ISO/IEC INTERNATIONAL 24745 STANDARD Second edition 2022-02 Information security, cybersecurity and privacy protection Biometric information protection Securité de I'information, cybersécurité et protection de la vie privée - Protection des informations biométriques Reference number IS0/IEC 24745:2022(E) IEC 4 @IS0/IEC2022 IS0/IEC24745:2022(E) COPYRIGHT PROTECTED DOCUMENT @IS0/IEC2022 All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either IsO at the address below orIso'smemberbodyinthecountryoftherequester. ISO copyright office CP401·Ch.deBlandonnet8 CH-1214 Vernier, Geneva Phone: +41 22 749 01 11 Email: [email protected] Website: www.iso.org Published in Switzerland ii @ IS0/IEC 2022 - All rights reserved IS0/IEC24745:2022(E) Contents Page Foreword .V Introduction vi 1 Scope. .1 2 .1 Normative references. 3 Terms and definitions. .1 4 Abbreviated terms .6 5 Biometric systems .7 5.1 General. 5.2 Biometric system operations. 9 5.3 Biometric references and identity references (IRs) 11 5.4 Biometric systems and identity management systems 11 5.5 Personally identifiable information (PIl) and privacy 12 5.6 Societal considerations... 12 Security aspects of a biometric system 13 6 Security requirements for biometric systems to protect biometric information 6.1 13 Confidentiality. 6.1.1 13 Integrity. 13 6.1.2 6.1.3 Renewability and revocability 13 6.1.4 14 Availability 6.2 Security threats and countermeasures in biometric systems. 14 6.2.1 Threats and countermeasures against biometric system components 14 6.2.2 Threats and countermeasures during the transmission of biometric 16 information Renewable biometric references as countermeasure technology 6.2.3 17 6.3 Security of data records containing biometric information. 19 6.3.1 Security for biometric information processing in a single database 19 6.3.2 Security for biometric information processing in separated databases 21 .22 7 Biometric information privacy management 7.1 Biometric information privacy threats.. 22 22 7.2 Biometric information privacy requirements and guidelines 22 7.2.1 Irreversibility. 32 7.2.2 Unlinkability 7.2.3 Confidentiality 23 7.3 Biometric information lifecycle privacy management 23 7.3.1 Collection 24 7.3.2 Transfer (disclosure of information to a third party) 忆记 7.3.3 Use. 7.3.4 Storage Retention. 25 7.3.5 7.3.6 25 Archiving and data backup 7.3.7 25 Disposal 7.4 Responsibilities of a biometric system owner 25 Biometric system application models and security 26 8 .26 8.1 Biometric system application models 8.2 .27 Security in each biometric application model .27 8.2.1 General 8.2.2 .28 Model A - Store on server and compare on server .29 8.2.3 Model B - Store on token and compare on server - Store on server and compare on client 31 8.2.4 Model C .32 8.2.5 Model D Store on client and compare on client 8.2.6 Model E - Store on token and compare on client 34 iii @ IS0/IEC 2022 - All rights reserved