[caops-wg] Comment for Auditing Guidelines Doc.

Yoshio Tanaka yoshio.tanaka at aist.go.jp
Tue Sep 16 20:06:29 CDT 2008


Hi Scott,

As you may have seen in the meeting minutes that Dave sent out, we
received a comment about Auditor Qualification.

----------------------------------------------------------------------
Auditor Qualification
The audit/assessment/evaluation team and the individuals on that team,
should be qualified to assess the policies and practices of a PKI.
Auditors should be competent to evaluate the CA management processes
and operational procedures, its related IT security components and its
PKI-unique elements. A PKI audit team shall consist of individuals who
together have the necessary skills and experience to assess the
policies, procedures and practices of the PKI. Auditors should be
individually and organizationally independent of the PKI that is being
audited.

The following list comprises a set of requirements for considering the
expertise and qualifications of members of the assessment team
carrying out a PKI audit:
- Professional Certifications such as CISSP and CISA or equivalent;
- Successful completion of training courses in assessment of IT
  security controls;
- ...
----------------------------------------------------------------------

We received a comment that the list of requirements is very heavy,
particularly the professional certification.
Do you intend that auditors must satisfy all the requirements?
Would you clarify your intention?

Thanks,

--
Yoshio Tanaka (yoshio.tanaka at aist.go.jp)
http://ninf.apgrid.org/
http://www.apgridpma.org/
