SlideShare a Scribd company logo

Audit guidance for Federal PKI certfication authorities

David Sweigert
David Sweigert

This document outlines the requirements for compliance audits of cross-certified entities under the Federal Bridge Certification Authority Certificate Policy or Common Policy. It specifies that the auditor and audit must be independent and that the audit must evaluate conformance of the principal certification authority's operations and certificate practices statement to certificate policies, cross-certification agreements, and requirements. The document also describes additional requirements for new certification authorities that have only implemented some procedures in test environments.

Government & Nonprofit
1 of 3
AUDITOR LETTER OF COMPLIANCE Compliance Audit Requirements October 28, 2009 These requirements apply to all cross-certified entities under the FBCA CP or through the Common Policy (other than the C4CA). In order to evaluate a compliance audit, the following background information is required. • Identity of the Auditor and the individuals performing the audit; • Competence of the Auditor to perform audits; • Experience of the individuals performing the audit in auditing PKI systems; • Relationship of the Auditor to the entity that owns the PKI being audited. This relationship must clearly demonstrate the independence of the auditor from the entity operating or managing the PKI. The following information regarding the audit itself is required. • The date the audit was performed. • Whether a particular methodology was used, and if so, what methodology. • Which documents were reviewed as a part of the audit, including document dates and version numbers. In addition to this background, the entity should ensure that, as part of the audit, an audit summary is prepared, signed by the auditor, reporting on the following elements after conducting the compliance audit: • State that the operations of the entity PKI’s Principal CA were evaluated for conformance to the requirements of its CPS. • Report the findings of the evaluation of operational conformance to the Principal CA CPS. • State that the entity PKI’s Principal CA CPS was evaluated for conformance to the entity PKI’s CP. 1
• Report the findings of the evaluation of the Principal CA CPS conformance to the entity PKI CP. • For PKIs with multiple CAs, state whether audit reports showing compliance were on file for any additional CA components of the entity PKI • State that the operations of the Entity PKI’s Principal CA were evaluated for conformance to the requirements of all cross-certification MOAs executed by the Entity PKI with other entities. If there are no MOAs or other comparable agreements, this requirement does not apply. • Report the findings of the evaluation of the Principal CA CPS conformance to the requirements of all cross-certification MOAs executed by the Entity PKI. If there are no MOAs or other comparable agreements, this requirement does not apply. Auditing New CAs Where the Entity PKI being audited is new and some procedures have only been performed in test environments, the report must include the following: 1. State which procedures have been performed using the operational system and could be fully evaluated for conformance to the requirements of the entity PKI CPS; 2. Report the findings of the evaluation in “1.” above; 3. State which procedures have not been performed on the operational system and were evaluated for conformance to the requirements of the entity PKI CPS, but only with respect to training and procedures; 4. Report the findings of the evaluation in “3.” above; 5. State that the entity PKI’s CPS was evaluated for conformance to the supported certificate policies; 6. Report the findings of the evaluation in “5.” above. Note: These requirements are separate and distinct from the certification and accreditation requirements imposed by the Designated Approving Authority (DAA). Since the FBCA/Common Policy CPs are neutral as to audit methodology, and do not prefer one methodology over another, any audit approach is acceptable provided that these points are addressed. At the present time, a default WebTrust for CA audit will not satisfy the requirements set forth above. To meet FBCA/Common Policy requirements, the 2
management assertions of the entity being audited would need to include the substance of the following assertions: 1. The Entity-CPS conforms to the requirements of the Entity-CP 2. The Entity-CA is operated in conformance with the requirements of the Entity-CPS; 3. The Entity-CA has maintained effective controls to provide reasonable assurance that: • Procedures defined in Section 1 of the Entity-CPS are in place and operational. • Procedures defined in Section 2 of the Entity-CPS are in place and operational. • Procedures defined in Section 3 of the Entity-CPS are in place and operational. • Procedures defined in Section 4 of the Entity-CPS are in place and operational. • Procedures defined in Section 5 of the Entity-CPS are in place and operational. • Procedures defined in Section 6 of the Entity-CPS are in place and operational. • Procedures defined in Section 7 of the Entity-CPS are in place and operational. • Procedures defined in Section 8 of the Entity-CPS are in place and operational. • Procedures defined in Section 9 subsections 9.4.4 and 9.6.3 are in place and operational. 4. The Entity-CA is operated in conformance with the requirements of all cross-certification MOAs executed by the Entity-CA. If there are no MOAs or other comparable agreements, this requirement does not apply. Note: The FBCA/Common Policy does not require and will not consider any statements with respect to the entity PKI’s suitability for cross certification with the FBCA/Common Policy or conformance to the FBCA/Common Policy certificate policies. Such a determination is exclusively the purview of the FPKIPA and its working groups. 3

Recommended

Sas 70 Readiness
Sas 70 ReadinessSas 70 Readiness
Sas 70 Readinessmpotorti
 
Internal audit ( pdf drive )
Internal audit ( pdf drive )Internal audit ( pdf drive )
Internal audit ( pdf drive )TaDo8
 
Itaac
ItaacItaac
Itaacrodd29
 
Presentation 2 - Planning and Internal Control Evaluation
Presentation 2 - Planning and Internal Control EvaluationPresentation 2 - Planning and Internal Control Evaluation
Presentation 2 - Planning and Internal Control EvaluationMarzanur Rahman
 
Iso90011
Iso90011Iso90011
Iso90011Dan Junkins
 
Presentation 5, System based audit approach - what is it about?, Workshop on ...
Presentation 5, System based audit approach - what is it about?, Workshop on ...Presentation 5, System based audit approach - what is it about?, Workshop on ...
Presentation 5, System based audit approach - what is it about?, Workshop on ...Support for Improvement in Governance and Management SIGMA
 
Navigating the new Trust Services Criteria
Navigating the new Trust Services CriteriaNavigating the new Trust Services Criteria
Navigating the new Trust Services CriteriaMcKonly & Asbury, LLP
 
