Presentation is loading. Please wait.

Presentation is loading. Please wait.

© CAcert, 2009 Ulrich Schroeter, Assurer Training Events, April 2009 How Cacert responded to audit...

Published byTobias Owens Modified over 8 years ago

Similar presentations

Presentation on theme: "© CAcert, 2009 Ulrich Schroeter, Assurer Training Events, April 2009 How Cacert responded to audit..."— Presentation transcript:

1 www.cacert.orgwww.cacert.org © CAcert, 2009 Ulrich Schroeter, Assurer Training Events, April 2009 How Cacert responded to audit...

2 www.cacert.orgwww.cacert.org © CAcert, 2009 Ulrich Schroeter, Assurer Training Events, April 2009 We are... The community Certification Authority 4000++ Assurers Europe, USA CAcert Inc. (NSW) Challenged by Audit To get into the browsers...

3 www.cacert.orgwww.cacert.org © CAcert, 2009 Ulrich Schroeter, Assurer Training Events, April 2009 Towards Audit The 1 st Audit 2009 review Primary difficulty: lack of capacity Deeper reason: “someone (else) is doing it.” Realisation that Auditor doesn't 'do' the audit Board cannot 'do' the audit Only the Community can muster the capacity

4 www.cacert.orgwww.cacert.org © CAcert, 2009 Ulrich Schroeter, Assurer Training Events, April 2009 Towards Audit New strategy for audit 1. Change the message 2. Build up the capacity... 3. Teams fix the problems 4. Distribute the work 5. Engage Auditor: i. RA, ii. CA

5 www.cacert.orgwww.cacert.org © CAcert, 2009 Ulrich Schroeter, Assurer Training Events, April 2009 Vertical view CAcert has three major business areas: a) Assurance (the “RA”) b) Systems (the “CA”) c) Community (subscribers, “RPs”)

6 www.cacert.orgwww.cacert.org © CAcert, 2009 Ulrich Schroeter, Assurer Training Events, April 2009 Helping CAcert? 2. the teams - Business: i. Policy + Documentation + Internal Audit ii. Assurance, Events, Education, Org-Assurers iii. Dispute Resolution: Arbitrators + Case Managers

7 www.cacert.orgwww.cacert.org © CAcert, 2009 Ulrich Schroeter, Assurer Training Events, April 2009 Helping CAcert? 2. the teams - Systems: i. Support: Triage + Support Engineers ii. Software: Testing, Development, Assessment iii. Sysadm: Critical, Access, Infrastructure, Hosting

8 www.cacert.orgwww.cacert.org © CAcert, 2009 Ulrich Schroeter, Assurer Training Events, April 2009 Basics Every role requires... ✔ The breadth and basics of CAcert. ✔ Assurer c.f., CARS. ✔ Helping with recruiting and training. ✔ Following Policies, Practices, Rulings.

9 www.cacert.orgwww.cacert.org © CAcert, 2009 Ulrich Schroeter, Assurer Training Events, April 2009 Senior Assurers Senior Assurers help and run ATEs, recruit, develop the reach of Assurance (TTP), and develop the CATS Assurer Challenge. They are strong on Assurance. They are comfortable with people, presentations, and Community. SA: full 50 EPs, attend ATE, co-audit, CARS

10 www.cacert.orgwww.cacert.org © CAcert, 2009 Ulrich Schroeter, Assurer Training Events, April 2009 i. Policy Group Write, lead, vote Policies to approval. Watch implementation, rulings. They are strongly aware of the policies and principles of the Community. They are familiar with Security, IT standards and general business processes. Join cacert-policy@ => https://lists.cacert.org/

11 www.cacert.orgwww.cacert.org © CAcert, 2009 Ulrich Schroeter, Assurer Training Events, April 2009 Organisation Assurers Organisation Assurers verify Orgs. They are good with org regulations, careful and methodical. They are strong on Assurance and understand the needs of business.

