[caops-wg] Comment for Auditing Guidelines Doc.

Scott Rea Scott.Rea at Dartmouth.EDU
Tue Sep 16 20:43:26 CDT 2008


G'day Yoshio et al,

The dot point list was not meant as a list of "requirements" - it was 
merely a list of "considerations" when determining qualification 
requirements.
The real requirements are in the text of the initial paragraph above 
i.e. essentially the auditor should be competent, independent, 
understand PKIs, understand auditing methods, and understand IGTF profiles.

I.e. no getting the custodial staff, or medical staff, or HR staff etc 
to audit for you - that ain't gonna fly - unless they also have relevant 
qualifications from the subsequent list.  Hope that clarifies things...

Regards,
-Scott

Yoshio Tanaka wrote:
> Hi Scott,
>
> As you might see in the meeting minutes which were sent by Dave, we got
> a comment about Auditor Qualification.
>
> ----------------------------------------------------------------------
> Auditor Qualification
> The audit/assessment/evaluation team and the individuals on that team,
> should be qualified to assess the policies and practices of a PKI.
> Auditors should be competent to evaluate the CA management processes
> and operational procedures, its related IT security components and its
> PKI-unique elements. A PKI audit team shall consist of individuals who
> together have the necessary skills and experience to assess the
> policies, procedures and practices of the PKI. Auditors should be
> individually and organizationally independent of the PKI that is being
> audited.
>
> The following list comprises a set of requirements for considering the
> expertise and qualifications of members of the assessment team
> carrying out a PKI audit:
> - Professional Certifications such as CISSP and CISA or equivalent;
> - Successful completion of training courses in assessment of IT
>   security controls;
> - ...
> ----------------------------------------------------------------------
>
> We got a comment that the list of requirements is very heavy,
> particularly the professional certification.
> Do you intend that auditors must satisfy all the requirements?
> Would you clarify your intention?
>
> Thanks,
>
> --
> Yoshio Tanaka (yoshio.tanaka at aist.go.jp)
> http://ninf.apgrid.org/
> http://www.apgridpma.org/
>

-- 
Scott Rea
Director, HEBCA|USHER Operating Authority
Dartmouth Senior PKI Architect
Peter Kiewit Computing Services
Dartmouth College
HB 6238, #058 Sudikoff
Hanover, NH 03755

Em: Scott.Rea at Dartmouth.edu
Ph#(603) 646-0968
Ot#(603) 646-9181
Ce#(603) 252-7339