Audit Quality
Audit QualityAudit Quality
Audit QualityNik Hasyudeen
 

Recommended

Sas 70 Readiness
Sas 70 ReadinessSas 70 Readiness
Sas 70 Readinessmpotorti
 
Internal audit ( pdf drive )
Internal audit ( pdf drive )Internal audit ( pdf drive )
Internal audit ( pdf drive )TaDo8
 
Itaac
ItaacItaac
Itaacrodd29
 
Presentation 2 - Planning and Internal Control Evaluation
Presentation 2 - Planning and Internal Control EvaluationPresentation 2 - Planning and Internal Control Evaluation
Presentation 2 - Planning and Internal Control EvaluationMarzanur Rahman
 
Iso90011
Iso90011Iso90011
Iso90011Dan Junkins
 
Presentation 5, System based audit approach - what is it about?, Workshop on ...
Presentation 5, System based audit approach - what is it about?, Workshop on ...Presentation 5, System based audit approach - what is it about?, Workshop on ...
Presentation 5, System based audit approach - what is it about?, Workshop on ...Support for Improvement in Governance and Management SIGMA
 
Navigating the new Trust Services Criteria
Navigating the new Trust Services CriteriaNavigating the new Trust Services Criteria
Navigating the new Trust Services CriteriaMcKonly & Asbury, LLP
 
Audit Quality
Audit QualityAudit Quality
Audit QualityNik Hasyudeen
 
Checklist
ChecklistChecklist
Checklistdygmasnah65
 
Hs14 s-hagen
Hs14 s-hagenHs14 s-hagen
Hs14 s-hagenpandiangv
 
Internal audit and document retention
Internal audit and document retentionInternal audit and document retention
Internal audit and document retentionSanchita Mahale
 
IATF 16949: 2016
IATF 16949: 2016IATF 16949: 2016
IATF 16949: 2016Nimonik
 
audit auto nation
audit auto nationaudit auto nation
audit auto nationfinance14
 
Introduction to auditing, Meaning, Objects and Techniques
Introduction to auditing, Meaning, Objects and TechniquesIntroduction to auditing, Meaning, Objects and Techniques
Introduction to auditing, Meaning, Objects and Techniquesmack19921
 
Presentation 6, Steps of system based auditing, Workshop on System-based audi...
Presentation 6, Steps of system based auditing, Workshop on System-based audi...Presentation 6, Steps of system based auditing, Workshop on System-based audi...
Presentation 6, Steps of system based auditing, Workshop on System-based audi...Support for Improvement in Governance and Management SIGMA
 
IATF 16949 2016 implementation phases
IATF 16949 2016 implementation phasesIATF 16949 2016 implementation phases
IATF 16949 2016 implementation phasesAmit Mishra
 
Iatf 16949 training
Iatf 16949 trainingIatf 16949 training
Iatf 16949 trainingdishashah4993
 
Audit Review & Reliance
Audit Review & RelianceAudit Review & Reliance
Audit Review & RelianceFaraz Mehdi
 
Audit
AuditAudit
AuditSudanPudasaini1
 
Process Audit and ISO
Process Audit and ISOProcess Audit and ISO
Process Audit and ISOSadafhazel
 
OPERATING AND MANAGEMENT OF AUDIT IN AUDIT AND REGULATORY COMPLIANCE
OPERATING AND MANAGEMENT OF AUDIT IN AUDIT AND REGULATORY COMPLIANCEOPERATING AND MANAGEMENT OF AUDIT IN AUDIT AND REGULATORY COMPLIANCE
OPERATING AND MANAGEMENT OF AUDIT IN AUDIT AND REGULATORY COMPLIANCEAditi Roy
 
Quality audit- Quality audit is the process of systematic examination of a qu...
Quality audit- Quality audit is the process of systematic examination of a qu...Quality audit- Quality audit is the process of systematic examination of a qu...
Quality audit- Quality audit is the process of systematic examination of a qu...Sanchit Dhankhar
 
Internal audit of manufacturing co
Internal audit of manufacturing coInternal audit of manufacturing co
Internal audit of manufacturing comaheshr254
 
Operations auditing
Operations auditingOperations auditing
Operations auditingRod Licayan
 
Telefonica Case Study
Telefonica Case Study Telefonica Case Study
Telefonica Case Study Felipe Scholz
 
Audit & compliance
Audit & complianceAudit & compliance
Audit & complianceGDE Coaching - Jean Noel Macaque
 
Sppt chap017
Sppt chap017Sppt chap017
Sppt chap017Awais Ahmed
 
04 Audit documentation
04 Audit documentation 04 Audit documentation
04 Audit documentation CA. (Dr.) Rajkumar Adukia
 
Psqc redrafted
Psqc redraftedPsqc redrafted
Psqc redraftedRS NAVARRO
 
audit-charts-by-pankaj-garg.pdf
audit-charts-by-pankaj-garg.pdfaudit-charts-by-pankaj-garg.pdf
audit-charts-by-pankaj-garg.pdfKhushal3898
 

More Related Content

What's hot

Hs14 s-hagen
Hs14 s-hagenHs14 s-hagen
Hs14 s-hagenpandiangv
 
Internal audit and document retention
Internal audit and document retentionInternal audit and document retention
Internal audit and document retentionSanchita Mahale
 
IATF 16949: 2016
IATF 16949: 2016IATF 16949: 2016
IATF 16949: 2016Nimonik
 
audit auto nation
audit auto nationaudit auto nation
audit auto nationfinance14
 
Introduction to auditing, Meaning, Objects and Techniques
Introduction to auditing, Meaning, Objects and TechniquesIntroduction to auditing, Meaning, Objects and Techniques
Introduction to auditing, Meaning, Objects and Techniquesmack19921
 
IATF 16949 2016 implementation phases
IATF 16949 2016 implementation phasesIATF 16949 2016 implementation phases
IATF 16949 2016 implementation phasesAmit Mishra
 