12 www.cacert.orgwww.cacert.org © CAcert, 2009 Ulrich Schroeter, Assurer Training Events, April 2009 Arbitrators are people who show exceptionally good judgement in resolving difficult situations. They are strongly aware of the policies and principles of the Community. Good at listening, researching, thinking, reducing and writing. Arbitrators

13 www.cacert.orgwww.cacert.org © CAcert, 2009 Ulrich Schroeter, Assurer Training Events, April 2009 Case Managers are organised, good with detail, on top of email, and comfortable with working to the tune of the Arbitrator. And, they do not fall in the trap of letting their opinions carry them away. Case Managers

14 www.cacert.orgwww.cacert.org © CAcert, 2009 Ulrich Schroeter, Assurer Training Events, April 2009 Triage have: some time, daily, comfortable with webapps (OTRS), able to quickly dive into messy emails, slice and dice them to the right place Support Engineer, Arbitration, etc... Triage is the starting place for a lot of things... Triage

15 www.cacert.orgwww.cacert.org © CAcert, 2009 Ulrich Schroeter, Assurer Training Events, April 2009 “Critical Roles” Roles under Security Policy require... ✔ Arbitrated Background Check (ABC) ✔ Team-leader approval ✔ Board approval SP 9.2 process because of the access to data or special features.

16 www.cacert.orgwww.cacert.org © CAcert, 2009 Ulrich Schroeter, Assurer Training Events, April 2009 Support Engineers are people with lots of time, able to communicate with humans and techies. SEs are very patient, cautious and reliable. SEs are “completers,” very methodical. SP: ABC+approval Support Engineers

17 www.cacert.orgwww.cacert.org © CAcert, 2009 Ulrich Schroeter, Assurer Training Events, April 2009 New: larger architecture + design Java (middle/biz), PHP+Javascript, C/C++ likely. Old: patience with old, undocumented PHP. And a desire to get us back on track with fixes! Testers: patient, communicative with techies and can see the human/user view. Software Assessors: approve changes SP: ABC+approval. Software

18 www.cacert.orgwww.cacert.org © CAcert, 2009 Ulrich Schroeter, Assurer Training Events, April 2009 Infrastructure Sysadms are very good with Linux, and know quite a lot about security practices. Because of our need for 4 eyes and dual control and redundant access to our systems, all sysadms work with 1-3 others in small teams. Follow doco, share brief reports on actions. Infra Team

19 www.cacert.orgwww.cacert.org © CAcert, 2009 Ulrich Schroeter, Assurer Training Events, April 2009 Access Engineers: located near Ede, NL. Strongly familiar with security access controls and with basics of hardware and hosting. Watches for proper procedures and controls. Follows Security Policy, records actions. SP: ABC+approval. Access Engineers

20 www.cacert.orgwww.cacert.org © CAcert, 2009 Ulrich Schroeter, Assurer Training Events, April 2009 The systems administrators on the critical team work to Security Policy (“the bible”) and other documentation. Strongly familiar with security. Working with at least 1 other under 4 eyes or dual control. Follows Security Policy, records actions. SP: ABC+approval. Critical Sysadms

21 www.cacert.orgwww.cacert.org © CAcert, 2009 Ulrich Schroeter, Assurer Training Events, April 2009 i. Audit Team Support the Audit – Disclosures Identify the distribution possibilities (leaders, event reports, CARS, co-audit) They are broadly aware of fabric & structure From policies + principles to implementation. Strong on Security, IT standards and general business processes.

22 www.cacert.orgwww.cacert.org © CAcert, 2009 Ulrich Schroeter, Assurer Training Events, April 2009 3. Towards Audit Outcome: Evidence-based verification of RAs.

23 www.cacert.orgwww.cacert.org © CAcert, 2009 Ulrich Schroeter, Assurer Training Events, April 2009 Legal entity: NSW Association of Members. 60 members on book, 30-40 at GMs. Resolutions, committee elections, S+AGMs. Counter-party to contracts like CCA. Application, nominator, seconder, $10. CAcert Incorporated

24 www.cacert.orgwww.cacert.org © CAcert, 2009 Ulrich Schroeter, Assurer Training Events, April 2009 Committee of the Association is „executive“. 7 members. Appoint t/ls, Arbs, criticals. Manage Ops. Implement the policies + rulings. Broad IT & business experience. Voted at AGM or SGM, or appointed. Board

25 www.cacert.orgwww.cacert.org © CAcert, 2009 Ulrich Schroeter, Assurer Training Events, April 2009 Governance

26 www.cacert.orgwww.cacert.org © CAcert, 2009 Ulrich Schroeter, Assurer Training Events, April 2009 Helping CAcert? Building the teams (redux) i. All of these teams exist ii. More in Annual Reports: iii. svn.cacert.org/CAcert_Inc/General_Meetings/ iv. AGM-20100130/CAcert_Annual_Report_2009.pdf v. 13 teams, 28 pages, 20 cats, 3 kangaroos... vi. 2009 Straw poll: 3+4+5+5+4+2+4+5+6+2 = 39 vii. No HR department, just ask...

