Presentation is loading. Please wait.

Presentation is loading. Please wait.

CAcert and the Audit.

Published byMadeleine Wright Modified over 6 years ago

Similar presentations

Presentation on theme: "CAcert and the Audit."— Presentation transcript:

1 CAcert and the Audit

2 CAcert and the Audit To get CAcert Root into Browsers
=> Audit is required => which requires: management policies review of business & systems => against policies!

3 CAcert and the Audit CAcert has three major business areas:
Assurance (the “RA”) Systems (the “CA”) Community (subscribers, RPs)

4 c. Audit and Assurance

5 Audit - Assurance a. Assurance
Assurance Policy is in full POLICY status It is binding on all Assurers The process of Assurance can be reviewed.

6 Audit - Assurance a.i Three major processes for Audit:
CATS Assurer Challenge ATE – Assurer Training Event. Co-audit

7 Audit - Assurance CATS Assurer Challenge
CAcert Automated Testing System 25 multiple-choice questions, 80% to pass. You can do it as many times as you like Sets a minimum standard

8 Audit - Assurance Assurer Training Event ATE is here today!
20 so far in Europe Germany, Innsbruck, Belgium, Denmark, Paris, London, Prague, Budapest Tells you what you need to know Highly recommended

9 Audit - Assurance Co-Audit You assure the Co-Auditor
Collect Evidence of Assurance-to- policy verifies quality of assurance: “A.2.y The CP details how the CA verifies that RAs operate in accord with the CA's policies. (Also: lots of feedback)

10 Audit - Assurance a.ii Detailed Changes to Assurance Member statements
„Information is correct” „I agree to CCA” Assurer states: „was conducted to Assurance Policy” CARS: CAcert Assurer Reliable Statement

11 Audit - Assurance a.iii The review of Assurance
2009 February – June evidence gathered Audit terminated for other reasons. Possibility of Assurance Review late 2010

12 b. Audit and the Systems

13 Audit - Systems b.i Systems Review required: secure hosting
(Teams, Facility, Machines) Security Policy Software

14 Audit - Systems b.ii Systems now has
Teams: critical sysadms, access engineers Systems in secure facility: BIT Ede, NL. 1st Oct 2008 Security Policy → DRAFT p Binding on critical roles: Sysadms, Access Engineers, Support, Software

15 Audit - Systems b.iii Issues to resolve:
Non-critical systems - underway Roots - planning Disaster Recovery - thinking Team size – need more capacity

16 Audit - Systems b.iv Software
Review at Innsbruck April 2009: „Serious difficulties in maintaining, improving and securing.” „Cannot form conclusion over software.” CPS → DRAFT July 2009 p

17 Audit - Systems b.iv Rebuilding Software
Track 1: New software development team, new design, new build: “BirdShack” good start in 2009, interrupted, now re-forming Track 2: Old software in “maintenance mode” slow start, but now 5 on the job

18 c. Audit and the Community

19 Audit - Community The audit criteria: DRC for "David Ross Criteria".
David is a retired quality engineer He started CAcert's Audit in 2005 Was called to Grand Jury duty

20 Audit - Community DRC has a strong feature. It requires the Risks,
Liabilities, and Obligations to be clearly stated to everyone!

21 Audit - Community This raised several huge barriers for the CA:
what exactly are the R/L/O? who do they apply to? are they reasonable? and, how do we deal with them?

22 Audit - Community The barrier of R/L/O is subtle:
DRC doesn't ask them to be fair, but disclosure makes us consider them, and CAcert people want things to be fair! which means we have to deal with them!

23 Audit -Community One big result of this thinking process was that we required a: CAcert Community Agreement and, it had to do many things....

24 Audit - Community The CCA had to:
a. make us into a mutually-binding Community. b. state the R/L/O c. limit the liabilities → 1000 Euros d. allocate the liabilities → back to the Members

25 Audit - Community How do we allocate the liabilities?
By making our own forum of dispute resolution „Arbitration” agreeing to be bound to that resolution, CAcert Community Agreement 3.2 writing a Policy to control that process: Dispute Resolution Policy

26 Audit - Community Summary: The original “Why” of Arbitration:
Audit (DRC) forced disclosure of Liabilities simple fix: limiting complex fix: allocation the safe and cheap way to allocate is: to use our own Arbitration (Last section discusses „How“.)