Audit Review & Reliance
Audit Review & RelianceAudit Review & Reliance
Audit Review & RelianceFaraz Mehdi
 
Process Audit and ISO
Process Audit and ISOProcess Audit and ISO
Process Audit and ISOSadafhazel
 
OPERATING AND MANAGEMENT OF AUDIT IN AUDIT AND REGULATORY COMPLIANCE
OPERATING AND MANAGEMENT OF AUDIT IN AUDIT AND REGULATORY COMPLIANCEOPERATING AND MANAGEMENT OF AUDIT IN AUDIT AND REGULATORY COMPLIANCE
OPERATING AND MANAGEMENT OF AUDIT IN AUDIT AND REGULATORY COMPLIANCEAditi Roy
 
Quality audit- Quality audit is the process of systematic examination of a qu...
Quality audit- Quality audit is the process of systematic examination of a qu...Quality audit- Quality audit is the process of systematic examination of a qu...
Quality audit- Quality audit is the process of systematic examination of a qu...Sanchit Dhankhar
 
Internal audit of manufacturing co
Internal audit of manufacturing coInternal audit of manufacturing co
Internal audit of manufacturing comaheshr254
 
Operations auditing
Operations auditingOperations auditing
Operations auditingRod Licayan
 
Telefonica Case Study
Telefonica Case Study Telefonica Case Study
Telefonica Case Study Felipe Scholz
 

What's hot (20)

Checklist
ChecklistChecklist
Checklist
 
Hs14 s-hagen
Hs14 s-hagenHs14 s-hagen
Hs14 s-hagen
 
Internal audit and document retention
Internal audit and document retentionInternal audit and document retention
Internal audit and document retention
 
IATF 16949: 2016
IATF 16949: 2016IATF 16949: 2016
IATF 16949: 2016
 
audit auto nation
audit auto nationaudit auto nation
audit auto nation
 
Introduction to auditing, Meaning, Objects and Techniques
Introduction to auditing, Meaning, Objects and TechniquesIntroduction to auditing, Meaning, Objects and Techniques
Introduction to auditing, Meaning, Objects and Techniques
 
Presentation 6, Steps of system based auditing, Workshop on System-based audi...
Presentation 6, Steps of system based auditing, Workshop on System-based audi...Presentation 6, Steps of system based auditing, Workshop on System-based audi...
Presentation 6, Steps of system based auditing, Workshop on System-based audi...
 
IATF 16949 2016 implementation phases
IATF 16949 2016 implementation phasesIATF 16949 2016 implementation phases
IATF 16949 2016 implementation phases
 
Iatf 16949 training
Iatf 16949 trainingIatf 16949 training
Iatf 16949 training
 
Audit Review & Reliance
Audit Review & RelianceAudit Review & Reliance
Audit Review & Reliance
 
Audit
AuditAudit
Audit
 
Process Audit and ISO
Process Audit and ISOProcess Audit and ISO
Process Audit and ISO
 
OPERATING AND MANAGEMENT OF AUDIT IN AUDIT AND REGULATORY COMPLIANCE
OPERATING AND MANAGEMENT OF AUDIT IN AUDIT AND REGULATORY COMPLIANCEOPERATING AND MANAGEMENT OF AUDIT IN AUDIT AND REGULATORY COMPLIANCE
OPERATING AND MANAGEMENT OF AUDIT IN AUDIT AND REGULATORY COMPLIANCE
 
Quality audit- Quality audit is the process of systematic examination of a qu...
Quality audit- Quality audit is the process of systematic examination of a qu...Quality audit- Quality audit is the process of systematic examination of a qu...
Quality audit- Quality audit is the process of systematic examination of a qu...
 
Internal audit of manufacturing co
Internal audit of manufacturing coInternal audit of manufacturing co
Internal audit of manufacturing co
 
Operations auditing
Operations auditingOperations auditing
Operations auditing
 
Telefonica Case Study
Telefonica Case Study Telefonica Case Study
Telefonica Case Study
 
Audit & compliance
Audit & complianceAudit & compliance
Audit & compliance
 
Sppt chap017
Sppt chap017Sppt chap017
Sppt chap017
 
04 Audit documentation
04 Audit documentation 04 Audit documentation
04 Audit documentation
 

Similar to Audit guidance for Federal PKI certfication authorities

Psqc redrafted
Psqc redraftedPsqc redrafted
Psqc redraftedRS NAVARRO
 
audit-charts-by-pankaj-garg.pdf
audit-charts-by-pankaj-garg.pdfaudit-charts-by-pankaj-garg.pdf
audit-charts-by-pankaj-garg.pdfKhushal3898
 
Nicc 1 Normas Internacionales Sobre Control De Calidad 1 En Ingles
Nicc 1 Normas Internacionales Sobre Control De Calidad 1 En InglesNicc 1 Normas Internacionales Sobre Control De Calidad 1 En Ingles
Nicc 1 Normas Internacionales Sobre Control De Calidad 1 En Inglesguest4a971d
 
Psa 220-redrafted
Psa 220-redraftedPsa 220-redrafted
Psa 220-redraftedRS NAVARRO
 
Pb02 c accreditation process for cb
Pb02 c accreditation process for cbPb02 c accreditation process for cb
Pb02 c accreditation process for cbyoussefpec
 
As9100 interpretations
As9100 interpretationsAs9100 interpretations
As9100 interpretationsoziel2015
 
Nia 220 Quality Control For An Audit Of Financial En Ingles
Nia 220 Quality Control For An Audit Of Financial En InglesNia 220 Quality Control For An Audit Of Financial En Ingles
Nia 220 Quality Control For An Audit Of Financial En Inglesguest4a971d
 
A007 2010-iaasb-handbook-isqc-1
A007 2010-iaasb-handbook-isqc-1A007 2010-iaasb-handbook-isqc-1
A007 2010-iaasb-handbook-isqc-1RS NAVARRO
 
