© CAcert, 2009 Ulrich Schroeter, Assurer Training Events, April 2009 How Cacert responded to audit...

Presentation transcript:

We are...
The community Certification Authority
Assurers: Europe, USA
CAcert Inc. (NSW)
Challenged by Audit
To get into the browsers...

Towards Audit
The 1st Audit 2009 review
Primary difficulty: lack of capacity
Deeper reason: “someone (else) is doing it.”
Realisation that the Auditor doesn't 'do' the audit
The Board cannot 'do' the audit
Only the Community can muster the capacity

Towards Audit
New strategy for audit
1. Change the message
2. Build up the capacity
3. Teams fix the problems
4. Distribute the work
5. Engage Auditor: i. RA, ii. CA

Vertical view
CAcert has three major business areas:
a) Assurance (the “RA”)
b) Systems (the “CA”)
c) Community (subscribers, “RPs”)

Helping CAcert? 2. the teams - Business:
i. Policy + Documentation + Internal Audit
ii. Assurance, Events, Education, Org-Assurers
iii. Dispute Resolution: Arbitrators + Case Managers

Helping CAcert? 2. the teams - Systems:
i. Support: Triage + Support Engineers
ii. Software: Testing, Development, Assessment
iii. Sysadm: Critical, Access, Infrastructure, Hosting

Basics
Every role requires...
✔ The breadth and basics of CAcert.
✔ Assurer, cf. CARS.
✔ Helping with recruiting and training.
✔ Following Policies, Practices, Rulings.

Senior Assurers
Senior Assurers help and run ATEs, recruit, develop the reach of Assurance (TTP), and develop the CATS Assurer Challenge. They are strong on Assurance. They are comfortable with people, presentations, and Community.
SA: full 50 EPs, attend ATE, co-audit, CARS

i. Policy Group
Write, lead, and vote Policies to approval. Watch implementation and rulings. They are strongly aware of the policies and principles of the Community. They are familiar with Security, IT standards and general business processes.
Join =>

Organisation Assurers
Organisation Assurers verify Orgs. They are good with org regulations, careful and methodical. They are strong on Assurance and understand the needs of business.

Arbitrators
Arbitrators are people who show exceptionally good judgement in resolving difficult situations. They are strongly aware of the policies and principles of the Community. Good at listening, researching, thinking, reducing and writing.

Case Managers
Case Managers are organised, good with detail, on top of email, and comfortable with working to the tune of the Arbitrator. And they do not fall into the trap of letting their opinions carry them away.

Triage
Triage have: some time, daily; comfortable with webapps (OTRS); able to quickly dive into messy emails and slice and dice them to the right place: Support Engineer, Arbitration, etc...
Triage is the starting place for a lot of things...

“Critical Roles”
Roles under Security Policy require...
✔ Arbitrated Background Check (ABC)
✔ Team-leader approval
✔ Board approval
SP 9.2 process, because of the access to data or special features.

Support Engineers
Support Engineers are people with lots of time, able to communicate with humans and techies. SEs are very patient, cautious and reliable. SEs are “completers,” very methodical.
SP: ABC+approval

Software
New: larger architecture + design; Java (middle/biz), PHP+Javascript, C/C++ likely.
Old: patience with old, undocumented PHP. And a desire to get us back on track with fixes!
Testers: patient, communicative with techies, and can see the human/user view.
Software Assessors: approve changes.
SP: ABC+approval.

Infra Team
Infrastructure Sysadms are very good with Linux, and know quite a lot about security practices. Because of our need for 4 eyes and dual control and redundant access to our systems, all sysadms work with 1-3 others in small teams. Follow doco, share brief reports on actions.

Access Engineers
Access Engineers: located near Ede, NL. Strongly familiar with security access controls and with basics of hardware and hosting. Watches for proper procedures and controls. Follows Security Policy, records actions.
SP: ABC+approval.

Critical Sysadms
The systems administrators on the critical team work to Security Policy (“the bible”) and other documentation. Strongly familiar with security. Working with at least 1 other under 4 eyes or dual control. Follows Security Policy, records actions.
SP: ABC+approval.

i. Audit Team
Support the Audit – Disclosures
Identify the distribution possibilities (leaders, event reports, CARS, co-audit)
They are broadly aware of fabric & structure, from policies + principles to implementation. Strong on Security, IT standards and general business processes.

Towards Audit
Outcome: Evidence-based verification of RAs.

CAcert Incorporated
Legal entity: NSW Association of Members. 60 members on book, at GMs. Resolutions, committee elections, S+AGMs. Counter-party to contracts like CCA. Application, nominator, seconder, $10.

Board
Committee of the Association is “executive”. 7 members. Appoint t/ls, Arbs, criticals. Manage Ops. Implement the policies + rulings. Broad IT & business experience. Voted at AGM or SGM, or appointed.

Governance

Helping CAcert? Building the teams (redux)
i. All of these teams exist
ii. More in Annual Reports:
iii. svn.cacert.org/CAcert_Inc/General_Meetings/
iv. AGM /CAcert_Annual_Report_2009.pdf
v. 13 teams, 28 pages, 20 cats, 3 kangaroos...
vi. Straw poll: = 39
vii. No HR department, just ask...

Towards Audit
What can I do for my audit?