
PKI Audits and Assessments: An insider’s view






Presentation Transcript


  1. PKI Audits and Assessments: An insider’s view
     Nathan Faut, Senior Associate, KPMG

  2. Agenda
     • Background
     • PKI “Audit” Activities
     • PKI and other “Audit” Activities
     • Short-term look into what’s ahead
     • Q&A

  3. Background
     • CISA, December 2005
     • Completed WebTrust engagements for DEA, USPS
     • Previously helped establish HEPKI PA
     • Previously worked with Cybertrust, a PKI vendor

  4. PKI “Audit” Activities
     • Audit vs. attestation
     • ABA PKI Assessment Guidelines
     • CA Control Objectives
     • CA Audit criteria
     • AICPA/CICA WebTrust for CAs
     • FBCA Compliance Assessments
     • “The trust is in the auditor’s opinion” – Judy Spencer

  5. Other “Audit” Criteria and Controls
     • Certification & Accreditation (C&A) per OMB A-130, NIST SP 800-37, SP 800-53, et al.
     • Federal Information Security Management Act (FISMA)
     • Financial Audits

  6. CA “Audit” Expectations
     • Have all CA documents in final form and ready (tip: do a pre-audit CP-to-CPS map)
     • Plan to reproduce 6 to 12 months of data, including physical access logs, server logs, incident logs and reports, etc.
     • Decide what documents, or parts of documents, to make public
     • Expect to educate and be educated
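The “pre-audit CP-to-CPS map” tip on slide 6 can be done mechanically: both a Certificate Policy and a Certification Practice Statement conventionally follow the RFC 3647 section outline, so their numbered headings can be lined up and each CP requirement checked against the practice the CPS states for it. The script below is an added example, not part of the presentation and not a KPMG or WebTrust tool; the CP and CPS excerpts, section numbers and wording in it are constructed for illustration.

```python
"""Pre-audit CP-to-CPS map (added example; not from the presentation).

Parses the numbered subsection headings of an RFC 3647-style CP and CPS,
pairs sections by number, and reports the gaps an auditor would flag:
CP sections the CPS never addresses, CP requirements the CPS answers with
"No stipulation", mismatched headings (a renumbering smell), and CPS
sections with no CP counterpart.  The document excerpts are constructed.
"""
import re
from dataclasses import dataclass, field

# A heading is a dotted section number (e.g. 4.9.1) followed by a title.
HEADING_RE = re.compile(r"^(\d+(?:\.\d+)+)\.?\s+(.+?)\s*$")
NO_STIP_RE = re.compile(r"\bno stipulation\b", re.IGNORECASE)


def parse_sections(text: str) -> dict[str, tuple[str, str]]:
    """Return {section number: (title, body text)} for one document."""
    sections: dict[str, tuple[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADING_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = (m.group(2), "")
        elif current and line:
            title, body = sections[current]
            sections[current] = (title, (body + " " + line).strip())
    return sections


def section_key(item: tuple) -> tuple[int, ...]:
    """Sort key so 4.9.2 orders before 4.10.1 (numeric, not lexical)."""
    return tuple(int(part) for part in item[0].split("."))


def norm_title(title: str) -> str:
    return re.sub(r"[^a-z0-9]+", " ", title.lower()).strip()


@dataclass
class MapReport:
    missing_in_cps: list[str] = field(default_factory=list)  # CP section, no CPS counterpart
    unaddressed: list[str] = field(default_factory=list)     # CP requires, CPS says "No stipulation"
    title_mismatch: list[str] = field(default_factory=list)  # same number, different heading
    extra_in_cps: list[str] = field(default_factory=list)    # CPS section, no CP counterpart

    def ok(self) -> bool:
        # Extra CPS detail is fine; missing or unaddressed CP requirements are not.
        return not (self.missing_in_cps or self.unaddressed)


def map_cp_to_cps(cp_text: str, cps_text: str) -> MapReport:
    cp, cps = parse_sections(cp_text), parse_sections(cps_text)
    report = MapReport()
    for num, (cp_title, cp_body) in sorted(cp.items(), key=section_key):
        if num not in cps:
            report.missing_in_cps.append(num)
            continue
        cps_title, cps_body = cps[num]
        if norm_title(cp_title) != norm_title(cps_title):
            report.title_mismatch.append(num)
        # The CP states a requirement unless it itself says "No stipulation".
        cp_requires = bool(cp_body) and not NO_STIP_RE.search(cp_body)
        if cp_requires and (not cps_body or NO_STIP_RE.search(cps_body)):
            report.unaddressed.append(num)
    for num, _ in sorted(cps.items(), key=section_key):
        if num not in cp:
            report.extra_in_cps.append(num)
    return report


def format_report(report: MapReport) -> str:
    lines = [
        f"CP sections missing from CPS:            {report.missing_in_cps}",
        f"CP requirements answered 'No stipulation': {report.unaddressed}",
        f"Heading mismatches (check numbering):    {report.title_mismatch}",
        f"CPS sections with no CP counterpart:     {report.extra_in_cps}",
        "RESULT: " + ("ready for audit" if report.ok() else "gaps to close before the audit"),
    ]
    return "\n".join(lines)


# Constructed excerpts in RFC 3647 numbering (not a real CP or CPS).
CP_EXCERPT = """
4.9.1 Circumstances for revocation
The CA shall revoke a certificate within 24 hours of a confirmed key compromise.
4.9.2 Who can request revocation
The subscriber, the RA, or the Policy Authority may request revocation.
5.1.2 Physical access
Access to the CA facility shall be logged and reviewed monthly.
5.4.3 Retention period for audit log
Audit logs shall be retained for at least 12 months on-site.
5.4.4 Protection of audit log
Audit logs shall be write-protected and integrity-checked weekly.
6.2.1 Cryptographic module standards and controls
CA private keys shall be protected in a FIPS 140-2 Level 3 validated module.
"""

CPS_EXCERPT = """
4.9.1 Circumstances for revocation
The CA revokes certificates within 18 hours of a confirmed key compromise.
4.9.2 Who can request revocation
No stipulation.
5.1.2 Physical access
Entry requires badge plus PIN; badge logs are exported weekly and reviewed.
5.4.3 Audit log retention
No stipulation.
6.2.1 Cryptographic module standards and controls
CA keys are generated and held in a Level 3 validated HSM.
7.1.1 Version number(s)
Certificates are X.509 version 3.
"""

if __name__ == "__main__":
    print(format_report(map_cp_to_cps(CP_EXCERPT, CPS_EXCERPT)))
```

In practice, feed it the text of the real CP and CPS (e.g. after `pdftotext`) and treat each entry in the “missing” and “No stipulation” lists as a document fix to make before the auditors arrive; the heading-mismatch list usually points at a CPS that was written against an older revision of the CP outline.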

  7. What’s Next?
     • HSPD-12 credentials
     • Bridge-to-Bridge cross certifications, e.g. FBCA–CertiPath
     • Federation compliance
     • Registration compliance
     • Commoditization

  8. Q&A
     Thank You
     Nathan Faut
     nfaut@kpmg.com
     202-533-4471