Process monitoring and_audit_sadhana
Process monitoring and_audit_sadhanaProcess monitoring and_audit_sadhana
Process monitoring and_audit_sadhanaSadhana28
 
A010 2010-iaasb-handbook-isa-220
A010 2010-iaasb-handbook-isa-220A010 2010-iaasb-handbook-isa-220
A010 2010-iaasb-handbook-isa-220RS NAVARRO
 
Value-added it auditing
Value-added it auditingValue-added it auditing
Value-added it auditingMarc Vael
 
El-Paso SOX TestingTraining- June 2007
El-Paso SOX TestingTraining- June 2007El-Paso SOX TestingTraining- June 2007
El-Paso SOX TestingTraining- June 2007Danial Khan
 
Psae 3402-final
Psae 3402-finalPsae 3402-final
Psae 3402-finalRS NAVARRO
 
Topic 4 internal control system (ics)
Topic 4 internal control system (ics)Topic 4 internal control system (ics)
Topic 4 internal control system (ics)sakura rena
 
How to Perform a Successful Internal Quality Audit
How to Perform a Successful Internal Quality AuditHow to Perform a Successful Internal Quality Audit
How to Perform a Successful Internal Quality AuditGreenlight Guru
 
Audit standards for Federal PKI Certification Authorities using PKI
Audit standards for Federal PKI Certification Authorities using PKIAudit standards for Federal PKI Certification Authorities using PKI
Audit standards for Federal PKI Certification Authorities using PKIDavid Sweigert
 
The internal audit compliance designed to relevant audit assessment
The internal audit compliance designed to relevant audit assessmentThe internal audit compliance designed to relevant audit assessment
The internal audit compliance designed to relevant audit assessmentMohammad Wahid Abdullah Khan
 
六合彩-香港六合彩
六合彩-香港六合彩六合彩-香港六合彩
六合彩-香港六合彩weige
 
香港六合彩
香港六合彩香港六合彩
香港六合彩cctv
 

Similar to Audit guidance for Federal PKI certfication authorities (20)

Psqc redrafted
Psqc redraftedPsqc redrafted
Psqc redrafted
 
audit-charts-by-pankaj-garg.pdf
audit-charts-by-pankaj-garg.pdfaudit-charts-by-pankaj-garg.pdf
audit-charts-by-pankaj-garg.pdf
 
Nicc 1 Normas Internacionales Sobre Control De Calidad 1 En Ingles
Nicc 1 Normas Internacionales Sobre Control De Calidad 1 En InglesNicc 1 Normas Internacionales Sobre Control De Calidad 1 En Ingles
Nicc 1 Normas Internacionales Sobre Control De Calidad 1 En Ingles
 
Psa 220-redrafted
Psa 220-redraftedPsa 220-redrafted
Psa 220-redrafted
 
Pb02 c accreditation process for cb
Pb02 c accreditation process for cbPb02 c accreditation process for cb
Pb02 c accreditation process for cb
 
As9100 interpretations
As9100 interpretationsAs9100 interpretations
As9100 interpretations
 
Nia 220 Quality Control For An Audit Of Financial En Ingles
Nia 220 Quality Control For An Audit Of Financial En InglesNia 220 Quality Control For An Audit Of Financial En Ingles
Nia 220 Quality Control For An Audit Of Financial En Ingles
 
A007 2010-iaasb-handbook-isqc-1
A007 2010-iaasb-handbook-isqc-1A007 2010-iaasb-handbook-isqc-1
A007 2010-iaasb-handbook-isqc-1
 
Process monitoring and_audit_sadhana
Process monitoring and_audit_sadhanaProcess monitoring and_audit_sadhana
Process monitoring and_audit_sadhana
 
A010 2010-iaasb-handbook-isa-220
A010 2010-iaasb-handbook-isa-220A010 2010-iaasb-handbook-isa-220
A010 2010-iaasb-handbook-isa-220
 
Value-added it auditing
Value-added it auditingValue-added it auditing
Value-added it auditing
 
El-Paso SOX TestingTraining- June 2007
El-Paso SOX TestingTraining- June 2007El-Paso SOX TestingTraining- June 2007
El-Paso SOX TestingTraining- June 2007
 
Psae 3402-final
Psae 3402-finalPsae 3402-final
Psae 3402-final
 
Legal Compliance Management Systems - Companies Act, 2013
Legal Compliance Management Systems - Companies Act, 2013Legal Compliance Management Systems - Companies Act, 2013
Legal Compliance Management Systems - Companies Act, 2013
 
Topic 4 internal control system (ics)
Topic 4 internal control system (ics)Topic 4 internal control system (ics)
Topic 4 internal control system (ics)
 
How to Perform a Successful Internal Quality Audit
How to Perform a Successful Internal Quality AuditHow to Perform a Successful Internal Quality Audit
How to Perform a Successful Internal Quality Audit
 
Audit standards for Federal PKI Certification Authorities using PKI
Audit standards for Federal PKI Certification Authorities using PKIAudit standards for Federal PKI Certification Authorities using PKI
Audit standards for Federal PKI Certification Authorities using PKI
 
The internal audit compliance designed to relevant audit assessment
The internal audit compliance designed to relevant audit assessmentThe internal audit compliance designed to relevant audit assessment
The internal audit compliance designed to relevant audit assessment
 
六合彩-香港六合彩
六合彩-香港六合彩六合彩-香港六合彩
六合彩-香港六合彩
 
香港六合彩
香港六合彩香港六合彩
香港六合彩
 

More from David Sweigert

The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)
The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)
The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)David Sweigert
 
Law Enforcement Cyber Incident Reporting
Law Enforcement Cyber Incident Reporting Law Enforcement Cyber Incident Reporting
Law Enforcement Cyber Incident Reporting David Sweigert
 