27 d. Back to the Audit

28 Audit - Past Audit went into high gear early 2009, but:
Lack of capacity Overruns in time Lack of funding Audit terminated July 2009

29 Audit - Future What is Community doing next? Rebuild Software
as with: Assurance, Arbitration, Support, Systems, Management Push Audit Work to the Community Only the Community has the scale and capability Prepare for Review over Assurance Today, your chance: ATE! Funding!

30 CAcert Plan 2010

Download ppt "CAcert and the Audit."

Similar presentations

Module N° 4 – ICAO SSP framework

Module N° 4 – ICAO SSP framework
NGSU Regional Councils – Oct/Nov 2014 Fair Treatment at Work Nationwide Group Staff Union.

NGSU Regional Councils – Oct/Nov 2014 Fair Treatment at Work Nationwide Group Staff Union.
Chapter 7: Key Process Areas for Level 2: Repeatable - Arvind Kabir Yateesh.

Chapter 7: Key Process Areas for Level 2: Repeatable - Arvind Kabir Yateesh.
More CMM Part Two : Details.

More CMM Part Two : Details.
Auditing Concepts.

Auditing Concepts.
Integration of Quality Into Accident Investigation Processes ASQ Columbia Basin Section 614 John Cornelison January 2008.

Integration of Quality Into Accident Investigation Processes ASQ Columbia Basin Section 614 John Cornelison January 2008.
Overview Lesson 10,11 - Software Quality Assurance

Overview Lesson 10,11 - Software Quality Assurance
Chapter 16 Software Quality Assurance

Chapter 16 Software Quality Assurance
The Key Process Areas for Level 2: Repeatable Ralph Covington David Wang.

The Key Process Areas for Level 2: Repeatable Ralph Covington David Wang.
Lisa Wood, CISA, CBRM, CBRA Compliance Auditor, Cyber Security

Lisa Wood, CISA, CBRM, CBRA Compliance Auditor, Cyber Security
Company Confidential Registration Management Committee 1 Asking the Right Questions Right Dale Gordon Aerojet Rocketdyne July 16, 2014.

Company Confidential Registration Management Committee 1 Asking the Right Questions Right Dale Gordon Aerojet Rocketdyne July 16, 2014.
Branch Chairs' Day 1 July 2010 Supporting and Overseeing Volunteers Marianne Wyles, Institute Secretary Rebecca Emmott, Assistant Institute Secretary Cheryl.

Branch Chairs' Day 1 July 2010 Supporting and Overseeing Volunteers Marianne Wyles, Institute Secretary Rebecca Emmott, Assistant Institute Secretary Cheryl.
Oregon’s Online Assessment Tony Alpert Oregon Department of Education CCSSO- NCSA June 21, 2010.

Oregon’s Online Assessment Tony Alpert Oregon Department of Education CCSSO- NCSA June 21, 2010.
M253 Team Work in Distributed Environments Week (3) By Dr. Dina Tbaishat.

M253 Team Work in Distributed Environments Week (3) By Dr. Dina Tbaishat.
 Definition of a quality Audit  Types of audit  Qualifications of quality auditors  The audit process.

 Definition of a quality Audit  Types of audit  Qualifications of quality auditors  The audit process.
ISMS Implementation Workshop Adaptive Processes Consulting Pvt. Ltd.

ISMS Implementation Workshop Adaptive Processes Consulting Pvt. Ltd.
Software Quality Assurance SOFTWARE DEFECT. Defect Repair Defect Repair is a process of repairing the defective part or replacing it, as needed. For example,

Software Quality Assurance SOFTWARE DEFECT. Defect Repair Defect Repair is a process of repairing the defective part or replacing it, as needed. For example,
Pertemuan 14 Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.

Pertemuan 14 Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.
Reflections on applying for TDAP and institutional designation Haymo Thiel Principal.

Reflections on applying for TDAP and institutional designation Haymo Thiel Principal.
© CAcert, 2009 Ulrich Schroeter, Assurer Training Evetns, April 2009, #2 Welcome!

© CAcert, 2009 Ulrich Schroeter, Assurer Training Evetns, April 2009, #2 Welcome!

Similar presentations

Ads by Google