Examples on Determining the Assurance Level

Introduction

Below are some examples of how to assess the impact of the potential consequences of unauthorised authentication in order to determine the overall assurance level of a service or transaction scenario. The examples are for illustration only: the analysis results, as well as the enrolment and authentication solutions suggested, can vary with the actual situation. When businesses determine the assurance level of their business processes, they should conduct a thorough impact analysis covering a wide range of possible scenarios and factors, which vary from case to case, in order to establish the potential impacts and damages associated with those processes. In each example below, the required assurance level is the lowest level that covers the highest impact rated in any of the six aspects.

e-Newsletter (Assurance Level 1)

An online shop allows visitors and customers to register an account for receiving email newsletters that contain only promotional content intended for all customers and also published on the website of the online shop. Account registration requires no sensitive personal information, only a valid email address for receiving the newsletters. The user has to activate the account by responding to a confirmation email sent to the registered email address.

To determine the assurance level, we will have to consider the following aspects:

Potential Consequence of Unauthorised Authentication | Level of Impact | Justification
Inconvenience, distress, or damage to standing / reputation | Minimum | Email addresses may be used for registration without the consent of their owners. Although the registration is still subject to confirmation by the email owner, the owner may experience minimal inconvenience from the unsolicited confirmation emails.
Financial loss or agency liability | N/A | No financial transaction or liability is involved in the newsletter subscription service.
Harm to the organisation or public interests | N/A | No effect on the organisation's business, service delivery or the public interest is expected.
Unauthorised release of sensitive information | N/A | The subscription service involves no sensitive information, only promotional materials.
Personal safety | N/A | The subscription service poses no risk to personal safety.
Civil or criminal violations | N/A | No detection or investigation of civil or criminal violations is involved.

Required Assurance Level: Assurance Level 1

The newsletter subscription service has a "minimum" impact on "Inconvenience, distress, or damage to standing / reputation" only and no impact on the other aspects. Assurance Level 1 is therefore sufficient to cover the impacts of all aspects of the service. No specific enrolment or authentication requirement applies.

Online Tracking Service (Assurance Level 2)

A package delivery company provides an online package tracking service for customers to check the real-time status of shipments, view their billing statements and maintain their accounts, which contain information such as the user name, postal/billing address and email address.

To determine the assurance level, we will have to consider the following aspects:

Potential Consequence of Unauthorised Authentication | Level of Impact | Justification
Inconvenience, distress, or damage to standing / reputation | Moderate | A malicious actor may access the user's account and obtain or even change the account information, including the postal address. Disclosure or alteration of such information causes minor to moderate inconvenience or distress to the user.
Financial loss or agency liability | N/A | No financial transaction or liability is involved, so no unintended payment or other financial loss can result.
Harm to the organisation or public interests | N/A | Since shipment orders cannot be changed through the service, no effect on the organisation's business, service delivery or the public interest is expected.
Unauthorised release of sensitive information | Moderate | A malicious actor may compromise the system and obtain the user's account information, including the postal and email addresses. Such information can have minor to moderate impacts on the user (e.g. the mailbox being flooded with unsolicited mail).
Personal safety | N/A | The system and data involved pose no foreseeable risk to personal safety.
Civil or criminal violations | N/A | No detection or investigation of civil or criminal violations is involved.

Required Assurance Level: Assurance Level 2

The online tracking service has a "moderate" impact on "Inconvenience, distress, or damage to standing / reputation" and on "Unauthorised release of sensitive information", and no impact on the other aspects. Assurance Level 2 is recommended because it is the lowest assurance level that covers the impacts of all aspects. Customers will be required to register online by providing identity information from an authoritative source (e.g. information from the Hong Kong Identity Card) for identity proofing. Users may be asked to register with an email address and set a strong password for authenticating to the online system.

Online Medical Record System (Assurance Level 3)

A cosmetic surgery centre has an online system that allows patients to retrieve their own medical records and staff to manage those records. By logging in to the system with an assigned user account, patients can check their personal information, such as full name and contact address, as well as their medical records and appointment details. Staff can update the medical records, including past medical history (illnesses and previous surgery or operations).

To determine the assurance level, we will have to consider the following aspects:

Potential Consequence of Unauthorised Authentication | Level of Impact | Justification
Inconvenience, distress, or damage to standing / reputation | Substantial | A malicious actor may gain unauthorised access to the system and retrieve patients' medical histories. Disclosure of past cosmetic surgeries can cause substantial distress to, or damage to the reputation of, the patients.
Financial loss or agency liability | N/A | No financial transaction or liability is involved.
Harm to the organisation or public interests | N/A | No effect on the organisation's business, service delivery or the public interest is expected.
Unauthorised release of sensitive information | Substantial | Medical history is considered sensitive information, and its release has a serious impact on the patients.
Personal safety | Moderate | Unauthorised modification of past medical history could lead to medical incidents during cosmetic surgery and poses a moderate risk to the personal safety of the patients.
Civil or criminal violations | N/A | No detection or investigation of civil or criminal violations is involved.

Required Assurance Level: Assurance Level 3

Unauthorised access to the service can have a "substantial" impact on "Inconvenience, distress, or damage to standing / reputation" and "Unauthorised release of sensitive information", a "moderate" impact on "Personal safety", and no impact on the other aspects. Assurance Level 3 is the lowest assurance level that covers the impacts of all aspects. Users (patients) are required to complete account registration with identity information verified against an authoritative source. The system may be accessed through a mobile app in which the user's fingerprint unlocks a software cryptographic token held on the phone; the token, not the fingerprint itself, is then used to authenticate to the system.

Legal Practice Management System (Assurance Level 4)

A law firm uses a system to manage cases, client contacts, billing and other legal documents. It provides a portal for sharing documents with clients, sending invoices and receiving payments. The legal documents and communications between the lawyers and their clients may relate to legal advice or litigation and must be protected from disclosure under the laws of Hong Kong.

To determine the assurance level, we will have to consider the following aspects:

Potential Consequence of Unauthorised Authentication | Level of Impact | Justification
Inconvenience, distress, or damage to standing / reputation | Substantial | Any unauthorised access to the system could leak privileged information, which in turn damages the reputation of the law firm (for failing in its fiduciary duty and duty of confidentiality to its clients).
Financial loss or agency liability | Moderate | The law firm may be subject to clients' claims for any financial loss resulting from the leakage of confidential information.
Harm to the organisation or public interests | Substantial | Malicious disclosure of case records could cause serious injustice and detriment to clients in the course of legal proceedings.
Unauthorised release of sensitive information | Substantial / Severe | Any unauthorised access to the system could leak privileged case information and the personal particulars of relevant parties, including witnesses, informants and suspects.
Personal safety | Substantial / Severe | Any unauthorised access to the personal information of parties to a case, including informants and witnesses, could threaten their personal safety.
Civil or criminal violations | Severe | Malicious alteration of case records could affect legal proceedings relating to civil or criminal violations.

Required Assurance Level: Assurance Level 4

Unauthorised access to the system can result in the highest level of impact on "Personal safety", "Unauthorised release of sensitive information" and "Civil or criminal violations". Assurance Level 4, which covers the impacts of all aspects, is therefore recommended. In-person identity verification of users (staff) is required as the basis for enrolling them and issuing account credentials for the system; the identity of each user shall be ascertained at the time of joining the law firm through a stringent background check or vetting process. Each user registered in the system should be issued a unique cryptographic key that is generated and stored in a USB token with tamper-resistant hardware. The user authenticates to the system with the USB token together with a password, so that both possession of the token and knowledge of the password are required.