Reviews the governance components required to successfully implement and maintain an e-government strategy:
* Identity data governance
* Identity infrastructure governance
* Laws and regulations governance
2. This Deck…
• Reviews the governance components required to
successfully implement and maintain an
e-government strategy:
– Identity data governance
– Identity infrastructure governance
– Laws and regulations governance
• So who am I?
3. Guy Huntington
Guy Huntington is a very
experienced identity
architect, program and
project manager who has led,
as well as rescued, many
large Fortune 500 identity
projects including Boeing and
Capital One. He recently
completed being the identity
architect for the Government
of Alberta’s Digital Citizen
Identity and Authentication
program.
4. Identity Governance
• Many people don’t understand the governance
requirements to successfully implement and
maintain an e-government strategy
• There are several components:
– Identity data governance
– Identity infrastructure governance
– Laws and regulations governance
• Let’s start with identity data…
5. National Citizen Identity Lifecycle
[Diagram: each of the following identity events is shown on the left with its own Authoritative Source and Business Processes, alongside the Citizen Tombstone Identity Directory]
– Birth
– Name Change
– Gender Change
– Death
– Address Change
– Tel. Number Change
– Parent/Guardian Change
– Marriage
– Divorce
6. Who Has Legal Responsibility?
• For each piece of identity data on the left-hand side of
the previous screen, what government ministry is
legally responsible for the data?
• There are some new identity challenges that need to
be addressed:
– When a biometric is obtained from a person (e.g. infant,
child or adult) which ministry is ultimately responsible for
the biometric?
– For parents/legal guardians, which ministry is legally
responsible for establishing this relationship?
– For citizen addresses and phone numbers, is there one
ministry who will be legally responsible for the collection
and management of this?
7. Legal Vs. Operational Responsibility
• Once the legal governance for each piece of identity data
is determined, then there needs to be a determination of
who is operationally responsible for the collection of it
• This is the second column in the previous diagram, i.e.
business processes
• Here’s a hypothetical example:
– When a student goes to school for their first day, they will
provide a face and voice print biometric
• The school district, or a specialized identity team, might be the people
who actually collect the biometrics
• HOWEVER, the ministry legally responsible for the biometric will likely
not be the Education Ministry
• So regulations and standards need to be created and then
audited for the operational governance of each piece of
identity data
8. Shared Services
• About 20 years ago, when large global
enterprises began to digitize themselves and
centralize operations, it became apparent there
was a need for a shared services group to
collectively manage IT infrastructure
• Governments began to adopt this too
• There needs to be a legal act and regulations
regarding the formation of such an entity
9. Identity Infrastructure et al
• Shared Services are usually the group who is
responsible for the operational management of the
identity infrastructure
– This includes data centres, clouds, operational data, high
availability, etc.
– It may or may not include the security management
• Note that the Shared Services group only has
operational responsibility and not legal ownership
for each of the underlying identity data components
– The legal ownership remains with the ministry
responsible for each piece of identity data
10. BUT Sometimes Shared Services
Is Legally Responsible…
• Sometimes, the shared services group also looks
after things like identity phone numbers and
addresses, since there usually isn’t one ministry
assigned to this
• At the last government client I worked with, their
shared services ministry not only managed the
identity infrastructure but also was responsible
for the centralized citizen telephone numbers
and address collection and management
– Citizens would go to one place online to change their
addresses and phone numbers
11. Government Identity Steering Committee
• Many enterprises deploying global identity
strategies quickly come to the realization that
identity crosses all the enterprise administration
silos
– It’s thus not only operationally very important, BUT
also politically important
• It is not uncommon in large enterprises for them
to form an identity steering committee to oversee
identity infrastructure, identity investments, etc.
12. Laws and Regulations
• If one examines governments who have already
successfully deployed national e-identity programs,
like Estonia, one finds that a major component of doing
this is creating and/or changing laws and regulations
• The use of things like digital signatures, digital data
retention, biometrics et al require well thought out
acts and regulations
• So your government will have to do this too
• Let’s take a quick look at some of the laws that
Estonia brought into being…
13. Legal Framework
• Digital Signatures Act -
https://www.riigiteataja.ee/en/eli/508072014007/consolide
• Public Information Act -
https://www.riigiteataja.ee/en/eli/522122014002/consolide
• Personal Data Protection Act -
https://www.riigiteataja.ee/en/eli/529012015008/consolide
• Act on Intellectual Property
• Uniform Bases for Document Management Procedures -
https://www.riigiteataja.ee/akt/119062012007
• Archives Act - https://www.riigiteataja.ee/akt/112072014028
• Principles of Estonian Information Policy (1998, 2004)
• Action Plan of Estonian Information Policy – (eEstonia) (1998,
1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006...)
• http://egov2.eu/knowledge-base/an-overview-of-estonian-e%E2%80%91government-development-and-projects/
14. Identity and Credential Assurance
• Your government will have to create two standards: identity
and credential assurance
• Identity assurance covers what documents and biometrics are
allowable under what type of conditions to establish an
identity
• Credential assurance covers what type of credential is
allowable for certain types of risk
• There will have to be memorandums of understanding
between the national government and local state and
municipalities as well as crown corporations
• These documents will also likely be legally referred to in
federation agreements with third parties
• As your country begins to work with other countries on
recognizing national identities and verification, these
documents must then become part of such agreements
15. Federation Agreements
• Your government’s e-identity strategy will also
require the national identity and authentication
service to work with third parties like banks,
telcos, insurance companies, etc.
• Each of these parties will have to sign a
federation agreement with the government
• This covers many things like identity and
credential assurance, liability, responsibility for
when a session is dropped part way through, etc.
16. Governance Challenges
• Creating, implementing and sustaining an
e-identity strategy IS VERY CHALLENGING because:
– Crosses over all ministry silos
– Extremely public facing
– Literally many thousands of decisions to be made as
the systems are all interconnected
– The system is prone to attack from organized crime
and foreign intelligence agencies
– Large budgets and time cycles involved
17. Strong, Sustained Leadership
• Therefore, from the top of your government on
down, all must not only be aware but also take a
strong, sustained leadership role
• It’s when times get tough, like a denial of service
attack, etc. that the top leaders have to be there
to calm the public and ensure the system will be
properly maintained
18. There’s A Lot To Governance
• It has been my own past experience that most
enterprises commencing large, global, identity
programs don’t understand the implications of
governance
• It’s usually tacked on towards the end of the
project
• THIS IS A BIG MISTAKE since many projects go
over time and budgets as they finally realize
governance is complex and must be addressed
19. Governance Should Be Addressed First
• At the very least, governance should be one of
the main project tracks
• Many different government governance
initiatives must be launched in parallel to the
business process and technical activities of the
teams
• Governance work takes time – so plan for it
• If you do this, then there is an excellent chance
your identity program will roll out the door on
time and on budget
20. Changing the World a Bit
• Guy wants to change the world a bit by assisting
developing countries to leapfrog ahead of most
western societies by:
– Leveraging citizens’ use of the cell phone and their
voice to then access online government services
– Creating a new model for educating students
– Leveraging existing technology to deliver healthcare
more effectively
21. If You Thought This Is Thought Provoking
• Then please pass along a link to the presentation
to people in your country who might be
interested
• You can contact me at:
– guy@hvl.net
– 1-604-861-6804
– Via LinkedIn (https://ca.linkedin.com/in/ghuntington)
• Thanks for your time!