27 www.cacert.orgwww.cacert.org © CAcert, 2009 Ulrich Schroeter, Assurer Training Events, April 2009 Towards Audit What can I do for my audit?

Download ppt "© CAcert, 2009 Ulrich Schroeter, Assurer Training Events, April 2009 How Cacert responded to audit..."

Similar presentations

CIP Cyber Security – Security Management Controls

CIP Cyber Security – Security Management Controls
Chapter 7: Key Process Areas for Level 2: Repeatable - Arvind Kabir Yateesh.

Chapter 7: Key Process Areas for Level 2: Repeatable - Arvind Kabir Yateesh.
Sodexo.com Group Internal Audit. page 2 helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and.

Sodexo.com Group Internal Audit. page 2 helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and.
CPD means adding to your professional knowledge and keeping your skills up to date throughout your career Professional knowledge is based on formal qualifications.

CPD means adding to your professional knowledge and keeping your skills up to date throughout your career Professional knowledge is based on formal qualifications.
ISO27001 Why you should care.. What? An (the) international standard for Information Security Derived from BS7799 Very comprehensive, very large – ISO27001.

ISO27001 Why you should care.. What? An (the) international standard for Information Security Derived from BS7799 Very comprehensive, very large – ISO27001.
PTA Officer Training May 2014. RESTRICTIVE RULES Who Needs Them?

PTA Officer Training May RESTRICTIVE RULES Who Needs Them?
Control environment and control activities. Day II Session III and IV.

Control environment and control activities. Day II Session III and IV.
Recruiting for Board Members Process I. What Are You Looking For? II. Recruit Candidates for Each Open Seat III. How to Recruit Prospects IV. Application.

Recruiting for Board Members Process I. What Are You Looking For? II. Recruit Candidates for Each Open Seat III. How to Recruit Prospects IV. Application.
1 CHCOHS312A Follow safety procedures for direct care work.

1 CHCOHS312A Follow safety procedures for direct care work.
Presentation for Club Development Information Seminar - August 28, 2010 Club Committees – Roles, Structures and Meetings A Set of Standards for Club Committees.

Presentation for Club Development Information Seminar - August 28, 2010 Club Committees – Roles, Structures and Meetings A Set of Standards for Club Committees.
University of Sunderland CIFM03Lecture 3 1 QMS / Standards CIFM03 Lecture 3.

University of Sunderland CIFM03Lecture 3 1 QMS / Standards CIFM03 Lecture 3.
Business and Industry Certification Overview and Notebook Pages  The following is an overview of the required documentation for BIC. The following is.

Business and Industry Certification Overview and Notebook Pages  The following is an overview of the required documentation for BIC. The following is.
Elements of Code of Corporate Governance: East Asia Perspective Prof. Stephen Y.L. Cheung Department of Economics & Finance City University of Hong Kong.

Elements of Code of Corporate Governance: East Asia Perspective Prof. Stephen Y.L. Cheung Department of Economics & Finance City University of Hong Kong.
Test Organization and Management

Test Organization and Management
“ Technology Working For People” Intro to HIPAA and Small Practice Implementation.

“ Technology Working For People” Intro to HIPAA and Small Practice Implementation.
Unit 8:COOP Plan and Procedures  Explain purpose of a COOP plan  Propose an outline for a COOP plan  Identify procedures that can effectively support.

Unit 8:COOP Plan and Procedures  Explain purpose of a COOP plan  Propose an outline for a COOP plan  Identify procedures that can effectively support.
Internal controls. Session objectives Define Internal Controls To understand components of Internal Controls, control environment and types of controls.

Internal controls. Session objectives Define Internal Controls To understand components of Internal Controls, control environment and types of controls.
1 Growth Centres Commission www.gcc.nsw.gov.au Corruption Prevention Network – Annual Forum 11 September 2008 Corruption Prevention Network Annual Forum.

1 Growth Centres Commission Corruption Prevention Network – Annual Forum 11 September 2008 Corruption Prevention Network Annual Forum.
Issues in Corporate Governance: Board Structures and Functions Based on a Student Presentation by Joshua Shullaw and Matthew Domeyer.

Issues in Corporate Governance: Board Structures and Functions Based on a Student Presentation by Joshua Shullaw and Matthew Domeyer.
Your Ambulance Service Foundation Trust Consultation.

Your Ambulance Service Foundation Trust Consultation.

Similar presentations

Ads by Google