[WG-IDAssurance] Point in Time vs. Period of Time Audit
Frazier-mcelveen, Myisha (US - Arlington)
mfraziermcelveen at deloitte.com
Wed Jan 18 12:06:28 EST 2012
As discussed on the IAWG call today, we acknowledge that there would be IDPs who would not have been in production for an extended period of time prior to the audit (e.g. new services). As a result, we need to identify parameters within the IAF that discuss what is required for the point in time audit. Given that, we agreed to the following principles:
1. The requirements of the Web Trust Audit are too stringent for our IAF purposes and that we would want to be more lenient.
2. We need to identify specific criteria / language that can be referenced for the purposes of the audit.
As a result we came to the following principles for the language:
1. An absolute minimum of 30 credential issuances
2. Ideally 5 revocations
3. In the event that the IDP did not have the 5 revocations, some language that would facilitate their ability to comply with the audit but prove necessary requirements on the revocation side.
Given these principles, how best should we structure the language regarding this? One alternative is:
“Must have at least 30 issuances and 5 revocations or the ability for the revocations to be assessed against practices and procedures”
Please provide comments / thoughts / suggested edits, etc.
Let the dart throwing begin!
Manager | Technology Risk
Deloitte and Touche LLP
1919 N. Lynn Street Arlington, VA 22209
Tel/Direct: +571 -814-6619 | Fax: +1 855-223-1611 | Mobile: +1 571-814-0911
mfraziermcelveen at deloitte.com | www.deloitte.com