3 Scope

3.1.1 Where possible agencies should use commercial off the shelf (COTS) systems for information security applications as opposed to specially developed products.

3.1.2 Proven industry standards are to be used wherever possible.

3.1.3 Inter-agency systems are most likely to be web based, as the Internet is one of few commonalities among government agencies.

3.1.4 The level of security provided by an authentication mechanism must be appropriate for the information protected. This document targets the protection of IN CONFIDENCE and SENSITIVE information.

3.1.5 This document is limited to considering the authentication of services and individuals among government agencies. The scope of this paper does not include business to government, citizen to government, or citizen to business interaction.

3.1.6 However, it must also take into account that there are a number of external entities that interact with inter-agency applications in many situations. These include private sector agencies and individuals working on behalf of government; SOEs and other public sector entities such as local government bodies. In addition, remote access to systems (from locations other than a government office) is becoming a more common requirement, and the infrastructure also needs to cater for this.

3.1.7 As described later in this paper, the requirements for authentication in any individual computer application can be complex, involving issues of relationships between users, a user's position within an organisation and relationships between data elements. These considerations are outside the scope of this document.