertain to system support, IT controls, auditing and monitoring, or staff communication, among other areas. Questions explored in relation to operational risk include:

  • What are the risks to the system and what would the consequences be if they materialized?
  • What is the appropriate response to these risks?
  • What would be the quantifiable impact if these risks materialized?


To evaluate privacy, we assess the degree to which the IAM system aligns with PIPEDA’s ten privacy principles. In evaluating an IAM system, we attend specifically to policies related to collection, use, retention and disclosure of identity information, as well as processes for validating identity information.

Benefits of the IAM as a Service Assessment Model

Our experience has made it clear to us that assessing Identity and Access Management from a privacy perspective is not just about privacy policy. By utilizing an assessment model of IAM as a service – that is, by examining technical and operational areas in addition to privacy policies – we were able to help our client to establish clear priorities for the development of their service. As compared to previous assessments, our model consolidated identified risks and categorized them in a more useful manner. Founding our model on established standards enabled us to provide our client with specific recommendations based on validated references. Our broader assessment model helped us to show our client the full picture of their IAM system: not only their policies for how privacy is supposed to be protected, but also how these policies are actually being supported by technologies and operations – and how these foundational systems can be changed to support privacy better.

Viewers are also reading:

Risk: From overhead to an investment – how to change approach
Health App Store: Canada’s disruptive opportunity
Five Key Big Data Privacy and Information Protection Challenges


Office of the Privacy Commissioner of Canada, 2011. Legal Information Related to PIPEDA: Privacy Principles.

International Organization for Standardization, 2011. Information technology – Security techniques – A framework for identity management.

Senior Editor: Esther Townshend
Photo Credit: landofthefae.blogspot.com
Copyright: All rights reserved , © Waël Hassan

About the Author:

Waël Hassan, PhD, is the lead writer of Transigram, an online monthly magazine. Transigram explores legislative and regulatory changes, new technologies, and the needs and challenges of data custodians. It also provides insight into the development of our approaches to open data access strategies and models. Transigram offers summaries, analyses, insights, and commentaries on business transformation in the areas of Governance, Risk & Compliance, Project & Portfolio Management, IT Strategy & Operations, and Technological Tool Management.

Please join one Waël Hassan’s LinkedIn groups:


%d bloggers like this: