[caops-wg] Comment for Auditing Guidelines Doc.

Yoshio Tanaka yoshio.tanaka at aist.go.jp
Wed Sep 17 16:13:43 CDT 2008


Hi Scott,

I think the proposed revision is appropriate to avoid any confusion.
I'll take this revision.

Thanks,

--
Yoshio Tanaka (yoshio.tanaka at aist.go.jp)
http://ninf.apgrid.org/
http://www.apgridpma.org/


From: Scott Rea <Scott.Rea at Dartmouth.EDU>
Subject: Re: [caops-wg] Comment for Auditing Guidelines Doc.
Date: Wed, 17 Sep 2008 08:59:40 -0400
Message-ID: <48D0FF3C.8050306 at Dartmouth.EDU>

> How about we amend the last sentence of the 1st paragraph and the entire 
> 2nd paragraph to read as follows to avoid any confusion...
> 
> ------------------
> ...External auditors should be individually and organizationally 
> independent of the PKI that is being audited; internal auditors should 
> at least be individually independent of the PKI that is being audited.
> 
> The specific auditor qualification requirements are that they should be 
> competent, independent, understand PKIs, understand auditing methods, 
> and understand IGTF profiles. The following is a list of considerations 
> to undertake when determining the expertise and qualifications of 
> members of the assessment team carrying out a PKI audit (NOTE: These 
> considerations are provided simply in an advisory capacity and not as 
> hard requirements when determining auditor qualifications):
> ....
> -------------------
> 
> Thoughts?
> 
> Regards,
> _Scott
> 
> 
> Kelsey, DP (David) wrote:
> > Hi Yoshio, Scott,
> >
> > I think it would be better if the text is modified to make it clearer.
> >
> > Cheers
> > Dave
> >
> >
> > ------------------------------------------------
> > Dr David Kelsey
> > Particle Physics Department
> > Rutherford Appleton Laboratory
> > Chilton, DIDCOT, OX11 0QX, UK
> >
> > e-mail: D.P.Kelsey at rl.ac.uk
> > Tel: [+44](0)1235 445746 (direct)
> > Fax: [+44](0)1235 446733
> > ------------------------------------------------
> >
> >> -----Original Message-----
> >> From: caops-wg-bounces at ogf.org [mailto:caops-wg-bounces at ogf.org] On
> >> Behalf Of Yoshio Tanaka
> >> Sent: 17 September 2008 04:15
> >> To: caops-wg at ggf.org
> >> Subject: Re: [caops-wg] Comment for Auditing Guidelines Doc.
> >>
> >>
> >> Hi Scott,
> >>
> >> Thanks for the prompt reply. I understand.
> >> Do you think the draft should be revised to avoid misunderstanding?
> >> Or, do you think the current draft should be ok?
> >>
> >> Regards,
> >>
> >> --
> >> Yoshio Tanaka (yoshio.tanaka at aist.go.jp) http://ninf.apgrid.org/
> >> http://www.apgridpma.org/
> >>
> >>
> >> From: Scott Rea <Scott.Rea at Dartmouth.EDU>
> >> Subject: Re: [caops-wg] Comment for Auditing Guidelines Doc.
> >> Date: Tue, 16 Sep 2008 21:43:26 -0400
> >> Message-ID: <48D060BE.50809 at Dartmouth.edu>
> >>
> >>> G'day Yoshio et al,
> >>>
> >>> The dot point list was not meant as a list of "requirements" - it was
> >>> merely a list of "considerations" when determining qualification
> >>> requirements.
> >>> The real requirements are in the text of the initial paragraph above
> >>> i.e. essentially the auditor should be competent, independent,
> >>> understand PKIs, understand auditing methods, and understand IGTF
> >>> profiles.
> >>> I.e. no getting the custodial staff, or medical staff, or HR staff etc
> >>> to audit for you - that ain't gonna fly - unless they also have
> >>> relevant qualifications from the subsequent list.  Hope that
> >>> clarifies things...
> >>> Regards,
> >>> -Scott
> >>>
> >>> Yoshio Tanaka wrote:
> >>>> Hi Scott,
> >>>>
> >>>> As you might see in the meeting minutes which were sent by Dave, we
> >>>> got a comment about Auditor Qualification.
> >>>>
> >>>> ---------------------------------------------------------------------
> >>>> Auditor Qualification
> >>>> The audit/assessment/evaluation team and the individuals on that
> >>>> team, should be qualified to assess the policies and practices of a
> >>>> PKI.
> >>>> Auditors should be competent to evaluate the CA management processes
> >>>> and operational procedures, its related IT security components and
> >>>> its PKI-unique elements. A PKI audit team shall consist of
> >>>> individuals who together have the necessary skills and experience to
> >>>> assess the policies, procedures and practices of the PKI. Auditors
> >>>> should be individually and organizationally independent of the PKI
> >>>> that is being audited.
> >>>>
> >>>> The following list comprises a set of requirements for considering the
> >>>> expertise and qualifications of members of the assessment team
> >>>> carrying out a PKI audit:
> >>>> - Professional Certifications such as CISSP and CISA or equivalent;
> >>>> - Successful completion of training courses in assessment of IT
> >>>>   security controls;
> >>>> - ...
> >>>>
> >>>> ---------------------------------------------------------------------
> >>>>
> >>>> We got a comment that the list of requirements is very heavy,
> >>>> particularly the professional certification.
> >>>> Do you intend that auditors must satisfy all the requirements?
> >>>> Would you clarify your intention?
> >>>>
> >>>> Thanks,
> >>>>
> >>>> --
> >>>> Yoshio Tanaka (yoshio.tanaka at aist.go.jp) http://ninf.apgrid.org/
> >>>> http://www.apgridpma.org/
> >>>>
> >>>> --
> >>>>   caops-wg mailing list
> >>>>   caops-wg at ogf.org
> >>>>   http://www.ogf.org/mailman/listinfo/caops-wg
> >>>>
> >>> --
> >>> Scott Rea
> >>> Director, HEBCA|USHER Operating Authority
> >>> Dartmouth Senior PKI Architect
> >>> Peter Kiewit Computing Services
> >>> Dartmouth College
> >>> HB 6238, #058 Sudikoff
> >>> Hanover, NH 03755
> >>>
> >>> Em: Scott.Rea at Dartmouth.edu
> >>> Ph#(603) 646-0968
> >>> Ot#(603) 646-9181
> >>> Ce#(603) 252-7339
> >>>
> 
> -- 
> Scott Rea
> Director, HEBCA Operating Authority
> Dartmouth College Sr PKI Architect
> Peter Kiewit Computing Services
> Dartmouth College
> HB 6238, #058 Sudikoff
> Hanover, NH 03755
> 
> Em: Scott.Rea at Dartmouth.edu
> Ph#(603) 646-0968
> Ot#(603) 646-9181
> Ce#(603) 252-7339 
> 