80 likes | 194 Views
PKI Audits and Assessments: An insider’s view. Nathan Faut, Senior Associate KPMG. Agenda. Background PKI “Audit” Activities PKI and other “Audit” Activities Short-term look into what’s ahead Q&A. Background. CISA, December 2005 Completed Web Trust engagements for DEA, USPS
E N D
PKI Audits and Assessments: An insider’s view Nathan Faut, Senior Associate KPMG
Agenda • Background • PKI “Audit” Activities • PKI and other “Audit” Activities • Short-term look into what’s ahead • Q&A
Background • CISA, December 2005 • Completed Web Trust engagements for DEA, USPS • Previously helped establish HEPKI PA • Previously worked with Cybertrust, a PKI vendor
PKI “Audit” Activities • Audit vs. attestation • ABA PKI Assessment Guidelines • CA Control Objectives • CA Audit criteria • AICPA/CICA Web Trust for CA • FBCA Compliance Assessments • “The trust is in the auditor’s opinion” – Judy Spencer
Other “Audit” Criteria and Controls • Certification & Accreditation (C&A) per OMB A-130, NIST 800-37, 800-53, et.al. • Federal Information Security Management Act (FISMA) • Financial Audits
CA “Audit” Expectations • Have all CA documents in final form and ready (tip: do a pre-audit CP-to-CPS map) • Plan to reproduce 6 to 12 months of data including physical access logs, server logs, incident logs and reports, etc. • Decide what documents or parts of documents to make public • Expect to educate and be educated
What’s Next? • HSPD 12 credentials • Bridge-to-Bridge Cross Certifications, e.g. FBCA-Certipath • Federation Compliance • Registration Compliance • Commoditization
Q&A Thank You Nathan Faut nfaut@kpmg.com 202-533-4471