Info Tech, Inc. DBA Infotech Digital ID Practice Statement: Infotech-owned Products

Introduction

Overview

This Digital ID Policy (herein referred to as the "Policy,” as appropriate) specifies minimum requirements for the issuance and management of Digital IDs that shall be used in authenticating actions of users accessing resources of the Info Tech, Inc., DBA Infotech (herein referred to as "Infotech") and the resources of other entities (relying parties) which accept those Digital IDs. For clarification of any aspect of this Policy contact contract-admin@infotechinc.com.

This document illustrates the policies and practices that govern the Infotech PKI. To obtain credentials, Infotech PKI subscribers complete one of a small variety of processes and upon completion of the applicable process, Infotech-PKI generates a subscriber's private key on the subscriber's local host machine. If the request is authenticated and verified according to the standards of this policy, the subscriber receives a Digital ID from Infotech.

Digital ID Usage

Appropriate Uses

Infotech-issued Digital IDs which have been approved, which have not expired, and which have not been revoked may be used for the purpose of authentication, encryption, and digital signing within Infotech systems or software.

Prohibited Uses

Other uses of Infotech issued Digital IDs are not prohibited, but neither are they supported or guaranteed by Infotech in any way whatsoever. Such uses are at the sole risk of the user of the certificate and the party seeking to rely upon the Digital ID.


Definitions and Acronyms

Digital IDi: electronic credentials consisting of public and private keys used for encryption, digital signatures, and/or bid submission by users of Infotech services, such as the Doc Express or Bid Express Services.

Holder (Digital ID): a Digital ID Holder is someone that has been issued an activated Digital ID. A Digital ID Holder may also be referred to as a Subscriber, if the Holder has subscribed to any Infotech subscription services.

Infotech PKI: Any software or repository used to distribute and authenticate policies, Digital IDs and the like.

Relying Party: a recipient of a certificate who acts in reliance on that certificate and/or digital signatures verified using that certificate.

Subscriber: a person (an individual) that has been issued an Infotech PKI Digital ID according to the terms of this policy.

User: one who accesses any portion of the Infotech PKI system, network, or other Infotech system or network. As applicable, this may be a subscriber, an Infotech employee, or a relying party; usage in this document should be determined by context in each case.

iDigital ID is a trademark of Info Tech, Inc.


Identification and Authentication

Naming

Types of Names

Common Name, State and Country names will always be used. Other names may be used if needed.

Need for Names to be Meaningful

Names are neither meaningful nor strictly serial in nature.

Anonymity or Pseudo-anonymity of Subscribers

Subscribers may not remain anonymous or pseudonymous.


Initial Identity Validation

Infotech assigns Digital IDs - and therefore public and private keys - to users once Infotech verifies the user’s identity to confirm that the new keys correlate only to that authorized user.

Authentication of Individual Identity

Identity verification is provided via Infotech’s third-party identity verification service.

Validation of Authority

Applicants requesting Infotech Digital IDs must be authenticated as the applicant identified in the Digital ID. This certification is a matter between Infotech and the subscriber. Relying parties should take note that this validation is not intended to replace any process or requirement of the relying party for validation of authority (such as approved vendor lists, owner or officer requirements, or the like).


Identification and Authentication for Re-key Requests

Circumstances for Digital ID Rekey

Infotech shall verify Subscriber’s possession of the Subscriber’s private key by any acceptable means prior to execution of a routine re-key procedure by Infotech.

Infotech Digital IDs are renewed using a re-keying process prior to expiration unless they have been revoked or the Subscriber no longer has an account or subscription associated with an Infotech service.

Re-key after Revocation

No Digital ID shall be re-keyed after revocation.

Circumstance for Digital ID Re-Key

Infotech shall be the sole entity which determines the need for a re-key event.


Digital ID Life-cycle Operational Requirements

Digital ID Application

Who can Submit a Digital ID Application

Any user granted an Infotech user account may submit an application for an Infotech Digital ID.

Enrollment Process and Responsibilities

Applicant is responsible for successfully completing identity verification through Infotech’s third-party identity verification service.

