Gatekeeper Compliance Audit Program
Version 1.0 (Issue Date 15 November 2002)
6. Appendix A - Self Assessment Questionnaire
6.1 Overview
The purpose of this Self-Assessment Questionnaire is to compile the information required by an Authorised Auditor to assess the situation of a Service Provider. There is a requirement to perform an on-site Audit to review and test the Service Provider's established operations and controls.
The Self Assessment Questionnaire is designed to facilitate the collection of information necessary to understand the current environment in which the Service Provider operates and any changes that may have been implemented. This should enable the Authorised Auditor to consider whether a Modular approach may be proposed under the GCAP, allowing previous work to be taken into account.
The Self Assessment Questionnaire will then form part of the supporting work-papers for the GCAP carried out by the Authorised Auditor.
6.2 Instructions to the Service Provider
In completing the Questionnaire the Service Provider is required to respond to a majority of the Self-Assessment questions with a 'Yes' or 'No. There are a number of questions that require the Service Provider to enter information into the Notes field.
All information provided by the Service Provider in the Self Assessment Questionnaire will be taken as a management representation of the Service Provider and deemed to be accurate by the Authorised Auditor. It should be understood that all responses provided by the Service Provider in this Self Assessment Questionnaire will be taken as a representation of the Service Provider's activities, which can be subject to testing during the on site visits.
6.3 Self Assessment Questionnaire
|
Number |
Self-Assessment Question |
NOTES |
Yes |
No |
| 1 |
GENERAL BACKGROUND |
|||
| 1.1 |
Name of Service Provider |
(Please enter details) | ||
| 1.2 |
Type of Accredited service (CA, CA & RA, RA, RAES): |
(Please enter details) | ||
| 1.3 |
Location/URL of Approved CPs (Public Document): |
(Please enter details) | ||
| 1.4 |
Location/URL of Approved CPS (Public Document): |
(Please enter details) | ||
| 1.5 |
What is the date of your accreditation? |
(Please enter details) | ||
| 1.6 |
Do you remain compliant with the latest Gatekeeper Accreditation Criteria and Policies? (ie not exercised your rights under Clause 11.6 of the Head Agreement?) |
|||
| 2 |
PRIOR AUDITS |
|||
| 2.1 |
Has a CATrust Audit been conducted on your PKI within the last year? |
|||
| 2.2 |
Did the scope of the CATrust Audit cover your Gatekeeper Service? |
|||
| 2.3 |
When was the CATrust Audit signed off? |
(Please enter details) | ||
| 2.4 |
When do your CATrust "Updates" occur? |
(Please enter details) | ||
| 2.5 |
What is the URL / Website address where the Audit Report is viewable? |
(Please enter details) | ||
| 2.6 |
What was the overall time period of all the testing? |
(Please enter details) | ||
| 2.7 |
Who was the Auditor who conducted the CATrust Audit? |
(Please enter details) | ||
| 2.8 |
Is the Auditor who conducted the CATrust Audit also on the list of Gatekeeper Authorised Auditors? |
|||
| 2.9 |
Are the work papers used available for release to your eventual GCAP Auditor? |
|||
| 2.10 |
Please specify any issues that were identified. |
(Please enter details) | ||
| 2.11 |
Have you conducted any other PKI Audit/Review programs (e.g. SAS70, Annual Internal Audit, ISO9000, External Audit to another PKI Standard or Program), please specify all details. |
|||
| 3 | RELATIONSHIPS |
|||
| 3.1 |
Is your Accredited service entirely located in your own facilities? |
|||
| 3.2 |
Is your Accredited service entirely managed and operated by your own personnel? If No, please state which other Gatekeeper Accredited Service Provider you use and which aspects of your activities are managed/operated by this organisation. |
|||
| 3.3 |
Are you reliant on another Service Provider's CPS? (If you use a CPS of another organisation, please specify location and reason) |
|||
| 3.4 |
Do you have any other dependencies? If Yes, please detail. |
|||
| NOTE |
Questions 3.5 to 3.13 only apply if you outsource your facilities, management or operations to an another Gatekeeper Accredited Service Provider. (i.e. if the answer to 3.1 or 3.2 is NO or 3.3 is Yes).