Sample Network Analysis Report based on Wireshark Analysis
Sample Network Analysis Report based on Wireshark AnalysisSample Network Analysis Report based on Wireshark Analysis
Sample Network Analysis Report based on Wireshark AnalysisDavid Sweigert
 
National Cyber Security Awareness Month poster
National Cyber Security Awareness Month posterNational Cyber Security Awareness Month poster
National Cyber Security Awareness Month posterDavid Sweigert
 
Department of Defense standard 8570 - CompTia Advanced Security Practitioner
Department of Defense standard 8570 - CompTia Advanced Security Practitioner Department of Defense standard 8570 - CompTia Advanced Security Practitioner
Department of Defense standard 8570 - CompTia Advanced Security Practitioner David Sweigert
 
National Cyber Security Awareness Month - October 2017
National Cyber Security Awareness Month - October 2017National Cyber Security Awareness Month - October 2017
National Cyber Security Awareness Month - October 2017David Sweigert
 
California Attorney General Notification Penal Code 646.9
California Attorney General Notification Penal Code 646.9California Attorney General Notification Penal Code 646.9
California Attorney General Notification Penal Code 646.9David Sweigert
 
Congressional support of Ethical Hacking and Cyber Security
Congressional support of Ethical Hacking and Cyber SecurityCongressional support of Ethical Hacking and Cyber Security
Congressional support of Ethical Hacking and Cyber SecurityDavid Sweigert
 
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)David Sweigert
 
Application of Racketeering Law to Suppress CrowdStalking Threats
Application of Racketeering Law to Suppress CrowdStalking ThreatsApplication of Racketeering Law to Suppress CrowdStalking Threats
Application of Racketeering Law to Suppress CrowdStalking ThreatsDavid Sweigert
 
Canada Communications Security Establishment - Threat Vector Chart
Canada Communications Security Establishment - Threat Vector ChartCanada Communications Security Establishment - Threat Vector Chart
Canada Communications Security Establishment - Threat Vector ChartDavid Sweigert
 
Port of Charleston evacuation case study: The cognitive threat of conspiracy ...
Port of Charleston evacuation case study: The cognitive threat of conspiracy ...Port of Charleston evacuation case study: The cognitive threat of conspiracy ...
Port of Charleston evacuation case study: The cognitive threat of conspiracy ...David Sweigert
 
Cyber Incident Response Team NIMS Public Comment
Cyber Incident Response Team NIMS Public CommentCyber Incident Response Team NIMS Public Comment
Cyber Incident Response Team NIMS Public CommentDavid Sweigert
 
Cyber Incident Response Team - NIMS - Public Comment
Cyber Incident Response Team - NIMS - Public CommentCyber Incident Response Team - NIMS - Public Comment
Cyber Incident Response Team - NIMS - Public CommentDavid Sweigert
 
National Incident Management System (NIMS) NQS DRAFT
National Incident Management System (NIMS) NQS DRAFTNational Incident Management System (NIMS) NQS DRAFT
National Incident Management System (NIMS) NQS DRAFTDavid Sweigert
 
National Incident Management System - NQS Public Feedback
National Incident Management System - NQS Public FeedbackNational Incident Management System - NQS Public Feedback
National Incident Management System - NQS Public FeedbackDavid Sweigert
 
Nursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERT
Nursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERTNursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERT
Nursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERTDavid Sweigert
 
National Preparedness Goals 2015 2nd edition
National Preparedness Goals 2015 2nd editionNational Preparedness Goals 2015 2nd edition
National Preparedness Goals 2015 2nd editionDavid Sweigert
 
Healthcare Sector-wide Disaster Prepardness Plan
Healthcare Sector-wide Disaster Prepardness PlanHealthcare Sector-wide Disaster Prepardness Plan
Healthcare Sector-wide Disaster Prepardness PlanDavid Sweigert
 
Cyber Risk Assessment for the Emergency Services Sector - DHS
Cyber Risk Assessment for the Emergency Services Sector - DHSCyber Risk Assessment for the Emergency Services Sector - DHS
Cyber Risk Assessment for the Emergency Services Sector - DHSDavid Sweigert
 

More from David Sweigert (20)

The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)
The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)
The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)
 
Law Enforcement Cyber Incident Reporting
Law Enforcement Cyber Incident Reporting Law Enforcement Cyber Incident Reporting
Law Enforcement Cyber Incident Reporting
 
Sample Network Analysis Report based on Wireshark Analysis
Sample Network Analysis Report based on Wireshark AnalysisSample Network Analysis Report based on Wireshark Analysis
Sample Network Analysis Report based on Wireshark Analysis
 
National Cyber Security Awareness Month poster
National Cyber Security Awareness Month posterNational Cyber Security Awareness Month poster
National Cyber Security Awareness Month poster
 
Department of Defense standard 8570 - CompTia Advanced Security Practitioner
Department of Defense standard 8570 - CompTia Advanced Security Practitioner Department of Defense standard 8570 - CompTia Advanced Security Practitioner
Department of Defense standard 8570 - CompTia Advanced Security Practitioner
 
National Cyber Security Awareness Month - October 2017
National Cyber Security Awareness Month - October 2017National Cyber Security Awareness Month - October 2017
National Cyber Security Awareness Month - October 2017
 
California Attorney General Notification Penal Code 646.9
California Attorney General Notification Penal Code 646.9California Attorney General Notification Penal Code 646.9
California Attorney General Notification Penal Code 646.9
 
Congressional support of Ethical Hacking and Cyber Security
Congressional support of Ethical Hacking and Cyber SecurityCongressional support of Ethical Hacking and Cyber Security
Congressional support of Ethical Hacking and Cyber Security
 
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
 
Application of Racketeering Law to Suppress CrowdStalking Threats
Application of Racketeering Law to Suppress CrowdStalking ThreatsApplication of Racketeering Law to Suppress CrowdStalking Threats
Application of Racketeering Law to Suppress CrowdStalking Threats
 
Canada Communications Security Establishment - Threat Vector Chart
Canada Communications Security Establishment - Threat Vector ChartCanada Communications Security Establishment - Threat Vector Chart
Canada Communications Security Establishment - Threat Vector Chart
 
Port of Charleston evacuation case study: The cognitive threat of conspiracy ...
Port of Charleston evacuation case study: The cognitive threat of conspiracy ...Port of Charleston evacuation case study: The cognitive threat of conspiracy ...
Port of Charleston evacuation case study: The cognitive threat of conspiracy ...
 
