cacert-policy - Re: [CAcert-Policy] What's the name for?

Re: [CAcert-Policy] What's the name for?


  • From: "Peter Williams" <home_pw AT msn.com>
  • To: cacert-policy AT lists.cacert.org
  • Subject: Re: [CAcert-Policy] What's the name for?
  • Date: Sat, 23 Jul 2005 20:22:40 -0700
  • List-archive: <http://lists.cacert.org/cgi-bin/mailman/private/cacert-policy>
  • List-id: Policy-Discussion <cacert-policy.lists.cacert.org>



From: Duane <duane AT cacert.org>
Reply-To: Policy-Discussion <cacert-policy AT lists.cacert.org>
To: Policy-Discussion <cacert-policy AT lists.cacert.org>
Subject: Re: [CAcert-Policy] What's the name for?
Date: Fri, 22 Jul 2005 10:48:26 -0400

Russell Smith wrote:

> What audit, there has been no audit that I am aware of.

We actually have had a "first run" draft type audit where someone has
read over everything and inspected what documentation existed and gave
us some feed back on it.

Sounds like the FIRST phase of an audit: the reading of the disclosures (and the proprietary security policies) to see if they are complete with respect to the requirements of the evaluation criteria of choice.

The art of audit is really in the testing process, not just in interpreting the current regulations.

If one is prepping for an audit, it's worth constructing our own tests in certain areas - areas in which any auditor is likely to construct tests:

(a) Does the record system allow reconstruction of the events, showing that a sample of security-critical actions were in compliance with the disclosures (e.g. a root key cert was reissued with a 20-year expiry as it approached its end of life)?

(b) Do the company records show that specific humans had the explicit legal authority to perform their duties (e.g. do assurers have a legal memo they can show that imbues them with their authorities)?

(c) Does management know and perform the best practices of the industry when executing operations using bits of technology (servers, crypto hardware, key arming, algorithms)?

I remember one Big 5 auditor tested a VeriSign claim that all its crypto devices were under "constant control" and "accountable to particular individuals." This meant suddenly ringing up 5 people from the list of 50 people listed as being in control of keying material, and having them show that (a) they could account for their arming keys, and (b) they knew the security policy concerning their being locked up in a secure cabinet every night (not left out on the desk, fed to the dog, etc.).

This particular test really tested (a) records, (b) authority, (c) attitude. It was a good test - one that focused on posture regarding the policy disclosures, versus fact conformance or process failures. A public CPA is really making a public representation, after all: is the organization really "trying" to meet the public's expectations when assigning their trust!