Infotech shall not be responsible for any Digital ID applicant's failure to provide complete and correct application information in the specified manner and format, or failure to submit application information to Infotech prior to the need of the applicant to use the Digital ID for any purpose, without sufficient time allotted for processing the application. Infotech shall not be responsible for any delays or technical difficulties experienced by Holders or Subscribers that are a result of circumstances outside of Infotech's control.


Digital ID Application Processing

Approval of Digital ID Applications

All Digital ID applications that meet all criteria for acceptance and are authenticated according to all controls and protocols will be approved.

All Digital ID applications that do not meet each and every criteria for acceptance or do not pass all controls and protocols for authentication will be rejected.

Time to Process Digital ID Applications

No Digital ID shall be approved and/or activated except upon completion of any necessary internal and external review required by policy. Infotech makes no guarantees whatsoever on any processing times for Digital ID applications or activation requests.

Digital ID applications are approved immediately based on acceptance of all controls and protocols and the uptime of our automated identity provider. Infotech recommends that applicants submit all requests for Digital ID approval and activation not less than seven days in advance of the anticipated need to use the Digital ID. Infotech recommends that Holders, once the Holder's Digital ID has been activated and approved, test the functionality of the Digital ID well in advance of the need to use the Digital ID, in the event that technical troubleshooting is necessary.

Infotech shall not be responsible for any delays or technical difficulties experienced by Holders or Subscribers that are a result of circumstances outside of Infotech's control.


Digital ID Issuance

Notification to Subscriber of Issuance of Digital ID

Subscribers will be notified of the issuance of any Digital ID via email.


Digital ID Acceptance

Conduct Constituting Digital ID Acceptance

Digital ID acceptance is assumed due to the specific actions taken to accept the terms of the Digital ID electronically, request the Digital ID, pay any associated fees, and provide any associated documentation prior to Digital ID issue.


Key Pair and Digital ID Usage

Subscriber Private Key and Digital ID Usage

By accepting and using an Infotech Digital ID, you, as a Subscriber or Holder, represent to Infotech and to parties relying on your use of the Digital ID with Infotech products and services that you will:

  • Exercise due care to protect the integrity of the private key corresponding to the certificate.

  • Never remove or compromise the encryption measures designed to protect the security of the private key;

  • Never share the private key between people; and

  • Promptly notify Infotech of any incident which may involve a possibility of exposure of a private key.

  • Observe any restrictions on private key and Digital ID use.

  • Not represent that their Digital ID is guaranteed by Infotech for trust to any entity that is not relying upon that Digital ID within the normal use of Infotech systems or software, is not a party to an Infotech PKI Relying Party Agreement, or is not party to another express agreement to rely on Infotech PKI Digital IDs.

  • Use the Digital ID in a manner consistent with applicable law and Infotech’s intended use of the Digital ID.

  • Only use the Digital ID if the Digital ID is accepted by the subscriber and authorized for the subscriber's use by Infotech.

  • Discontinue use of the Digital ID if it has been revoked or has expired.

Subscribers are notified of these and other responsibilities:

  • Via notice accessible from a relevant Infotech website;

  • Via acknowledgement of the terms of use and the subscriber agreement during the submission process of an application for an Infotech PKI certificate; and

  • Via this document, which is available on the Infotech corporate website.

Relying Party Public Key and Digital ID Usage

Relying parties should:

  • Review the provisions of this Infotech’s Digital ID Policies and any Relying Party Agreement or other express agreement for which the relying party is in privity of contract with Infotech.

  • Not presume authorization of an end entity based solely on possession of an Infotech PKI Digital ID or its corresponding private key.

  • Observe restrictions on private key and Digital ID use.

Relying parties are notified of these and other guidelines:

  • Via notice accessible from a relevant Infotech website;

  • Via notice of this document's incorporation into any Relying Party Agreement or any other express agreement; and

  • Via this document, which is available in the Infotech PKI repository and on the Infotech corporate website.

Digital ID Renewal

Renewal Requests

A renewal request is assumed unless a Subscriber indicates the intent to revoke the Subscriber’s Digital ID.

Processing Digital ID Renewal Requests

This process is automatic and happens within Infotech systems.