Cyber Incident Response Team NIMS Public Comment
Cyber Incident Response Team NIMS Public CommentCyber Incident Response Team NIMS Public Comment
Cyber Incident Response Team NIMS Public Comment
 
Cyber Incident Response Team - NIMS - Public Comment
Cyber Incident Response Team - NIMS - Public CommentCyber Incident Response Team - NIMS - Public Comment
Cyber Incident Response Team - NIMS - Public Comment
 
National Incident Management System (NIMS) NQS DRAFT
National Incident Management System (NIMS) NQS DRAFTNational Incident Management System (NIMS) NQS DRAFT
National Incident Management System (NIMS) NQS DRAFT
 
National Incident Management System - NQS Public Feedback
National Incident Management System - NQS Public FeedbackNational Incident Management System - NQS Public Feedback
National Incident Management System - NQS Public Feedback
 
Nursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERT
Nursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERTNursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERT
Nursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERT
 
National Preparedness Goals 2015 2nd edition
National Preparedness Goals 2015 2nd editionNational Preparedness Goals 2015 2nd edition
National Preparedness Goals 2015 2nd edition
 
Healthcare Sector-wide Disaster Prepardness Plan
Healthcare Sector-wide Disaster Prepardness PlanHealthcare Sector-wide Disaster Prepardness Plan
Healthcare Sector-wide Disaster Prepardness Plan
 
Cyber Risk Assessment for the Emergency Services Sector - DHS
Cyber Risk Assessment for the Emergency Services Sector - DHSCyber Risk Assessment for the Emergency Services Sector - DHS
Cyber Risk Assessment for the Emergency Services Sector - DHS
 

Recently uploaded

Night 7k to 12k Call Girls Service In Navi Mumbai 👉 BOOK NOW 9833363713 👈 ♀️...
Night 7k to 12k Call Girls Service In Navi Mumbai 👉 BOOK NOW 9833363713 👈 ♀️...Night 7k to 12k Call Girls Service In Navi Mumbai 👉 BOOK NOW 9833363713 👈 ♀️...
Night 7k to 12k Call Girls Service In Navi Mumbai 👉 BOOK NOW 9833363713 👈 ♀️...aartirawatdelhi
 
2024: The FAR, Federal Acquisition Regulations - Part 28
2024: The FAR, Federal Acquisition Regulations - Part 282024: The FAR, Federal Acquisition Regulations - Part 28
2024: The FAR, Federal Acquisition Regulations - Part 28JSchaus & Associates
 
VIP High Profile Call Girls Gorakhpur Aarushi 8250192130 Independent Escort S...
VIP High Profile Call Girls Gorakhpur Aarushi 8250192130 Independent Escort S...VIP High Profile Call Girls Gorakhpur Aarushi 8250192130 Independent Escort S...
VIP High Profile Call Girls Gorakhpur Aarushi 8250192130 Independent Escort S...Suhani Kapoor
 
Precarious profits? Why firms use insecure contracts, and what would change t...
Precarious profits? Why firms use insecure contracts, and what would change t...Precarious profits? Why firms use insecure contracts, and what would change t...
Precarious profits? Why firms use insecure contracts, and what would change t...ResolutionFoundation
 
Climate change and occupational safety and health.
Climate change and occupational safety and health.Climate change and occupational safety and health.
Climate change and occupational safety and health.Christina Parmionova
 
Item # 4 - 231 Encino Ave (Significance Only).pdf
Item # 4 - 231 Encino Ave (Significance Only).pdfItem # 4 - 231 Encino Ave (Significance Only).pdf
Item # 4 - 231 Encino Ave (Significance Only).pdfahcitycouncil
 
CBO’s Recent Appeals for New Research on Health-Related Topics
CBO’s Recent Appeals for New Research on Health-Related TopicsCBO’s Recent Appeals for New Research on Health-Related Topics
CBO’s Recent Appeals for New Research on Health-Related TopicsCongressional Budget Office
 
(PRIYA) Call Girls Rajgurunagar ( 7001035870 ) HI-Fi Pune Escorts Service
(PRIYA) Call Girls Rajgurunagar ( 7001035870 ) HI-Fi Pune Escorts Service(PRIYA) Call Girls Rajgurunagar ( 7001035870 ) HI-Fi Pune Escorts Service
(PRIYA) Call Girls Rajgurunagar ( 7001035870 ) HI-Fi Pune Escorts Serviceranjana rawat
 
The Most Attractive Pune Call Girls Handewadi Road 8250192130 Will You Miss T...
The Most Attractive Pune Call Girls Handewadi Road 8250192130 Will You Miss T...The Most Attractive Pune Call Girls Handewadi Road 8250192130 Will You Miss T...
The Most Attractive Pune Call Girls Handewadi Road 8250192130 Will You Miss T...ranjana rawat
 
The U.S. Budget and Economic Outlook (Presentation)
The U.S. Budget and Economic Outlook (Presentation)The U.S. Budget and Economic Outlook (Presentation)
The U.S. Budget and Economic Outlook (Presentation)Congressional Budget Office
 
Junnar ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
Junnar ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...Junnar ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
Junnar ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...tanu pandey
 
EDUROOT SME_ Performance upto March-2024.pptx
EDUROOT SME_ Performance upto March-2024.pptxEDUROOT SME_ Performance upto March-2024.pptx
EDUROOT SME_ Performance upto March-2024.pptxaaryamanorathofficia
 
