[caops-wg] Comment for Auditing Guidelines Doc.

Kelsey, DP (David) D.P.Kelsey at rl.ac.uk
Tue Sep 16 23:20:55 CDT 2008


Hi Yoshio, Scott,

I think it would be better if the text is modified to make it clearer.

Cheers
Dave


------------------------------------------------
Dr David Kelsey
Particle Physics Department
Rutherford Appleton Laboratory
Chilton, DIDCOT, OX11 0QX, UK

e-mail: D.P.Kelsey at rl.ac.uk
Tel: [+44](0)1235 445746 (direct)
Fax: [+44](0)1235 446733
------------------------------------------------



> -----Original Message-----
> From: caops-wg-bounces at ogf.org [mailto:caops-wg-bounces at ogf.org] On
> Behalf Of Yoshio Tanaka
> Sent: 17 September 2008 04:15
> To: caops-wg at ggf.org
> Subject: Re: [caops-wg] Comment for Auditing Guidelines Doc.
> 
> 
> Hi Scott,
> 
> Thanks for the prompt reply. I understand.
> Do you think the draft should be revised to avoid misunderstanding?
> Or, do you think the current draft should be ok?
> 
> Regards,
> 
> --
> Yoshio Tanaka (yoshio.tanaka at aist.go.jp) http://ninf.apgrid.org/
> http://www.apgridpma.org/
> 
> 
> From: Scott Rea <Scott.Rea at Dartmouth.EDU>
> Subject: Re: [caops-wg] Comment for Auditing Guidelines Doc.
> Date: Tue, 16 Sep 2008 21:43:26 -0400
> Message-ID: <48D060BE.50809 at Dartmouth.edu>
> 
> > G'day Yoshio et al,
> >
> > The dot point list was not meant as a list of "requirements" - it was
> > merely a list of "considerations" when determining qualification
> > requirements.
> > The real requirements are in the text of the initial paragraph above
> > i.e. essentially the auditor should be competent, independent,
> > understand PKIs, understand auditing methods, and understand IGTF profiles.
> >
> > I.e. no getting the custodial staff, or medical staff, or HR staff etc
> > to audit for you - that ain't gonna fly - unless they also have
> > relevant qualifications from the subsequent list.  Hope that
> > clarifies things...
> >
> > Regards,
> > -Scott
> >
> > Yoshio Tanaka wrote:
> > > Hi Scott,
> > >
> > > As you might see in the meeting minutes which was sent by Dave, we
> > > got a comment about Auditor Qualification.
> > >
> > >
> > > ----------------------------------------------------------------------
> > > Auditor Qualification
> > > The audit/assessment/evaluation team and the individuals on that
> > > team, should be qualified to assess the policies and practices of a PKI.
> > > Auditors should be competent to evaluate the CA management processes
> > > and operational procedures, its related IT security components and
> > > its PKI-unique elements. A PKI audit team shall consist of
> > > individuals who together have the necessary skills and experience to
> > > assess the policies, procedures and practices of the PKI. Auditors
> > > should be individually and organizationally independent of the PKI
> > > that is being audited.
> > >
> > > The following list comprises a set of requirements for considering the
> > > expertise and qualifications of members of the assessment team
> > > carrying out a PKI audit:
> > > - Professional Certifications such as CISSP and CISA or equivalent;
> > > - Successful completion of training courses in assessment of IT
> > >   security controls;
> > > - ...
> > >
> > > ----------------------------------------------------------------------
> > >
> > > We got a comment that the list of requirements is very heavy,
> > > particularly the professional certification.
> > > Do you intend that auditors must satisfy all the requirements?
> > > Would you clarify your intention?
> > >
> > > Thanks,
> > >
> > > --
> > > Yoshio Tanaka (yoshio.tanaka at aist.go.jp) http://ninf.apgrid.org/
> > > http://www.apgridpma.org/
> > >
> > >
> > > --
> > >   caops-wg mailing list
> > >   caops-wg at ogf.org
> > >   http://www.ogf.org/mailman/listinfo/caops-wg
> > >
> >
> > --
> > Scott Rea
> > Director, HEBCA|USHER Operating Authority
> > Dartmouth Senior PKI Architect
> > Peter Kiewit Computing Services
> > Dartmouth College
> > HB 6238, #058 Sudikoff
> > Hanover, NH 03755
> >
> > Em: Scott.Rea at Dartmouth.edu
> > Ph#(603) 646-0968
> > Ot#(603) 646-9181
> > Ce#(603) 252-7339
> >