When the Auditor Comes Knocking …
What to Prepare and What to Expect from your CA auditor
Coming Attractions …
• To Be Discussed:
  • What kind of CA attestation will it be, and why you should care
  • What to have ready before the auditor arrives
  • What will happen during the auditor’s visit
  • What happens when they leave
  • WIIFM (What’s In It For Me?)
  • Q & A
Purpose
• CA attestations are important: “The trust [of the digital certificate] is in the audit.”
  – Judith Spencer, Federal Identification Credentialling Committee, August 2006
Kinds of CA Attestation
• Two varieties:
  • Web Trust for CAs (WTCA)
    • http://ftp.webtrust.org/webtrust_public/tpafile7-8-03fortheweb.doc
    • Establishes about 200 criteria points against which to measure the CA
    • Industry-standard attestation
    • Widely recognized Web Trust Seal
    • To receive the WT Seal, Webtrust.org publicly publishes the CA’s CPS, management attestation letter, and auditor’s opinion letter
Kinds of CA Attestation (cont.)
• Two varieties (cont.):
  • Management review
    • Uses the CA CP as the criteria – 300+ criteria (e.g., Federal FBCA ~400 elements)
    • Individualized approach
    • Final opinion is sent to management for their internal use
    • All documents may be kept private/secured/unavailable, or published at management’s discretion
Kinds of CA Attestation (cont.)
• Consequences:
  • More criteria often (not always) means more time on-site and more information requests (a.k.a. Prepared By Client [PBC] items)
  • WTCA – published documents fully support the trust web; management review – unpublished documents do not fully support the trust web
  • WTCA is provided by the Big Four-plus; a management review may be provided by any qualified CPA firm
What to Have Ready …
• Know the criteria the auditor will be using
• Key generation ceremony documents
• Logs, logs, logs – 6 to 12 months’ worth
  • OS, CA, and other automated logs
  • Visitor sign-in sheets (lobby, elevator, CA facility, et al.)
  • Cameras, badging system, et al.
  • Tape backup logs, off-site tracking, tests, test results, etc.
• Physical review, including CA login, fire, water, RA, cert creation, incident review and resolution, and other activities
• Staff interviews to support separation of duties, training, experience, compliance with established procedures, etc.
• Review of the DR site, documents, and DR test(s) results
• … and other areas per the source criteria (see first bullet)
Usual Events During a CA Attestation
• Kick-off meeting
• Prepare and deliver PBC item list
• PBC document review to determine physical review steps and interview questions/content
• Physical review
• Interviews
• Write up results, update PBC list, update attest criteria documents, etc.
• Final report/opinion
After We Go …
• If opinion qualified:
  • Review NFRs (Notice of Finding and Recommendation)
  • Change/update documents and procedures
  • Perform and document updated tests
  • Budget and request second attest visit
• If opinion unqualified:
  • For Web Trust:
    • Opinion letter delivered
    • CPS and management assertion letters requested and prepped for publication
    • Web Trust Seal requested, required documents provided
    • Seal approved and assigned to the client CA site
  • For Management review:
    • Opinion letter delivered
Switching Gears …
• The Federal gov’t arrived first (and why)
• Lessons from the Trenches
• What You Can Do to Avoid These Mistakes
• Q & A
Experience Speaks:
• PMA 2002: http://www.whitehouse.gov/omb/budget/fy2002/mgmt.pdf
• HSPD-12 2004: http://www.whitehouse.gov/news/releases/2004/08/20040827-8.html
• FPKI PA: http://www.cio.gov/fpkipa
• FICC: http://www.cio.gov/ficc
• E-Auth: http://www.gsa.gov/eauthentication
Experience Speaks (some more):
• Signatures and Access For Everyone (SAFE): http://www.safe-biopharma.org/
• Certipath: http://www.certipath.org/
• And, yes, HEBCA: http://www.educause.edu/HEBCA/623
Lesson #1: Not Ready for Prime Time
• Observed actions:
  • Requested Web Trust review
  • Backup CA site not ready
  • Operations not at full-time strength – few to no logs
• Issue(s):
  • Issued qualified Web Trust opinion letter
  • Request a preliminary review or advisory engagement – set more realistic expectations and resource allocation
  • Expect a second, completely different team during the official WTCA attestation
Lesson #2: Revision Spiral
• Observed actions:
  • A client continued revising documents based on preliminary conversations
  • Revisions required repetitive document review and criteria mapping
• Issues:
  • Increased resource utilization on the attestation – on both sides – staff, time, budget, expected delivery of opinion
  • Non-stable CA environment (ever-changing policies and procedures)
Lesson #3: Do We Have To?
• Observed actions:
  • Delayed RFP / RFQ
  • Leads to poor resource allocation, engagement timing, etc.
  • Concludes with a delayed opinion letter
• Issues:
  • Budget resources responsibly
  • Know the criteria that fit the CA goals
  • The chosen level of assurance expands (or contracts) the trust web/fabric accordingly
In Closing …
• Be prepared
• Have appropriate levels and amounts of data
• Understand the attest criteria
• Use the attest to improve policies, processes, documents, and procedures
WIIFM
Remember: “The trust [of the digital certificate] is in the audit.”
  – Judith Spencer, Federal Identification Credentialling Committee, August 2006
• Prove and increase trust in your certificates
• Capture weaknesses in your policies, practices, and operational areas
• For the Web Trust Seal, use the annual engagement as an opportunity to improve processes and/or technology
• Increase the Web of Trust between certificate providers and certificate users within and across digital credential-using organizations
Thank You – Q & A
Nathan Faut, KPMG LLP
nfaut@kpmg.com