Regional Snapshot Atlanta Aging Trends 2024
Regional Snapshot Atlanta Aging Trends 2024Regional Snapshot Atlanta Aging Trends 2024
Regional Snapshot Atlanta Aging Trends 2024ARCResearch
 
Artificial Intelligence in Philippine Local Governance: Challenges and Opport...
Artificial Intelligence in Philippine Local Governance: Challenges and Opport...Artificial Intelligence in Philippine Local Governance: Challenges and Opport...
Artificial Intelligence in Philippine Local Governance: Challenges and Opport...CedZabala
 
Call On 6297143586 Viman Nagar Call Girls In All Pune 24/7 Provide Call With...
Call On 6297143586 Viman Nagar Call Girls In All Pune 24/7 Provide Call With...Call On 6297143586 Viman Nagar Call Girls In All Pune 24/7 Provide Call With...
Call On 6297143586 Viman Nagar Call Girls In All Pune 24/7 Provide Call With...tanu pandey
 
PPT Item # 4 - 231 Encino Ave (Significance Only)
PPT Item # 4 - 231 Encino Ave (Significance Only)PPT Item # 4 - 231 Encino Ave (Significance Only)
PPT Item # 4 - 231 Encino Ave (Significance Only)ahcitycouncil
 
Postal Ballots-For home voting step by step process 2024.pptx
Postal Ballots-For home voting step by step process 2024.pptxPostal Ballots-For home voting step by step process 2024.pptx
Postal Ballots-For home voting step by step process 2024.pptxSwastiRanjanNayak
 
Call Girls Chakan Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Chakan Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Chakan Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Chakan Call Me 7737669865 Budget Friendly No Advance Bookingroncy bisnoi
 

Recently uploaded (20)

Delhi Russian Call Girls In Connaught Place ➡️9999965857 India's Finest Model...
Delhi Russian Call Girls In Connaught Place ➡️9999965857 India's Finest Model...Delhi Russian Call Girls In Connaught Place ➡️9999965857 India's Finest Model...
Delhi Russian Call Girls In Connaught Place ➡️9999965857 India's Finest Model...
 
Night 7k to 12k Call Girls Service In Navi Mumbai 👉 BOOK NOW 9833363713 👈 ♀️...
Night 7k to 12k Call Girls Service In Navi Mumbai 👉 BOOK NOW 9833363713 👈 ♀️...Night 7k to 12k Call Girls Service In Navi Mumbai 👉 BOOK NOW 9833363713 👈 ♀️...
Night 7k to 12k Call Girls Service In Navi Mumbai 👉 BOOK NOW 9833363713 👈 ♀️...
 
2024: The FAR, Federal Acquisition Regulations - Part 28
2024: The FAR, Federal Acquisition Regulations - Part 282024: The FAR, Federal Acquisition Regulations - Part 28
2024: The FAR, Federal Acquisition Regulations - Part 28
 
VIP High Profile Call Girls Gorakhpur Aarushi 8250192130 Independent Escort S...
VIP High Profile Call Girls Gorakhpur Aarushi 8250192130 Independent Escort S...VIP High Profile Call Girls Gorakhpur Aarushi 8250192130 Independent Escort S...
VIP High Profile Call Girls Gorakhpur Aarushi 8250192130 Independent Escort S...
 
Precarious profits? Why firms use insecure contracts, and what would change t...
Precarious profits? Why firms use insecure contracts, and what would change t...Precarious profits? Why firms use insecure contracts, and what would change t...
Precarious profits? Why firms use insecure contracts, and what would change t...
 
Climate change and occupational safety and health.
Climate change and occupational safety and health.Climate change and occupational safety and health.
Climate change and occupational safety and health.
 
Call Girls In Rohini ꧁❤ 🔝 9953056974🔝❤꧂ Escort ServiCe
Call Girls In Rohini ꧁❤ 🔝 9953056974🔝❤꧂ Escort ServiCeCall Girls In Rohini ꧁❤ 🔝 9953056974🔝❤꧂ Escort ServiCe
Call Girls In Rohini ꧁❤ 🔝 9953056974🔝❤꧂ Escort ServiCe
 
Item # 4 - 231 Encino Ave (Significance Only).pdf
Item # 4 - 231 Encino Ave (Significance Only).pdfItem # 4 - 231 Encino Ave (Significance Only).pdf
Item # 4 - 231 Encino Ave (Significance Only).pdf
 
CBO’s Recent Appeals for New Research on Health-Related Topics
CBO’s Recent Appeals for New Research on Health-Related TopicsCBO’s Recent Appeals for New Research on Health-Related Topics
CBO’s Recent Appeals for New Research on Health-Related Topics
 
(PRIYA) Call Girls Rajgurunagar ( 7001035870 ) HI-Fi Pune Escorts Service
(PRIYA) Call Girls Rajgurunagar ( 7001035870 ) HI-Fi Pune Escorts Service(PRIYA) Call Girls Rajgurunagar ( 7001035870 ) HI-Fi Pune Escorts Service
(PRIYA) Call Girls Rajgurunagar ( 7001035870 ) HI-Fi Pune Escorts Service
 
The Most Attractive Pune Call Girls Handewadi Road 8250192130 Will You Miss T...
The Most Attractive Pune Call Girls Handewadi Road 8250192130 Will You Miss T...The Most Attractive Pune Call Girls Handewadi Road 8250192130 Will You Miss T...
The Most Attractive Pune Call Girls Handewadi Road 8250192130 Will You Miss T...
 