|
|||
| 3.5 |
What was the date of the other Service Provider's accreditation? |
(Please enter details) | ||
| 3.6 |
Did the scope of the other Service Provider's CATrust Audit cover your Gatekeeper Service? |
|||
| 3.7 |
When was their CATrust Audit signed off? |
(Please enter details) | ||
| 3.8 |
What is the URL / Website address where their Audit Report is viewable? |
(Please enter details) | ||
| 3.9 |
What was the overall time period of all the testing? |
(Please enter details) | ||
| 3.10 |
Who was the Auditor who conducted their CATrust Audit? |
(Please enter details) | ||
| 3.11 |
Is the Auditor who conducted the CATrust Audit also on the list of Gatekeeper Authorised Auditors? |
|||
| 3.12 |
Are the work papers used available for release to your eventual GCAP Auditor? |
|||
| 3.13 | Please specify any issues that were identified. |
(Please enter details) | ||
| 4 |
BUSINESS MODEL |
|||
| 4.1 |
Have there been any changes in your business model since the version set out in your Approved Concept of Operations? If Yes, please detail changes. |
|||
| 5 |
INTERNAL AUDIT COMPLIANCE |
|||
| 5.1 |
Are procedures in place to check that internal Audits are performed in accordance with the Operations Manual and the Protective Security Plan? |
|||
| 5.2 |
Has an internal compliance Audit been performed within the last 12 months? If Yes, please state when. |
|||
| 5.3 |
Did the findings of any internal Audit highlight any deficiencies? If Yes, please detail their status. |
|||
| 6 |
CA OBLIGATIONS |
CA / RAES ONLY |
||
| 6.1 |
Since your accreditation or last Audit, has your Gatekeeper CA established any subordinate CA / RAs? If so, please provide details including the date of its establishment and the date on which the organisation was accredited by NOIE. |
|||
| 6.2 |
Since your accreditation or last Audit, have there been instances of compromise, or suspected compromise of Keys and Certificates belonging to the CA/RAES or its operational staff or systems that may threaten the integrity of your PKI? If Yes, did the CA/RAES initiate the correct Certificate revocation or suspension (if service provided) following the compromise? |
|||
| 6.3 |
Since your accreditation or last Audit, have there been instances of compromise, or suspected compromise of end user Keys and Certificates issued by the CA/RAES? If Yes, did the CA/RAES initiate the correct Certificate revocation or suspension (if service provided) following the compromise? |
|||
| 7 |
RA OBLIGATIONS |
RA ONLY |
||
| 7.1 |
Are procedures in place to check that the RA's operations conform to the practices described in the CA(s) CPS? |
|||
| 7.2 |
Are procedures in place to check that the RA provides its customers with copies of relevant CPs (If required)? If No, does the RA advise customers how to obtain these documents? |
|||
| 7.3 |
Are procedures in place to check that the RA provides its customers with copies of other documentation required? (e.g. Subscriber Agreement) If No, does the RA advise customers how to obtain these documents? |
|||
| 8 |
CERTIFICATION PRACTICE STATEMENT MANAGEMENT |
CA ONLY |
||
| 8.1 |
Do you maintain a management group with the final authority and responsibility for the CA's CPS? (e.g. Policy Approval Authority or Policy Management Authority) If Yes, please detail members of the group. |
(Please enter details) | ||
| 8.2 |
Since your accreditation or last Audit, has the management group undertaken a review of business risks, security requirements and operational procedures? Did the outcome of the review warrant a change in your Practices / Procedures or your CPS? |
|||
| 8.3 |
Has your CPS been changed since your accreditation or last Audit? If Yes, have you submitted the amended CPS to NOIE for re-evaluation; and |
|||
| 9 |
DISASTER RECOVERY AND BUSINESS CONTINUITY PLAN |
|||
| 9.1 |
Has your Disaster Recovery and Business Continuity Plan (DRBCP) been reviewed in accordance with the timeframe set out in that document? |
|||
| 9.2 |
