[caops-wg] Comment for Auditing Guidelines Doc.

Kelsey, DP (David) D.P.Kelsey at rl.ac.uk
Thu Sep 18 00:25:15 CDT 2008


Hi Scott, Yoshio,

I agree that the new text makes it much clearer.

Cheers
Dave


------------------------------------------------
Dr David Kelsey
Particle Physics Department
Rutherford Appleton Laboratory
Chilton, DIDCOT, OX11 0QX, UK

e-mail: D.P.Kelsey at rl.ac.uk
Tel: [+44](0)1235 445746 (direct)
Fax: [+44](0)1235 446733
------------------------------------------------



> -----Original Message-----
> From: caops-wg-bounces at ogf.org [mailto:caops-wg-bounces at ogf.org] On
> Behalf Of Yoshio Tanaka
> Sent: 17 September 2008 22:14
> To: caops-wg at ggf.org
> Subject: Re: [caops-wg] Comment for Auditing Guidelines Doc.
> 
> 
> Hi Scott,
> 
> I think the proposed revision is appropriate to avoid any confusion.
> I'll take this revision.
> 
> Thanks,
> 
> --
> Yoshio Tanaka (yoshio.tanaka at aist.go.jp) http://ninf.apgrid.org/
> http://www.apgridpma.org/
> 
> 
> From: Scott Rea <Scott.Rea at Dartmouth.EDU>
> Subject: Re: [caops-wg] Comment for Auditing Guidelines Doc.
> Date: Wed, 17 Sep 2008 08:59:40 -0400
> Message-ID: <48D0FF3C.8050306 at Dartmouth.EDU>
> 
> > How about we amend the last sentence of the 1st paragraph and the
> > entire 2nd paragraph to read as follows to avoid any confusion...
> >
> > ------------------
> > ...External auditors should be individually and organizationally
> > independent of the PKI that is being audited, internal auditors
> > should at least be individually independent of the PKI that is being
> > audited.
> >
> > The specific auditor qualification requirements are that they should
> > be competent, independent, understand PKIs, understand auditing
> > methods, and understand IGTF profiles. The following is a list of
> > considerations to undertake when determining the expertise and
> > qualifications of members of the assessment team carrying out a PKI
> > audit (NOTE: These considerations are provided simply in an advisory
> > capacity and not as hard requirements when determining auditor
> > qualifications):
> > ....
> > -------------------
> >
> > Thoughts?
> >
> > Regards,
> > _Scott
> >
> >
> > Kelsey, DP (David) wrote:
> > > Hi Yoshio, Scott,
> > >
> > > I think it would be better if the text is modified to make it
> > > clearer.
> > >
> > > Cheers
> > > Dave
> > >
> > >
> > > ------------------------------------------------
> > > Dr David Kelsey
> > > Particle Physics Department
> > > Rutherford Appleton Laboratory
> > > Chilton, DIDCOT, OX11 0QX, UK
> > >
> > > e-mail: D.P.Kelsey at rl.ac.uk
> > > Tel: [+44](0)1235 445746 (direct)
> > > Fax: [+44](0)1235 446733
> > > ------------------------------------------------
> > >
> > >
> > >
> > >
> > >> -----Original Message-----
> > >> From: caops-wg-bounces at ogf.org [mailto:caops-wg-bounces at ogf.org]
> > >> On Behalf Of Yoshio Tanaka
> > >> Sent: 17 September 2008 04:15
> > >> To: caops-wg at ggf.org
> > >> Subject: Re: [caops-wg] Comment for Auditing Guidelines Doc.
> > >>
> > >>
> > >> Hi Scott,
> > >>
> > >> Thanks for the prompt reply. I understand.
> > >> Do you think the draft should be revised to avoid
> > >> misunderstanding?
> > >> Or, do you think the current draft should be ok?
> > >>
> > >> Regards,
> > >>
> > >> --
> > >> Yoshio Tanaka (yoshio.tanaka at aist.go.jp) http://ninf.apgrid.org/
> > >> http://www.apgridpma.org/
> > >>
> > >>
> > >> From: Scott Rea <Scott.Rea at Dartmouth.EDU>
> > >> Subject: Re: [caops-wg] Comment for Auditing Guidelines Doc.
