Auditing of a Certification Authority
Patrick Cain, CISA, CISM, The Cooper-Cain Group, Inc.

The Parties of a Digital Transaction
- Originator of the 'bits' (aka Originator, Signer, Alice)
- Receiver of the 'bits' (aka Recipient, Verifier, Bob)
- Both parties may rely on digital certificates
  - Proper receiver ID is nice if a contract is based on a digital signature or one is using encryption
  - The receiver may base his business processes on how a CA fills in certificates
- How can we tell if a CA is doing what we want?

General Plan
- The Certificate Policy (CP) is the public rules that govern a PKI. This may be handed down from on high or developed by a CA/OA.
- The Certification Practice Statement (CPS) defines 'how' the PKI meets its obligations in the CP.
  - The CPS may or may not be publicly available. Portions may not be available to all subscribers.
- An independent party should be able to verify the PKI's compliance with the CP.

The Purpose of An Audit
- To show compliance with a CP or CPS
  - Superior CA needs assurance you comply
  - Customers/Users/EE/(lawyers) may want assurance
  - Good PR
  - Show insurers or regulators you comply with laws
- There is no 'standard' PKI audit
  - Audits to show compliance with a superior entity: Fed Bridge CA; Web/Sys Trust, Truste; Verisign class n, n+1, n*n
  - SAS70 audit to show your policies match operations
  - ISO17799 audit to show you have a security plan

A Process
- The ABA InfoSec Committee generated guidance on what goes into CPs and CPSs and how to accurately audit a PKI: Annex C of the PKI Assessment Guidelines
- The goal is to get the lawyers, regulators, insurers, customers, and lawyers to agree that the output of the PKI is acceptable before the PKI starts cranking out stuff

Prerequisites for a CA evaluation
- A threat and risk assessment (TRA) should be conducted;
- A documented Certificate Policy is required. (Adherence of the Certificate Policy to the IETF PKIX Part Framework is recommended;)
- A supporting Certification Practice Statement is required. Adherence of the Certification Practice Statement to the IETF PKIX Part 4 framework is recommended; and
- A written assertion, by the operational authority, that it has appropriately designed and implemented certification practices to reasonably achieve the requirements of the Certificate Policy and that such certification practices have operated with sufficient effectiveness during some defined period of time.

The Audit Process
- Planning
- Generate Controls Table for the CPS
- Operating authority buys into controls table
- Read docs; talk to people; get documentation; do a site visit
- Generate draft report
- Receive comments on report from auditee
- Finalize report
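The General Plan, prerequisites and audit-process slides above describe a CP that states requirements, a CPS that says how the CA meets them, evidence gathered for a defined period of operation, and a controls table that joins them. The following is an added example, not code from the presentation or from the ABA guidelines, that builds such a controls table and lists the findings an auditor would raise (CP requirements the CPS is silent on, practices with no evidence, and evidence that does not fall inside the asserted period); all section references, practices and evidence are constructed sample data for a hypothetical CA, numbered in the style of RFC 3647.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Evidence:
    description: str
    observed: date          # date the auditor saw the control operating

@dataclass
class Control:
    cp_ref: str             # CP section (constructed, RFC 3647-style numbering)
    requirement: str        # what the CP demands
    cps_practice: str = ""  # how the CPS says it is met; "" = CPS is silent
    evidence: list = field(default_factory=list)

def controls_table(cp, cps):
    """Join CP requirements to CPS practices by section reference."""
    return [Control(ref, req, cps.get(ref, "")) for ref, req in cp.items()]

def audit_findings(table, period_start, period_end):
    """Findings: CP gaps, untested controls, evidence outside the audit period."""
    findings = []
    for c in table:
        if not c.cps_practice:
            findings.append(f"{c.cp_ref}: CPS does not address '{c.requirement}'")
        elif not c.evidence:
            findings.append(f"{c.cp_ref}: no evidence that the practice operates")
        elif not all(period_start <= e.observed <= period_end for e in c.evidence):
            findings.append(f"{c.cp_ref}: evidence falls outside the audit period")
    return findings

# Constructed sample CP, CPS and evidence (hypothetical CA, not a real one).
SAMPLE_CP = {
    "5.2.2": "Two persons required for CA private key activation",
    "6.1.5": "CA key size at least 2048-bit RSA",
    "4.9.7": "CRL issued at least every 24 hours",
}
SAMPLE_CPS = {
    "5.2.2": "HSM requires 2 of 5 operator cards",
    "6.1.5": "CA keys are 4096-bit RSA generated in the HSM",
}
SAMPLE_EVIDENCE = {
    "5.2.2": [Evidence("Key ceremony script signed by 2 operators", date(2023, 3, 10))],
    "6.1.5": [Evidence("CA certificate inspected on site visit", date(2022, 12, 1))],
}

def run_sample():
    # Build the table for the sample CA and audit the first half of 2023.
    table = controls_table(SAMPLE_CP, SAMPLE_CPS)
    for c in table:
        c.evidence = SAMPLE_EVIDENCE.get(c.cp_ref, [])
    return audit_findings(table, date(2023, 1, 1), date(2023, 6, 30))
```

Running run_sample() reports the key-size evidence as predating the audit period and the CRL requirement as unaddressed by the CPS, while the two-person control passes.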

Is an Audit Painful?
- The CP, CPS, and procedures must exist; 'virtual documents' don't cut it
  - These docs should already be approved and tested
  - If you pass the audit then change the procedures.....
- An audit is for a point-in-time
  - They get to be redone periodically
- If the audit discovers discrepancies:
  - They can/may be fixed on the fly and noted in the auditor's report
  - You and the auditor work together on this...

More Information
- The ABA Digital Signature Guidelines
- The ABA PKI Assessment Guide
Patrick Cain, CISA, CISM, The Cooper-Cain Group, Inc.