Were there any negative/deficient results from the test procedures? If Yes, please detail the outcomes of required actions. |
|||
| 9.3 |
Are agreements with external service providers in relation to the DRBCP current? |
|||
| 9.4 |
Have you trained all employees under the provisions in the DRBCP? |
|||
| 9.5 |
Is your insurance coverage current and sufficient? Please state the level and coverage. |
(Please enter details) | ||
| 9.6 |
Has your DRBCP been changed since your accreditation or last Audit? If Yes, have you submitted the amended DRBCP to NOIE for re-evaluation; and has it been Approved by NOIE and if so when? |
|||
| 10 |
CERTIFICATE LIFECYCLE MANAGEMENT REQUIREMENTS - EVIDENCE OF IDENTITY (EOI) & PRIVACY |
RA ONLY |
||
| 10.1 |
Has there been any change in the procedures that the RA uses for EOI? If Yes, please detail. |
|||
| 10.2 |
Are the minimum EOI requirements for end-entities still in accordance with the: Financial Transaction Reports (FTR) Act 1988 -Record for a Signatory to an Account. |
|
||
| 10.3 |
Do your procedures and processes for collection and safeguarding of personal information still comply with the requirements of the Privacy Act 1988 and the PSM? |
|||
| 11 |
CERTIFICATE POLICY MANAGEMENT |
CA & RAES ONLY |
||
| 11.1 |
What Types and Grades of Certificates do you provide? |
(Please enter details) | ||
| 11.2 |
Do you maintain a management group with the final authority and responsibility for your CP(s)? (e.g. Policy Approval Authority or Policy Management Authority)? If Yes, Please detail members of the group. |
|||
| 11.3 |
Since your accreditation or last Audit, has the management group undertaken a review of your business model to determine its currency? |
|||
| 11.4 |
Have any of your CP(s) changed since your accreditation or last Audit? If Yes, have you submitted the amended CP(s) to NOIE for re-evaluation; and have they been approved by NOIE and if so, when? |
|||
| 12 |
SUBSCRIBER AGREEMENT / RELYING PARTY AGREEMENT |
|||
| 12.1 |
Do the procedures you have put in place enable Subscribers and Relying Parties to have a good understanding of their responsibilities and obligations? (e.g. Providing accurate information; safeguarding their Private Keys; CRL checking) |
|||
| 12.2 |
Do you notify Agencies, Subscribers, or other parties as required in regard to liability arrangements? |
|||
| 12.3 |
If you have changed your CPS or CP(s) since your accreditation or last Audit, have you reviewed the Subscriber Agreement / Relying Party Agreement to ensure that any changes have been incorporated and if so, have these changes been approved by NOIE? |
CA / RAES Only |
||
| 12.4 |
Have any Subscribers or Relying Parties requested other methods of communication concerning the way in which changes to Subscriber or Relying Party Agreements are brought to their attention? |
|||
| 13 |
LEGAL REQUIREMENTS |
|||
| 13.1 |
Since your accreditation or last Audit, has there been any significant change in the ownership / management of your organisation that may impact your Gatekeeper accreditation status? If Yes, please state the details. |
|||
| 14 |
SECURITY POLICY, PROTECTIVE SECURITY RISK REVIEW (PSRR) / THREAT RISK ASSESSMENT (TRA), PROTECTIVE SECURITY PLAN (PSP) AND KEY MANAGEMENT PLAN (KMP) |
|||
| 14.1 |
How often is your Security Policy reviewed? When was this last done? |
(Please enter details) | ||
| 14.2 |
Have there been changes to your Security Policy since your accreditation or last Audit? If Yes, have you submitted the amended Security Policy to NOIE for re-evaluation; and has it been Approved by NOIE, and if so, when? |
|||
| 14.3 |
How often do you conduct a TRA / PSRR? When was this last done? |
(Please enter details) | ||
| 14.4 |
Have there been changes to your TRA / PSRR since your accreditation or last Audit? If Yes, have you submitted the amended TRA / PSRR to NOIE for re-evaluation; and have they been Approved by NOIE, and if so, when? |
|||
| 14.5 |
Have there been changes to your PSP since your accreditation or last Audit? If Yes, have you submitted the amended PSP to NOIE for re-evaluation; and |
