1 / 11

Audit: Not just for the finance guys any more!

Audit: Not just for the finance guys any more!. What to Prepare and What to Expect from your CA auditor. Agenda. Types of CA attestation What to have ready before the auditor arrives What will happen during the auditor’s visit What happens when they leave WIIFM (What’s In It For Me?)

may
Download Presentation

Audit: Not just for the finance guys any more!

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Audit: Not just for the finance guys any more! What to Prepare and What to Expect from your CA auditor

  2. Agenda • Types of CA attestation • What to have ready before the auditor arrives • What will happen during the auditor’s visit • What happens when they leave • WIIFM (What’s In It For Me?) • Q & A

  3. Purpose • CA attestations are important: “The trust [of the digital certificate] is in the audit.” - Judith Spencer, Federal Identification Credentialling Committee, August 2006

  4. Kinds of CA Attestation • Two varieties: 1. Web Trust for CAs (WTCA) • http://ftp.webtrust.org/webtrust_public/tpafile7-8-03fortheweb.doc • Establishes about 200 criteria points against which to measure the CA • Industry-standard attestation • Widely recognized Web Trust Seal • To receive the WT Seal, Webtrust.org generally publicly publishes the CA’s CPS, management assertion letter, and auditor’s opinion letter

  5. Kinds of CA Attestation • Two varieties: (cont.) 2. “Compliance review” • Use the CA CP as the criteria – 150+ criteria (e.g., Federal FBCA ~200 elements) • Individualized approach • Final opinion is sent to management for their internal use

  6. Kinds of CA Attestation • Consequences: • More criteria often means more time on-site and more information requests • Trust fabric: • WTCA – Published documents fully support trust fabric • “Compliance Review” – unpublished documents do not fully support trust web • Qualified auditors: • WTCA provided by Big Four-plus; • “Compliance Review” may be provided by any CPA or CISA

  7. What to Have Ready … • Know the criteria the auditor will be using • Key Generation ceremony documents • Logs, logs, logs – 6 to 12 months’ worth • OS, CA, and other automated logs • Visitor sign-in sheets (lobby, elevator, CA facility, et.al.) • Cameras, badging system, et.al. • Tape backup logs, off-site tracking, tests, test results, etc. • Physical review, including CA login, fire, water, RA, cert creation, incident review and resolution, and other activities • Staff interviews to support separation of duties, training, experience, compliance with established procedures, etc. • Review of the DR site, documents, and DR test(s) results • … and other areas per source criteria (see first bullet)

  8. Usual events during a CA attestation • Kick off meeting • Prepared by Client (“PBC”) document/item list • Physical review • Interviews • Status meetings • Update PBC list, etc. • Draft Findings, Draft opinion letter, Draft Representation and Assertion letters • Final report/opinion

  9. After We Go … • If opinion qualified: • Review NFRs (Notice/s of Finding and Recommendation) • Change/update documents and procedures • Perform and document updates • Budget and request second attest visit • If opinion unqualified: • For Web Trust: • Opinion letter delivered • CPS and management assertion letter requested and prepped for publication • Web Trust Seal requested, required documents provided • Seal approved and assigned to the client CA site • For “Compliance review”: • Opinion letter delivered

  10. WIIFM Remember: “The trust [of the digital certificate] is in the audit.” - Judith Spencer, Federal Identification Credentialling Committee, August 2006 • Prove and increase trust in your certificates • Capture and address weaknesses in your policies, practices, and operational areas • For Web Trust Seal, use the annual engagement as an opportunity to improve processes and/or technology • Increase the Trust Fabric between certificate providers, certificate users, and relying parties within and across digital credential-using organizations

  11. Thank You Q & A Nathan Faut KPMG LLP nfaut@kpmg.com

More Related