Assurance Review Board Charter


Group: Assurance Review Board (ARB)

Date: July 23, 2009

1. Description & Constitution

The Assurance Review Board (ARB) is the operational authoritative body of the Kantara Identity Assurance Framework Assurance Assessment Scheme (AAS) certification program. It shall have delegated authority from the Kantara Initiative Board of Trustees (KIBoT) to undertake assessments of all types of applications for a Grant of Rights of Use of the Kantara Initiative Assurance Mark and shall make recommendations to the KIBoT for the award or denial of such Grants.

The ARB is chartered to:

  • A. Provide oversight of the entire AAS; and
  • B. Review applications using the appropriate review guidelines, as set forth in the latest published AAS documents.

1.1 Membership

Voting Membership of the ARB is by appointment of the Kantara Initiative Board of Trustees and should consist of members representing the following communities:

  • A. Credential Service Provider (CSP);
  • B. Relying Party (RP);
  • C. Auditor;
  • D. Federation Operator; and
  • E. Interested Party.

ARB members must have at least participant status within the Kantara Initiative.

In addition the Membership may include a non-voting Subject Matter Expert, as deemed necessary, to advise on and support assessments and interpretation and understanding of the AAS.

1.2 Selection of a Chairman

The chair of the ARB shall be selected by a process defined by the KIBoT.

2. Duties

To assess applications for Grants of Rights of Use of the Kantara Initiative Assurance Mark and to handle renewals, revocations and any appeals thereof.

When assessing applications, the ARB will:

  • A. Work closely with the Program Management Office (PMO) to communicate with applicants throughout the assessment process;
  • B. Create a plan for review, potentially dividing up areas of responsibility within the committee, and a timeline for completion (must be within one month of receiving the application). Review of applications shall follow the processes defined in the AAS in the context of the IAF Glossary and Assurance Levels;
  • C. Present written recommendations for Grants of Rights of Use to the KIBoT (to: grant unconditionally; grant conditionally, meaning the application will be reviewed in no less than 6 months; or deny, with justification); and
  • D. In the case of an appeal against the denial or qualification of an application:
    • I) For recommendations originating with the ARB: serve with three additional ad hoc members, within two weeks of the appeal being filed, to review the recommendation and make a final determination; and
    • II) For recommendations originating with a Service Approval Authority: appeal to be reviewed by the ARB to make a final determination.

In addition to processing applications, and on an ongoing basis, the ARB shall:

  • E. Conduct annual reviews of grants awarded, working from the report submitted by the PMO (confirmed by the applicant); any change in approval status will be confirmed through the KIBoT;
  • F. Work to resolve any complaints or concerns submitted about grantees in order to maintain integrity of the program; and
  • G. Provide overall program guidance and oversight.

In terms of confidentiality and disclosures, the ARB shall:

  • H. Maintain strict confidentiality throughout the assessment process – before, during and after; and
  • I. Be subject to any NDA procedures as required by the KIBoT.

Any conflict of interest must be disclosed and parties involved should recuse themselves from the affected vote.

3. Criteria for Success

The ARB shall be deemed to be effective in its operations when each of the following goals is consistently achieved:

  • A. Credible assessment of applications, renewals and appeals;
  • B. Marketplace recognition of the value of the Kantara Initiative Assurance Mark;
  • C. Marketplace demand for assessments bearing the Kantara Initiative Assurance Mark;
  • D. Professional and reasonable resolution of assessment issues, in compliance with timeframes outlined in the AAS; and
  • E. Confidentiality maintained throughout the process.

4. Duration

The ARB exists at the discretion of the KIBoT. In the event that a member of the ARB needs to resign their seat, they shall submit their resignation 60 days prior to the need to cease performing responsibilities.

5. Schedule and Deliverables

The ARB will monitor ongoing certification activities as well as the overall certification program. Activities, output and deliverables will be ongoing.

6. Resource Requirements

The ARB requires the following support from the Kantara Initiative:

  • A. Access to the KIBoT for its receipt of certification recommendations and their timely processing;
  • B. Secure, restricted and segregated access storage of certification applications, supporting documentation, and correspondence with applicants that is isolated from the general member area;
  • C. Access to the web-based applications as well as associated applications and IAF documentation;
  • D. Conference call facilities; and
  • E. Program Management Office logistics and administrative support.

ARB members shall:

  • F. Participate in meetings, teleconferences, and e-mail discussions;
  • G. Cover their own costs incurred as a result of participation; and
  • H. Attend and monitor any on-site review visits as required to confirm conformance as declared in applications.

7. Coordination with other Kantara Initiative activities

The ARB will coordinate with the Identity Assurance Work Group and other groups as deemed reasonable, as required by email and conference call, as well as the Kantara Initiative Board of Trustees and, as certification types demand, certified assessors, federation operators, and service approval authorities.

The ARB shall follow the processes and guidance of the latest published AAS and its associated documents, which are maintained by the Identity Assurance Work Group. It shall interpret and apply the AAS processes and guidance to the best of its collective understanding, knowledge and experience. In the event that clarification is required the ARB shall refer to the Identity Assurance Work Group to request clarification of interpretation or omission, and shall act according to the IAWG’s response.

8. Document Dependencies

The ARB has an explicit dependency on the following:

  • A. The Assurance Accreditation Scheme (AAS) plus all of its supporting documents and forms identified therein;
  • B. The IAF Glossary; and
  • C. The IAF Levels of Assurance.

9. Group Meetings

Members will communicate mainly through electronic mail utilizing the mailing list and regular conference calls as necessitated. Face-to-face meetings will take place in conjunction with regularly scheduled Kantara Initiative meetings as required. Telephone conference calls will also be arranged as needed. If there is no need, both conference calls and face-to-face meetings may be cancelled with the support of a majority of the Assurance Review Board.

10. Voting Requirements

The following voting rules shall apply to decisions of the ARB:

  • A. Recommendations for accreditation, certification, etc., shall require a Supermajority of all voting members; and
  • B. For other types of decisions, the group shall use Simple Majority quorum rules.

11. Communication Policy in Group

Communication is conducted mainly through electronic mail utilizing the mailing lists and through conference calls. ARB voting may be conducted through email or through telephone communications as determined most appropriate.

ARB members will be required to attend conference calls before, during and after certification program reviews as needed. ARB members will be required to be available with a reasonable response time via email and/or telephone during certification testing events.

 