110 likes | 437 Views
Audit: Not just for the finance guys any more!. What to Prepare and What to Expect from your CA auditor. Agenda. Types of CA attestation What to have ready before the auditor arrives What will happen during the auditor’s visit What happens when they leave WIIFM (What’s In It For Me?)
E N D
Audit: Not just for the finance guys any more! What to Prepare and What to Expect from your CA auditor
Agenda • Types of CA attestation • What to have ready before the auditor arrives • What will happen during the auditor’s visit • What happens when they leave • WIIFM (What’s In It For Me?) • Q & A
Purpose • CA attestations are important: “The trust [of the digital certificate] is in the audit.” - Judith Spencer, Federal Identification Credentialling Committee, August 2006
Kinds of CA Attestation • Two varieties: 1. Web Trust for CAs (WTCA) • http://ftp.webtrust.org/webtrust_public/tpafile7-8-03fortheweb.doc • Establishes about 200 criteria points against which to measure the CA • Industry-standard attestation • Widely recognized Web Trust Seal • To receive the WT Seal, Webtrust.org generally publicly publishes the CA’s CPS, management assertion letter, and auditor’s opinion letter
Kinds of CA Attestation • Two varieties: (cont.) 2. “Compliance review” • Use the CA CP as the criteria – 150+ criteria (e.g., Federal FBCA ~200 elements) • Individualized approach • Final opinion is sent to management for their internal use
Kinds of CA Attestation • Consequences: • More criteria often means more time on-site and more information requests • Trust fabric: • WTCA – Published documents fully support trust fabric • “Compliance Review” – unpublished documents do not fully support trust web • Qualified auditors: • WTCA provided by Big Four-plus; • “Compliance Review” may be provided by any CPA or CISA
What to Have Ready … • Know the criteria the auditor will be using • Key Generation ceremony documents • Logs, logs, logs – 6 to 12 months’ worth • OS, CA, and other automated logs • Visitor sign-in sheets (lobby, elevator, CA facility, et.al.) • Cameras, badging system, et.al. • Tape backup logs, off-site tracking, tests, test results, etc. • Physical review, including CA login, fire, water, RA, cert creation, incident review and resolution, and other activities • Staff interviews to support separation of duties, training, experience, compliance with established procedures, etc. • Review of the DR site, documents, and DR test(s) results • … and other areas per source criteria (see first bullet)
Usual events during a CA attestation • Kick off meeting • Prepared by Client (“PBC”) document/item list • Physical review • Interviews • Status meetings • Update PBC list, etc. • Draft Findings, Draft opinion letter, Draft Representation and Assertion letters • Final report/opinion
After We Go … • If opinion qualified: • Review NFRs (Notice/s of Finding and Recommendation) • Change/update documents and procedures • Perform and document updates • Budget and request second attest visit • If opinion unqualified: • For Web Trust: • Opinion letter delivered • CPS and management assertion letter requested and prepped for publication • Web Trust Seal requested, required documents provided • Seal approved and assigned to the client CA site • For “Compliance review”: • Opinion letter delivered
WIIFM Remember: “The trust [of the digital certificate] is in the audit.” - Judith Spencer, Federal Identification Credentialling Committee, August 2006 • Prove and increase trust in your certificates • Capture and address weaknesses in your policies, practices, and operational areas • For Web Trust Seal, use the annual engagement as an opportunity to improve processes and/or technology • Increase the Trust Fabric between certificate providers, certificate users, and relying parties within and across digital credential-using organizations
Thank You Q & A Nathan Faut KPMG LLP nfaut@kpmg.com