The U.S. Budget and Economic Outlook (Presentation)
The U.S. Budget and Economic Outlook (Presentation)The U.S. Budget and Economic Outlook (Presentation)
The U.S. Budget and Economic Outlook (Presentation)
 
Junnar ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
Junnar ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...Junnar ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
Junnar ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
 
EDUROOT SME_ Performance upto March-2024.pptx
EDUROOT SME_ Performance upto March-2024.pptxEDUROOT SME_ Performance upto March-2024.pptx
EDUROOT SME_ Performance upto March-2024.pptx
 
Regional Snapshot Atlanta Aging Trends 2024
Regional Snapshot Atlanta Aging Trends 2024Regional Snapshot Atlanta Aging Trends 2024
Regional Snapshot Atlanta Aging Trends 2024
 
Artificial Intelligence in Philippine Local Governance: Challenges and Opport...
Artificial Intelligence in Philippine Local Governance: Challenges and Opport...Artificial Intelligence in Philippine Local Governance: Challenges and Opport...
Artificial Intelligence in Philippine Local Governance: Challenges and Opport...
 
Call On 6297143586 Viman Nagar Call Girls In All Pune 24/7 Provide Call With...
Call On 6297143586 Viman Nagar Call Girls In All Pune 24/7 Provide Call With...Call On 6297143586 Viman Nagar Call Girls In All Pune 24/7 Provide Call With...
Call On 6297143586 Viman Nagar Call Girls In All Pune 24/7 Provide Call With...
 
PPT Item # 4 - 231 Encino Ave (Significance Only)
PPT Item # 4 - 231 Encino Ave (Significance Only)PPT Item # 4 - 231 Encino Ave (Significance Only)
PPT Item # 4 - 231 Encino Ave (Significance Only)
 
Postal Ballots-For home voting step by step process 2024.pptx
Postal Ballots-For home voting step by step process 2024.pptxPostal Ballots-For home voting step by step process 2024.pptx
Postal Ballots-For home voting step by step process 2024.pptx
 
Call Girls Chakan Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Chakan Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Chakan Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Chakan Call Me 7737669865 Budget Friendly No Advance Booking
 

Audit guidance for Federal PKI certfication authorities

  • 1. AUDITOR LETTER OF COMPLIANCE Compliance Audit Requirements October 28, 2009 These requirements apply to all cross-certified entities under the FBCA CP or through the Common Policy (other than the C4CA). In order to evaluate a compliance audit, the following background information is required. • Identity of the Auditor and the individuals performing the audit; • Competence of the Auditor to perform audits; • Experience of the individuals performing the audit in auditing PKI systems; • Relationship of the Auditor to the entity that owns the PKI being audited. This relationship must clearly demonstrate the independence of the auditor from the entity operating or managing the PKI. The following information regarding the audit itself is required. • The date the audit was performed. • Whether a particular methodology was used, and if so, what methodology. • Which documents were reviewed as a part of the audit, including document dates and version numbers. In addition to this background, the entity should ensure that, as part of the audit, an audit summary is prepared, signed by the auditor, reporting on the following elements after conducting the compliance audit: • State that the operations of the entity PKI’s Principal CA were evaluated for conformance to the requirements of its CPS. • Report the findings of the evaluation of operational conformance to the Principal CA CPS. • State that the entity PKI’s Principal CA CPS was evaluated for conformance to the entity PKI’s CP. 1
  • 2. • Report the findings of the evaluation of the Principal CA CPS conformance to the entity PKI CP. • For PKIs with multiple CAs, state whether audit reports showing compliance were on file for any additional CA components of the entity PKI • State that the operations of the Entity PKI’s Principal CA were evaluated for conformance to the requirements of all cross-certification MOAs executed by the Entity PKI with other entities. If there are no MOAs or other comparable agreements, this requirement does not apply. • Report the findings of the evaluation of the Principal CA CPS conformance to the requirements of all cross-certification MOAs executed by the Entity PKI. If there are no MOAs or other comparable agreements, this requirement does not apply. Auditing New CAs Where the Entity PKI being audited is new and some procedures have only been performed in test environments, the report must include the following: 1. State which procedures have been performed using the operational system and could be fully evaluated for conformance to the requirements of the entity PKI CPS; 2. Report the findings of the evaluation in “1.” above; 3. State which procedures have not been performed on the operational system and were evaluated for conformance to the requirements of the entity PKI CPS, but only with respect to training and procedures; 4. Report the findings of the evaluation in “3.” above; 5. State that the entity PKI’s CPS was evaluated for conformance to the supported certificate policies; 6. Report the findings of the evaluation in “5.” above. Note: These requirements are separate and distinct from the certification and accreditation requirements imposed by the Designated Approving Authority (DAA). Since the FBCA/Common Policy CPs are neutral as to audit methodology, and do not prefer one methodology over another, any audit approach is acceptable provided that these points are addressed. At the present time, a default WebTrust for CA audit will not satisfy the requirements set forth above. To meet FBCA/Common Policy requirements, the 2
  • 3. management assertions of the entity being audited would need to include the substance of the following assertions: 1. The Entity-CPS conforms to the requirements of the Entity-CP 2. The Entity-CA is operated in conformance with the requirements of the Entity-CPS; 3. The Entity-CA has maintained effective controls to provide reasonable assurance that: • Procedures defined in Section 1 of the Entity-CPS are in place and operational. • Procedures defined in Section 2 of the Entity-CPS are in place and operational. • Procedures defined in Section 3 of the Entity-CPS are in place and operational. • Procedures defined in Section 4 of the Entity-CPS are in place and operational. • Procedures defined in Section 5 of the Entity-CPS are in place and operational. • Procedures defined in Section 6 of the Entity-CPS are in place and operational. • Procedures defined in Section 7 of the Entity-CPS are in place and operational. • Procedures defined in Section 8 of the Entity-CPS are in place and operational. • Procedures defined in Section 9 subsections 9.4.4 and 9.6.3 are in place and operational. 4. The Entity-CA is operated in conformance with the requirements of all cross-certification MOAs executed by the Entity-CA. If there are no MOAs or other comparable agreements, this requirement does not apply. Note: The FBCA/Common Policy does not require and will not consider any statements with respect to the entity PKI’s suitability for cross certification with the FBCA/Common Policy or conformance to the FBCA/Common Policy certificate policies. Such a determination is exclusively the purview of the FPKIPA and its working groups. 3