[WG-IDAssurance] Point in Time vs. Period of Time Audit
Richard G. WILSHER @Zygma
RGW at Zygma.biz
Wed Jan 18 14:39:04 EST 2012
I think this discussion so far overlooks an important point.
What is proposed is somewhat technical – one might even say operationally ‘mechanical’ – in nature: the required issuances could probably be accomplished in a pretty short space of time (although revocations are essentially beyond the control of the issuer … unless they screw up the issuing process :-( ). However, there are broader considerations to do with the management of the service, and these are addressed by the CO-SAC, particularly at the higher ALs (in fact from AL2).
We require an information security management system to be in place, and that requires time for monitoring, management reviews, internal auditing etc. to be performed. Perhaps we might vary the extent of time according to AL, but that may also be determined by the system’s own policies (e.g. if it says that a management review shall be held every six months, guess how long they’d have to wait!). I’d be inclined to require a well-reasoned *minimum* period of time (to avoid a dodgy CSP doing an audit, management review, and fixing the broken sign in the lavatory all in one day ;-) plus a requirement that within that period there had been “at least one cycle of management review and internal audit, with records of monitoring and follow-up actions having been prosecuted, in accordance with published policies”. This approach seems to me to be at least as important as a count of credentials being pushed out, although some oversight of operational practices being performed is also clearly required and needs an evidential basis.
There is of course a ‘chicken/egg’ conundrum here (although that’s a fake conundrum – the egg had to come first, based on simple genetics): can a CSP attract custom if they cannot get KI-Approved, and v-v? So, I suggest that we permit a Zero-day Audit as the basis for Approval, subject to a follow-up Period of Time Audit after the agreed period (KI’s minimum period or that determined by the CSP’s policies, whichever the greater), on the successful outcome of which will hang the continuation or revocation (you wanted some of these, right?) of the KI Approval.
This is not a SAC question – it’s a procedural one, so will have to go in another doc. AAS?
As to the text proposed as a target:
>>“Must have at least 30 issuances and 5 revocations …
That’s easy; it’s just a question of being able to count …
>> … or the ability for the revocations to be assessed against practices and procedures
So how many in this case? Is zero OK? Then how will that be assessed?
I don’t see this latter part as adding any more than our present criteria require (an assertion I make without reviewing them in any detail, and I forget easily these days). Let’s also not forget that the (original?) purpose of the IAF was to ensure that a CSP had in place and was applying policies, practices and procedures at a high level. Therefore, might delving into practices and procedures in this specific instance be going further than we originally intended?
A final point: IDP? KI uses the acronym CSP, and I would urge its continued use rather than IDP. The scope of the IAF is the management of credentials, i.e. credential services, rather than simple provision of id (credentials).
That’s all for now,
Richard G. WILSHER
CEO, Zygma LLC
O: +1 714 965 99 42
M: +1 714 797 99 42
From: wg-idassurance-bounces at kantarainitiative.org [mailto:wg-idassurance-bounces at kantarainitiative.org] On Behalf Of Frazier-mcelveen, Myisha (US - Arlington)
Sent: 18 January 2012 17:06
To: IA WG (wg-idassurance at kantarainitiative.org)
Subject: [WG-IDAssurance] Point in Time vs. Period of Time Audit
As discussed on the IAWG call today, we acknowledge that there would be IDPs who would not have been in production for an extended period of time prior to the audit (e.g. new services). As a result, we need to identify parameters within the IAF that discuss what is required for the point in time audit. Given that, we agreed to the following principles:
1. The requirements of the Web Trust Audit are too stringent for our IAF purposes, and we would want to be more lenient.
2. We need to identify specific criteria / language that can be referenced for the purposes of the audit.
As a result we came to the following principles for the language:
1. An absolute minimum of 30 credential issuances
2. Ideally 5 revocations
3. In the event that the IDP did not have the 5 revocations, some language that would facilitate their ability to comply with the audit but prove necessary requirements on the revocation side.
Given these principles, how best should we structure the language regarding this? One alternative is:
“Must have at least 30 issuances and 5 revocations or the ability for the revocations to be assessed against practices and procedures”
Please provide comments / thoughts / suggested edits, etc.
Let the dart throwing begin!
Manager | Technology Risk
Deloitte and Touche LLP
1919 N. Lynn Street Arlington, VA 22209
Tel/Direct: +571 -814-6619 | Fax: +1 855-223-1611 | Mobile: +1 571-814-0911
mfraziermcelveen at deloitte.com | www.deloitte.com