An identity management practice statement (IMPS) is defined in the SWAMID Policy:
Each Identity Provider that wishes to become a Member of SWAMID MUST create, publish and maintain an Identity Management Practice Statement. The Identity Management Practice Statement is a description of the Identity Management life-cycle including a description of how identity Subjects are enrolled, maintained and removed from the identity management system. The statement MUST contain descriptions of administrative processes, practices and significant technologies used in the identity management life-cycle. The processes, practices and technologies described MUST be able to support a secure and consistent identity management life-cycle. Specific requirements are imposed by Assurance Profiles.
The Identity Management Practice Statement is evaluated against claims of compliance with Assurance Profiles.
An identity management practice statement is a requirement for SWAMID membership.
- The identity management practice statement should be short and to the point.
- Describe essential processes in detail; bullet points and short descriptions are usually enough.
- Make sure the description matches reality. In the case of a security breach, you will be audited against your current practice statement.
- An identity management practice statement template is available at SWAMID Assurance How-To.