
CA Audit Post



cross-posting, apologies to those of you who have already seen this

-----Original Message-----
From: Ozgar, Gene A [mailto:gozgar@KPMG.COM]
Sent: Sunday, December 05, 1999 10:00 AM
To: ECRULES@SECRETARY.STATE.NC.US
Subject: FW: NC E-Commerce Act Rules,Certificate Autho


John,

I'm a co-chair of the "audit and attestation" section of the ABA ISC working
group that you describe, and happen to be based in Charlotte.  We have
drafted a section of the ABA document which outlines in detail the
characteristics of the CA auditor.  I've been watching these NC EC
discussions with great interest, and would be glad to have a discussion
about this.  Maybe we can speak with the Secretary about this in person.

BTW, our work in the ABA is agnostic regarding the actual designation (CPA,
CISSP, etc.) but rather outlines the desired characteristics.

I believe that the auditor should possess adequate technical training with a
demonstrated proficiency in:

§ Public key infrastructure technology
§ Information security tools and techniques
§ Security auditing
§ The third-party attest function

The auditor should be organizationally independent of the CA's operation and
policy authorities.

The auditor should be accredited by a recognized professional organization
or association.  Membership in the particular organization or association
should require the possession of certain skill sets, quality assurance
measures such as peer review, standards with respect to proper assignment of
staff to engagements, and requirements for continuing professional
education.

If the above is true, then in many cases, the skills necessary to perform
the audit of a CA will not repose in a single individual.  Other important 
requirements for attestation are objectivity and credibility, and the
willingness and ability to take on the liability that may come with the
attestation.  A CA audit will be considered of great value when it is
performed by an organization that is notorious for integrity and possession
of the characteristics described above.  Also, firms who perform attestation
services and meet quality assurance requirements are likely to bring a team
of professionals (CPA, CISSP, others?) to bear that is appropriate to the
risks of the given audit engagement.

If there were one perfectly aligned professional designation I guess we
wouldn't be having this conversation.  Just some ideas.


Gene

Gene Ozgar
KPMG LLP
gozgar@kpmg.com

-----Original Message-----
From: John Messing [mailto:jmessing@LAW-ON-LINE.COM]
Sent: Friday, December 03, 1999 5:59 AM
To: ECRULES@SECRETARY.STATE.NC.US
Subject: Re: NC E-Commerce Act Rules, Certificate Autho


You may recall that we met on the podium of a speaker from Tom Smedinghoff's
law firm at the 1997 or 1998 RSA Security Conference. Your name was one that
stuck in my mind.

I find your comments very interesting. I work with the ABA's ISC, which is
currently authoring a document on audits of certification authorities and
the accreditation of auditors, similar in concept to the Digital Signature
Guidelines which it generated a number of years ago. I would like to forward
these two posts to the list serve for that group, for comment, but I would
like your permission first.

My company, Law-on-Line, does e-filings and uses PGP for its digital
signatures. I am also working with another start-up, Signauthority.com, LLC,
which uses the technology of Extensible Key Infrastructure, XKI, rather than
PKI. If you are interested, we can discuss it at some future time.

I am glad to see how your expertise in this area has developed.

Best regards.

----- Original Message -----
From: Kepa Zubeldia <kepa.zubeldia@ENVOY.COM>
To: <ECRULES@SECRETARY.STATE.NC.US>
Sent: Thursday, December 02, 1999 4:36 PM
Subject: Re: NC E-Commerce Act Rules, Certificate Autho


> Peter,
>
> I believe it is a mistake to remove the Security Audit.  Unless the
> Secretary wants to perform an Audit or an Accreditation/Certification of
> each Licensed CA, the Security Audit performed by a third party is the best
> way to assure compliance with the requirements to be a CA.
>
> The problem is that a SAS70 audit is probably not the best metric.  In my
> opinion a CS2 audit using the CPS and Certificate Policies as the "Security
> Target" for the Audit is the best way to go.  This way the auditors can
> certify that the CA does in fact meet the terms of the CPS.  The CPS is
> approved by the Secretary of State, and the Auditor is the one that verifies
> compliance with the terms of the license.  Of course, the CPS will have to
> include the fact that the CA is compliant with the Act and the Rules in N.C.
>
> As for the qualifications of the auditor, a CISSP is much better than an
> accountant, but you could require that the auditor be both a CISSP and a
> CPA.
>
> As for the risk assessment, I believe that a CA should only be licensed
> once they are in production and can be audited as being in compliance with
> their own CPS.  Having a licensed CA that is not in production and is only
> under construction is such a moving target that any attempt to audit it
> would be meaningless in a very short time.
>
> If you want we can discuss this over the phone or on a conference call.
>
> Thanks for the opportunity to comment on these proposed changes.
>
> Kepa Zubeldia
> ARCANVS, Inc.
>
> ____________________Reply Separator____________________
> Subject:    NC E-Commerce Act Rules,                Certificate Authorit
> Author: This is the Electronic Commerce Rules Forum List
> <ECRULES@SECRETARY.STATE.NC.US>
> Date:       11/22/99 12:44 PM
>
> Reference is made to paragraph (4) Security Audits:
>
> And what qualifications and certifications are needed for the person who
> performs the "security audit"?  Can a Certified Information Systems
> Security Professional (CISSP) perform such an audit or must it be done by a
> Chartered (or other) Accountant?  What, legally, constitutes an "audit" in
> this context?  Is it defined by the process that is carried out or by the
> certifications and qualifications that the person doing the audit
> possesses?  If so, what are the set of such certifications and
> qualifications, and how do they relate to security and the technical
> knowledge and knowledge of the technology?  Can NC corporations that are
> NOT independent NATIONALLY recognized security audit firms be approved by
> the EC section?  Since there is no professional organization that certifies
> firms to do security audits, only the professionals themselves
> (www.isc2.org), then how does a firm become qualified?  A security audit can
> only be done against a production system to validate that it is in fact
> secure based on the knowledge of the security auditor.  Prior to production
> a risk assessment is performed under the methodology of certification and
> accreditation.  Don't you want a risk assessment (C&A) done with a report
> to the EC Section and audits after the systems are in production?
>
> To be continued...
>
>
> ______________________________________________________
> Get Your Private, Free Email at http://www.hotmail.com
>
*****************************************************************************
The information in this email is confidential and may be legally privileged.
It is intended solely for the addressee. Access to this email by anyone else
is unauthorized.

If you are not the intended recipient, any disclosure, copying, distribution
or any action taken or omitted to be taken in reliance on it, is prohibited
and may be unlawful. When addressed to our clients any opinions or advice
contained in this email are subject to the terms and conditions expressed in
the governing KPMG client engagement letter.
*****************************************************************************

To unsubscribe send the following in the body of a message to
listserv@abanet.org  - unsubscribe st-isc