> > >> Date: Tue, 16 Sep 2008 21:43:26 -0400
> > >> Message-ID: <48D060BE.50809 at Dartmouth.edu>
> > >>
> > >>
> > >>> G'day Yoshio et al,
> > >>>
> > >>> The dot point list was not meant as a list of "requirements" - it
> > >>> was merely a list of "considerations" when determining qualification
> > >>> requirements.
> > >>> The real requirements are in the text of the initial paragraph
> > >>> above i.e. essentially the auditor should be competent,
> > >>> independent, understand PKIs, understand auditing methods, and
> > >>> understand IGTF profiles.
> > >>> I.e. no getting the custodial staff, or medical staff, or HR staff
> > >>> etc to audit for you - that ain't gonna fly - unless they also have
> > >>> relevant qualifications from the subsequent list.  Hope that
> > >>> clarifies things...
> > >>>
> > >>> Regards,
> > >>> -Scott
> > >>>
> > >>> Yoshio Tanaka wrote:
> > >>>
> > >>>> Hi Scott,
> > >>>>
> > >>>> As you might see in the meeting minutes which was sent by Dave,
> > >>>> we got a comment about Auditor Qualification.
> > >>>>
> > >>>> ----------------------------------------------------------------------
> > >>>> Auditor Qualification
> > >>>> The audit/assessment/evaluation team and the individuals on that
> > >>>> team, should be qualified to assess the policies and practices of a
> > >>>> PKI.
> > >>>> Auditors should be competent to evaluate the CA management processes
> > >>>> and operational procedures, its related IT security components
> > >>>> and its PKI-unique elements. A PKI audit team shall consist of
> > >>>> individuals who together have the necessary skills and experience to
> > >>>> assess the policies, procedures and practices of the PKI.
> > >>>> Auditors should be individually and organizationally independent
> > >>>> of the PKI that is being audited.
> > >>>>
> > >>>> The following list comprises a set of requirements for considering the
> > >>>> expertise and qualifications of members of the assessment team
> > >>>> carrying out a PKI audit:
> > >>>> - Professional Certifications such as CISSP and CISA or equivalent;
> > >>>> - Successful completion of training courses in assessment of IT
> > >>>>   security controls;
> > >>>> - ...
> > >>>> ----------------------------------------------------------------------
> > >>>>
> > >>>> We got a comment that the list of requirements is very heavy,
> > >>>> particularly the professional certification.
> > >>>> Do you intend that auditors must satisfy all the requirements?
> > >>>> Would you clarify your intention?
> > >>>>
> > >>>> Thanks,
> > >>>>
> > >>>> --
> > >>>> Yoshio Tanaka (yoshio.tanaka at aist.go.jp) http://ninf.apgrid.org/
> > >>>> http://www.apgridpma.org/
> > >>>>
> > >>>>
> > >>>> --
> > >>>>   caops-wg mailing list
> > >>>>   caops-wg at ogf.org
> > >>>>   http://www.ogf.org/mailman/listinfo/caops-wg
> > >>>>
> > >>>>
> > >>> --
> > >>> Scott Rea
> > >>> Director, HEBCA|USHER Operating Authority Dartmouth Senior PKI
> > >>> Architect Peter Kiewit Computing Services Dartmouth College HB
> > >>> 6238,
> > >>> #058 Sudikoff Hanover, NH 03755
> > >>>
> > >>> Em: Scott.Rea at Dartmouth.edu
> > >>> Ph#(603) 646-0968
> > >>> Ot#(603) 646-9181
> > >>> Ce#(603) 252-7339
> > >>>
> > >>>
> >
> > --
> > Scott Rea
> > Director, HEBCA Operating Authority
> > Dartmouth College Sr PKI Architect
> > Peter Kiewit Computing Services
> > Dartmouth College
> > HB 6238, #058 Sudikoff
> > Hanover, NH 03755
> >
> > Em: Scott.Rea at Dartmouth.edu
> > Ph#(603) 646-0968
> > Ot#(603) 646-9181
> > Ce#(603) 252-7339
> >