Conduct Constituting Acceptance of a Renewal

Acceptance is implied by not requesting revocation; is expressly confirmed by use of the Digital ID.

Publication of Renewal by Infotech

Publication takes place in the same manner as the publication of a new Digital ID.


Digital ID Replacement

Circumstances for Digital ID Replacement

If a Digital ID is lost, corrupted, or expired, the Digital ID Holder will need to obtain a new Digital ID. The circumstances causing the need to obtain a new Digital ID may require immediate and urgent action; however, all limitations on liability identified in this policy apply to the Digital ID process. For security reasons, Infotech does not retain backups of Holder Digital ID private keys.

Holders are advised to contact Customer Support as soon as possible for assistance.


Digital ID Modification

Circumstances for Digital ID Modification

Infotech Digital IDs are not modified. Subscribers may apply for a new Digital ID via the normal application procedure.


Digital ID Revocation and Suspension

Circumstances for Revocation

Digital IDs issued by Infotech will be revoked in any of the following circumstances:

  • The private key is suspected or reported to be lost or exposed.

  • The information in the Digital ID is believed to be, or has become inaccurate.

  • The Digital ID is reported to no longer be needed.

  • Infotech may revoke any Digital ID for any reason and at Infotech’s sole discretion.

Who can Request Revocation

Infotech Legal, Directors, and Officers may request revocation of any Digital ID issued by Infotech.

The subscriber may request revocation.

Entities other than the subscriber who suspect a Digital ID issued by Infotech may be compromised should contact Infotech Legal.

Procedure for Revocation Request

Subscribers should request revocation via the methods described supra.

Non-Infotech, non-Subscriber entities should send requests for revocation via email to contract-admin@infotechinc.com.

Infotech Legal, Directors and Officers may request revocation of any Infotech Digital ID orally or in writing to qualified Infotech staff.

Revocation Request Grace Period

There shall be no grace period during which a Digital ID may be revived from a revoked status. A Subscriber must request a new Digital ID to replace the Subscriber’s revoked Digital ID.

Time Within which Infotech Must Process the Revocation Request

Requests must be processed within one business day of the request unless the request is based solely on the report of a non-Subscriber, non-Infotech entity. In such cases, requests will be investigated by Infotech Legal by whatever means are available and appropriate; however, in no case will an investigation by Legal take more than two business days. After the Legal investigation is concluded, Legal must immediately either render a decision to revoke the Digital ID or to disregard the request. All requests for revocation which result in a Legal Department investigation are logged, along with the findings and result of the investigations.

Revocation Checking Requirement for Relying Parties

Upon request relying parties may obtain a copy of revoked Digital IDs

Circumstances for Suspension

There is no suspension status for Infotech Digital IDs. The Digital IDs, once authorized and issued, are either authorized or expired.


End of Subscription

Subscribers may terminate their subscription by canceling their account within the Infotech service.


Key Escrow and Recovery

Infotech does not escrow and cannot recover Infotech Digital ID private keys. The Subscriber is responsible for any backup mechanism for his or her own private keys.


Facility, Management, and Operational Controls

Physical Controls

Site Location and Construction

The physical site housing all data required to manage the Digital ID life-cycle is in the United States.

Cloud Vendor

All applicable services required to manage the Digital ID life-cycle tasks are hosted by a cloud vendor in a suitable cloud environment. The vendor must be verified to meet the following standards:

Certifications:

  • PCI 3.1

  • ISO 27001/27017 - Information Security Management

Standards Reports:

  • SOC 2, Type 2/SOC 3 - Effective security and availability controls

The vendor is audited for compliance annually.

Off-site Backup

Backups are retained within the cloud vendor at a separate physical location.

Procedural Controls

Trusted Roles

Persons acting in trusted roles for Infotech are internal auditors and system administration personnel. The functions and duties performed by persons in trusted roles are distributed so that one person alone cannot circumvent security measures or subvert the security or trustworthiness of Infotech operations.

Identification and Authentication for Each Role

All trusted role personnel are required to authenticate themselves before they are allowed access to systems necessary for them to perform their trusted roles.

Roles Requiring Separation of Duties

The following duties are assigned to those persons in trusted roles:

  • Authorization and revocation functions of subscriber Digital IDs.

