[caops-wg] Comment for Auditing Guidelines Doc.

Scott Rea Scott.Rea at Dartmouth.EDU
Wed Sep 17 07:59:40 CDT 2008


How about we amend the last sentence of the 1st paragraph and the entire 
2nd paragraph to read as follows to avoid any confusion...

------------------
...External auditors should be individually and organizationally 
independent of the PKI that is being audited; internal auditors should 
at least be individually independent of the PKI that is being audited.

The specific auditor qualification requirements are that they should be 
competent, independent, understand PKIs, understand auditing methods, 
and understand IGTF profiles. The following is a list of considerations 
to undertake when determining the expertise and qualifications of 
members of the assessment team carrying out a PKI audit (NOTE: These 
considerations are provided simply in an advisory capacity and not as 
hard requirements when determining auditor qualifications):
....
-------------------

Thoughts?

Regards,
_Scott


Kelsey, DP (David) wrote:
> Hi Yoshio, Scott,
>
> I think it would be better if the text is modified to make it clearer.
>
> Cheers
> Dave
>
>
> ------------------------------------------------
> Dr David Kelsey
> Particle Physics Department
> Rutherford Appleton Laboratory
> Chilton, DIDCOT, OX11 0QX, UK
>
> e-mail: D.P.Kelsey at rl.ac.uk
> Tel: [+44](0)1235 445746 (direct)
> Fax: [+44](0)1235 446733
> ------------------------------------------------
>
>
>
>
>> -----Original Message-----
>> From: caops-wg-bounces at ogf.org [mailto:caops-wg-bounces at ogf.org] On
>> Behalf Of Yoshio Tanaka
>> Sent: 17 September 2008 04:15
>> To: caops-wg at ggf.org
>> Subject: Re: [caops-wg] Comment for Auditing Guidelines Doc.
>>
>>
>> Hi Scott,
>>
>> Thanks for the prompt reply. I understand.
>> Do you think the draft should be revised to avoid misunderstanding?
>> Or, do you think the current draft should be ok?
>>
>> Regards,
>>
>> --
>> Yoshio Tanaka (yoshio.tanaka at aist.go.jp) http://ninf.apgrid.org/
>> http://www.apgridpma.org/
>>
>>
>> From: Scott Rea <Scott.Rea at Dartmouth.EDU>
>> Subject: Re: [caops-wg] Comment for Auditing Guidelines Doc.
>> Date: Tue, 16 Sep 2008 21:43:26 -0400
>> Message-ID: <48D060BE.50809 at Dartmouth.edu>
>>
>>
>>> G'day Yoshio et al,
>>>
>>> The dot point list was not meant as a list of "requirements" - it was
>>> merely a list of "considerations" when determining qualification
>>> requirements.
>>> The real requirements are in the text of the initial paragraph above
>>> i.e. essentially the auditor should be competent, independent,
>>> understand PKIs, understand auditing methods, and understand IGTF
>>> profiles.
>>> I.e. no getting the custodial staff, or medical staff, or HR staff etc
>>> to audit for you - that ain't gonna fly - unless they also have
>>> relevant qualifications from the subsequent list.  Hope that
>>> clarifies things...
>>>
>>> Regards,
>>> -Scott
>>>
>>> Yoshio Tanaka wrote:
>>>
>>>> Hi Scott,
>>>>
>>>> As you might see in the meeting minutes which was sent by Dave, we
>>>> got a comment about Auditor Qualification.
>>>>
>>>> ----------------------------------------------------------------------
>>>> Auditor Qualification
>>>> The audit/assessment/evaluation team and the individuals on that
>>>> team, should be qualified to assess the policies and practices of a
>>>> PKI.
>>>> Auditors should be competent to evaluate the CA management processes
>>>> and operational procedures, its related IT security components and
>>>> its PKI-unique elements. A PKI audit team shall consist of
>>>> individuals who together have the necessary skills and experience to
>>>> assess the policies, procedures and practices of the PKI. Auditors
>>>> should be individually and organizationally independent of the PKI
>>>> that is being audited.
>>>>
>>>> The following list comprises a set of requirements for considering the
>>>> expertise and qualifications of members of the assessment team
>>>> carrying out a PKI audit:
>>>> - Professional Certifications such as CISSP and CISA or equivalent;
>>>> - Successful completion of training courses in assessment of IT
>>>>   security controls;
>>>> - ...
>>>>
>>>> ----------------------------------------------------------------------
>>>>
>>>> We got a comment that the list of requirements is very heavy,
>>>> particularly the professional certification.
>>>> Do you intend that auditors must satisfy all the requirements?
>>>> Would you clarify your intention?
>>>>
>>>> Thanks,
>>>>
>>>> --
>>>> Yoshio Tanaka (yoshio.tanaka at aist.go.jp) http://ninf.apgrid.org/
>>>> http://www.apgridpma.org/
>>>>
>>>>
>>>> --
>>>>   caops-wg mailing list
>>>>   caops-wg at ogf.org
>>>>   http://www.ogf.org/mailman/listinfo/caops-wg
>>>>
>>>>
>>> --
>>> Scott Rea
>>> Director, HEBCA|USHER Operating Authority Dartmouth Senior PKI
>>> Architect Peter Kiewit Computing Services Dartmouth College HB 6238,
>>> #058 Sudikoff Hanover, NH 03755
>>>
>>> Em: Scott.Rea at Dartmouth.edu
>>> Ph#(603) 646-0968
>>> Ot#(603) 646-9181
>>> Ce#(603) 252-7339
>>>

-- 
Scott Rea
Director, HEBCA Operating Authority
Dartmouth College Sr PKI Architect
Peter Kiewit Computing Services
Dartmouth College
HB 6238, #058 Sudikoff
Hanover, NH 03755

Em: Scott.Rea at Dartmouth.edu
Ph#(603) 646-0968
Ot#(603) 646-9181
Ce#(603) 252-7339 


