State governments use lots of identity credentials for a variety of purposes. This is true in the physical world, of course, but it's becoming even more important in the online world. As governments conduct more and more business online, the question of how to identify citizens (and how much) must be answered.
The NY State CIO, Michael R. Mittleman, has issued what I believe is the most comprehensive set of identity policies issued by any state to date. The intro to the document states:
In order for information owners to be able to trust credentials that have been issued to users, the credentials must have been issued, protected and managed according to some documented, consistent, and agreed on rules. This document outlines these rules, and documents the steps required in the process. In particular it:
- Defines the processes to establish identities and manage credentials;
- Defines the levels of trust; and
- Provides detailed procedures to map the identity and credential management processes to the various trust levels.
The policy is well written and includes very clear language explaining various concepts and why the policy says what it does. Part 9, describing how to assign trust levels, walks users through the appropriate steps and questions to make an accurate assessment.
Even if you work in security, you might be tempted to skip past reading it on the grounds that it's too government-centric. Don't. Most of what's there applies to any large organization. This is a good model of a comprehensive authentication policy. I'm going to add it to my collection of identity policies.