  • Audit, review, and oversight functions: reviewing, maintaining, and archiving audit logs and performing or overseeing internal compliance audits [internal auditors],

  • Infotech PKI key management and Infotech PKI administration functions: installs and configures Digital ID software including key generation, key backup, and key management; installs and configures system hardware, including servers, routers, firewalls, and network configurations [Infotech PKI system administration].

Audit Logging Procedures

Event Records

All Infotech systems require authentication and identification at system login, whether the system is internal or external, and whether it is being accessed as an employee or an end-user non-employee. Important system actions are logged to establish the accountability of the operators who initiate such actions. Logging is automatic and actions which require urgent notice are reviewed immediately. For each event, Infotech records the relevant: date and time, type of event, success or failure, and user or system that caused the event or initiated the action. All event records are available to auditors as proof of Infotech's practices.

Retention Period for Audit Log

Audit logs are kept for a period of at least one year.

Protection of Audit Log

Access to logs is strictly limited to qualified system administrators and developers with appropriate credentials. Audit logs may not be modified, and are protected from destruction throughout the retention period for those logs.

Vulnerability Assessments

Infotech performs annual risk assessments that identify and assess reasonably foreseeable internal and external threats that could result in unauthorized access, disclosure, misuse, alteration, or destruction of any Digital ID data or Digital ID issuance process. Infotech routinely assesses the systems and controls in place to protect the integrity of Infotech Digital IDs.


Records Archival

Infotech complies with all record retention policies that apply by law.

Types of Records Archived

Infotech retains the following information related to the operation of the Infotech PKI system for archival purposes:

  • Independent security assessment reports

  • Policy versions

  • Contracts and other agreements concerning the operation of Infotech Digital IDs

  • Subscriber agreement versions

  • Compliance auditor reports

  • Digital ID status changes and requests

  • Digital ID compromise notifications

  • Remedial actions taken as a result of violations of physical security


Compromise and Disaster Recovery

Incident and Compromise Handling Procedures

Infotech maintains incident response procedures to guide key personnel in response to security incidents, natural disasters, and similar events that may give rise to system compromise. Infotech reviews and updates its incident response plans as needed.

Computing Resources, Software, and/or Data are Corrupted

Infotech systems are protected by regular backups and Infotech maintains copies of the Infotech Digital ID issuing system's private keys, which are stored securely. If Infotech discovers that any of its systems have been compromised or corrupted, Infotech assesses the danger, legal obligations, and possible risks associated with the incident. If Infotech determines that a continued operation could pose a significant risk to relying parties or subscribers, Infotech will suspend Infotech PKI operations until the risk is mitigated, or as permitted by law.


Key Protection and Security Controls

Private Key Delivery to Subscriber

Private keys are generated by the Subscriber on their own computing equipment, and never leave their control. Subscribers may choose to back up their keys or to copy them to other computers under their control.

Public Key Delivery to Infotech

After the Subscriber generates a key pair, the public key is securely transmitted electronically to Infotech.

Subscriber private keys are stored on their own computer’s internal storage, encrypted with randomly generated keys stored on external servers and provided only upon Subscriber authentication.

Infotech has no access to the Subscriber’s private key. The Subscriber is responsible for backing up and securely storing their private key.


Other Business and Legal Matters

Fees

Any fee associated with the issuance or renewal of a Digital ID is governed by other terms, policies, or agreements which may or may not incorporate this policy.


Confidentiality of Business Information

Scope of Confidential Information

The following information is considered confidential and, unless disclosed voluntarily, is protected against disclosure to the fullest extent permitted by law, regulation, or agreement:

  • Business continuity, incident response, contingency, and disaster recovery plans;

  • Non-public details of other security practices used to protect the confidentiality, integrity, or availability of information;

  • Information held by Infotech as private information;

  • Audit logs and archive records; and

  • Transaction records, financial audit records, external or internal audit trail records, and any audit reports.


Document Name and Identification

Document title: Info Tech, Inc., DBA Infotech Digital ID Practice Statement: Infotech-owned Products

This Policy is published at: infotechinc.com/digitalid-policy

Document version:1.0