|||
| 14.6 |
Does the PSP address the issue of residual risk? If Yes, has residual risk been accepted and signed-off by management? |
|||
| 14.7 |
How often do you conduct a review of your KMP? When was this last done? |
(Please enter details) | ||
| 14.8 |
Have there been changes to your KMP since your accreditation or last Audit? If Yes, have you submitted the amended KMP to NOIE for re-evaluation; and has it been Approved by NOIE, and if so, when? |
|||
| 15 |
PHYSICAL SECURITY |
|||
| 15.1 |
Have there been any changes to physical security since your accreditation or last Audit? If Yes, have you submitted the changes to NOIE for re-evaluation; and have they been approved by NOIE, and if so, when? |
|||
| 15.2 |
When did ASIO T4 last conduct a security assessment of your facility? |
(Please enter details) | ||
| 15.3 |
Are there any contracts with an external Security Guard company? |
|||
| 15.4 |
Since your accreditation or last Audit, have there been instances of compromise, or suspected compromise of the Physical Security of your establishment? If Yes, please include details of the following:
|
|||
| 15.5 |
Since your accreditation or last Audit, have there been instances of compromise, or suspected compromise of confidential information? If Yes, please include details of the following:
|
|||
| 15.6 |
Since your accreditation or last Audit, have all alarm and physical security control systems been tested and reviewed for maintenance (as per Approved Documents and manufacturer's instructions)? If Yes, were all the tests / maintenance results acceptable? Please detail any adverse findings. |
|||
| 15.7 |
Since your accreditation or last Audit has the emergency response process been tested? If Yes, were all the tests / maintenance results acceptable? Please detail any adverse findings. |
|||
| 15.8 |
Since your accreditation or last Audit, have environmental and fire control systems been tested and reviewed for maintenance (as per manufacturer's instructions)? If Yes, were all the tests / maintenance results acceptable? Please detail any adverse findings. |
|||
| 15.9 |
Since your accreditation or last Audit, have the UPS and power generators been tested and reviewed for maintenance (as per manufacturer's instructions)? If Yes, were all the tests / maintenance results acceptable? Please detail any adverse findings. |
|||
| 15.10 |
Does your Protective Security Plan contain elements dealing with Site Security? If Yes, please provide details. |
(Please enter details) | ||
| 16 | PERSONNEL SECURITY |
|||
| 16.1 |
Have all relevant personnel obtained the level of Security Clearance required for performance of their duties? |
|||
| 16.2 |
When were access rights of personnel last reviewed? |
(Please enter details) | ||
| 16.3 |
What were the results of the most recent review of access listings? |
(Please enter details) | ||
| 16.4 |
Have there been any security incidents since your accreditation or last Audit concerning vetted personnel? |
|||
| 16.5 |
Have there been any security incidents since your accreditation or last Audit concerning any other personnel? |
|||
| 16.6 |
Are there any vetted employees whose clearance has been reviewed, or who have left your organisation since your accreditation or last Audit? (Personnel are required to have clearance reviewed at a minimum of every 5 years.) |
|||
| 16.7 |
Are there any vetted employees whose circumstances have changed since your accreditation or last Audit, which may have a bearing on their Security Clearance? |
|||
| 16.8 |
Is your Facility Security Officer (FSO) the same employee identified in your Approved Documents? If no, has the FSO function been passed to an employee who has been correctly vetted? If a new FSO has been assigned, has their Security Clearance been Approved? Is your FSO position outsourced? |
|||
| 17 | FINANCIAL OBLIGATIONS |
|||
| 17.1 |
Are you still on the Endorsed Supplier list? |
|||
| 17.2 |
Has your status as an Endorsed Supplier changed at any time since your accreditation or last Audit? |