
When the Auditor Comes Knocking …

Presentation Transcript


  1. When the Auditor Comes Knocking … What to Prepare and What to Expect from your CA auditor

  2. Coming Attractions …
  • To Be Discussed:
    • What kind of CA attestation will it be, and why you should care
    • What to have ready before the auditor arrives
    • What will happen during the auditor’s visit
    • What happens when they leave
    • WIIFM (What’s In It For Me?)
    • Q & A

  3. Purpose
  • CA attestations are important: “The trust [of the digital certificate] is in the audit.” - Judith Spencer, Federal Identification Credentialling Committee, August 2006

  4. Kinds of CA Attestation
  • Two varieties:
    • Web Trust for CAs (WTCA)
      • http://ftp.webtrust.org/webtrust_public/tpafile7-8-03fortheweb.doc
      • Establishes about 200 criteria points against which to measure the CA
      • Industry-standard attestation
      • Widely recognized Web Trust Seal
      • To receive the WT Seal, Webtrust.org publicly posts the CA’s CPS, management attestation letter, and auditor’s opinion letter

  5. Kinds of CA Attestation
  • Two varieties (cont.):
    • Management review
      • Uses the CA CP as the criteria – 300+ criteria (e.g., Federal FBCA ~400 elements)
      • Individualized approach
      • Final opinion is sent to management for their internal use
      • All documents may be kept private/secured/unavailable, or published at management’s discretion

  6. Kinds of CA Attestation
  • Consequences:
    • More criteria often (not always) means more time on-site and more information requests (a.k.a. Prepared By Client [PBC] items)
    • WTCA – published documents fully support the trust web
    • Management review – unpublished documents do not fully support the trust web
    • WTCA provided by Big Four-plus; Management review may be provided by any qualified CPA firm

  7. What to Have Ready …
  • Know the criteria the auditor will be using
  • Key Generation ceremony documents
  • Logs, logs, logs – 6 to 12 months’ worth
    • OS, CA, and other automated logs
    • Visitor sign-in sheets (lobby, elevator, CA facility, et al.)
    • Cameras, badging system, et al.
    • Tape backup logs, off-site tracking, tests, test results, etc.
  • Physical review, including CA login, fire, water, RA, cert creation, incident review and resolution, and other activities
  • Staff interviews to support separation of duties, training, experience, compliance with established procedures, etc.
  • Review of the DR site, documents, and DR test(s) results
  • … and other areas per source criteria (see first bullet)
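As an added example (not part of the presentation), the following Python script checks whether retained daily log files cover a continuous retention window, so that missing days are found before the auditor asks for the logs; the file-name pattern, dates and the 180-day window are constructed assumptions.

```python
# Added example, not from the presentation: verify that daily log files cover a
# continuous retention window (here 180 days, the low end of 6 to 12 months).
import re
from datetime import date, timedelta

DATE_RE = re.compile(r"(\d{4})-(\d{2})-(\d{2})\.log$")

def dates_from_filenames(names):
    """Extract the day each daily log file covers from constructed names such
    as 'ca-audit-2006-05-09.log'; names without a date suffix are ignored."""
    found = set()
    for name in names:
        m = DATE_RE.search(name)
        if m:
            found.add(date(*map(int, m.groups())))
    return found

def log_coverage_gaps(log_dates, required_days, as_of):
    """Return (start, end) pairs for every run of days with no log file inside
    the window of `required_days` days ending on `as_of` (inclusive)."""
    gaps, gap_start = [], None
    day = as_of - timedelta(days=required_days - 1)
    while day <= as_of:
        if day not in log_dates:
            gap_start = gap_start or day            # open a new gap
        elif gap_start is not None:
            gaps.append((gap_start, day - timedelta(days=1)))  # close it
            gap_start = None
        day += timedelta(days=1)
    if gap_start is not None:                       # gap reaches end of window
        gaps.append((gap_start, as_of))
    return gaps

def build_sample_filenames():
    """Constructed sample: daily CA audit logs from 2006-03-01 to 2006-08-31,
    minus two days lost in May and the last three days not yet archived."""
    missing = {date(2006, 5, 10), date(2006, 5, 11),
               date(2006, 8, 29), date(2006, 8, 30), date(2006, 8, 31)}
    names, day = ["README.txt"], date(2006, 3, 1)
    while day <= date(2006, 8, 31):
        if day not in missing:
            names.append(f"ca-audit-{day.isoformat()}.log")
        day += timedelta(days=1)
    return names

def sample_gaps(as_of=date(2006, 8, 31), required_days=180):
    """Run the check on the constructed sample; gaps as ISO date strings."""
    dates = dates_from_filenames(build_sample_filenames())
    return [(s.isoformat(), e.isoformat())
            for s, e in log_coverage_gaps(dates, required_days, as_of)]
```

Calling `sample_gaps()` reports the two-day May gap and the unarchived last three days; pointing `dates_from_filenames` at a real log directory listing applies the same check to production retention.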

  8. Usual events during a CA attestation
  • Kick-off meeting
  • Prepare and deliver PBC item list
  • PBC document review to determine physical review steps and interview questions/content
  • Physical review
  • Interviews
  • Write up results, update PBC list, update attest criteria documents, etc.
  • Final report/opinion

  9. After We Go …
  • If opinion qualified:
    • Review NFRs (Notice of Finding and Recommendation)
    • Change/update documents and procedures
    • Perform and document updated tests
    • Budget and request second attest visit
  • If opinion unqualified:
    • For Web Trust:
      • Opinion letter delivered
      • CPS and management assertion letters requested and prepped for publication
      • Web Trust Seal requested, required documents provided
      • Seal approved and assigned to the client CA site
    • For Management review:
      • Opinion letter delivered

  10. Switching gears …
  • The Federal gov’t arrived first (and why)
  • Lessons from the Trenches
  • What You Can Do to Avoid These Mistakes
  • Q & A

  11. Experience Speaks:
  • PMA 2002: http://www.whitehouse.gov/omb/budget/fy2002/mgmt.pdf
  • HSPD-12 2004: http://www.whitehouse.gov/news/releases/2004/08/20040827-8.html
  • FPKI PA: http://www.cio.gov/fpkipa
  • FICC: http://www.cio.gov/ficc
  • E-Auth: http://www.gsa.gov/eauthentication

  12. Experience Speaks (some more):
  • Signatures and Access For Everyone (SAFE): http://www.safe-biopharma.org/
  • Certipath: http://www.certipath.org/
  • And, yes, HEBCA: http://www.educause.edu/HEBCA/623

  13. Lesson #1: Not Ready for PrimeTime
  • Observed actions:
    • Requested Web Trust review
    • Backup CA site not ready
    • Operations not at full-time strength – few to no logs
  • Issue(s):
    • Issued qualified Web Trust opinion letter
    • Request preliminary review or advisory engagement – set more realistic expectations and resource allocation
    • Expect a second, completely different team during official WTCA attestation

  14. Lesson #2: Revision Spiral
  • Observed actions:
    • A client continued revising documents based on preliminary conversations
    • Revisions required repetitive document review and criteria mapping
  • Issues:
    • Increased resource utilization on attestation – on both sides – staff, time, budget, expected delivery of opinion
    • Non-stable CA environment (ever-changing policies and procedures)

  15. Lesson #3: Do We Have To?
  • Observed actions:
    • Delayed RFP / RFQ
    • Leads to poor resource allocation, engagement timing, etc.
    • Concludes with delayed opinion letter
  • Issues:
    • Budget resources responsibly
    • Know the criteria that fit the CA goals
    • The level of assurance chosen expands (or contracts) the trust web/fabric

  16. In Closing …
  • Be Prepared
  • Have Appropriate Levels and Amounts of Data
  • Understand the attest criteria
  • Use the attest to improve policies, processes, documents, and procedures

  17. WIIFM
  Remember: “The trust [of the digital certificate] is in the audit.” - Judith Spencer, Federal Identification Credentialling Committee, August 2006
  • Prove and increase trust in your certificates
  • Capture weaknesses in your policies, practices, and operational areas
  • For Web Trust Seal, use the annual engagement as an opportunity to improve processes and/or technology
  • Increase the Web of Trust between certificate providers and certificate users within and across digital credential-using organizations

  18. Thank You
  Q & A
  Nathan Faut, KPMG LLP, nfaut@kpmg.com