[WG-IDAssurance] Point in Time vs. Period of Time Audit

Rich Furr rfurr at safe-biopharma.org
Wed Jan 18 15:41:01 EST 2012


With hesitation I offer,  the foregoing is good for discussion and Richard's point - "I don’t think issuing / revoking credentials is sufficient proof of a system’s operational readiness." is well taken because it is true.  There is significantly more involved which is why all policies, processes, specifications, etc, need to be part of an assessment.  The technical aspect of issuing and revoking credentials is, in my opinion, the tip of the iceberg.

Rich Furr
Head, Global Regulatory Affairs, Policy & Compliance
SAFE-BioPharma Assn - The Biopharmaceutical & Healthcare Identity Management Standard
Cell: 704-575-1680
Office:  980-236-7576






From: Richard WILSHER <RGW at Zygma.biz>
Date: Wed, 18 Jan 2012 15:35:33 -0500
To: wg-idassurance <wg-idassurance at kantarainitiative.org>
Subject: Re: [WG-IDAssurance] Point in Time vs. Period of Time Audit

Well in a sense, that’s my point – one would expect this to be just two of the basic system test & integration steps one would apply before one got to the point of initiating an application to KI for Approval, so it doesn’t figure in the question about Point/Period audits.  The audit would look at related policies, procedures and evidence of their application in an operational context, but I had assumed (OK, my mistake) that the context of the discussion was in an operational context, because that was the audit-related focus of the basic question.  I don’t think issuing / revoking credentials is sufficient proof of a system’s operational readiness.

R

Richard G. WILSHER
CEO, Zygma LLC
O:  +1 714 965 99 42
M: +1 714 797 99 42
www.Zygma.biz


From: Ben Wilson [mailto:ben at digicert.com]
Sent: 18 January 2012 20:20
To: 'Richard G. WILSHER @Zygma'; 'Stuntz, Joseph (US - Arlington)'; 'IA WG'
Subject: RE: [WG-IDAssurance] Point in Time vs. Period of Time Audit

So far, I don’t see anyone expressing an appreciation of how easily this works.  You issue five credentials and then you disable them so that when someone tries to validate them they indicate that they are invalid.  How hard is that?  I’ve certainly gone through testing where you provide a sample for each potential credential status.   Anyone who can’t issue 30 credentials and revoke 5 doesn’t belong in Kantara.

From: wg-idassurance-bounces at kantarainitiative.org [mailto:wg-idassurance-bounces at kantarainitiative.org] On Behalf Of Richard G. WILSHER @Zygma
Sent: Wednesday, January 18, 2012 12:49 PM
To: 'Stuntz, Joseph (US - Arlington)'; 'IA WG'
Subject: Re: [WG-IDAssurance] Point in Time vs. Period of Time Audit

*IF* we were to go down this path (which as I’ve indicated, I think is a bit too rocky), I would rely upon the additional strength of criteria at the escalating ALs to accommodate your concern Joseph.  However, it would of course have to be proven at all LoAs claimed, if only by inference (e.g. the same higher-level practices were applied at all levels).

R

Richard G. WILSHER
CEO, Zygma LLC
O:  +1 714 965 99 42
M: +1 714 797 99 42
www.Zygma.biz

From: wg-idassurance-bounces at kantarainitiative.org [mailto:wg-idassurance-bounces at kantarainitiative.org] On Behalf Of Stuntz, Joseph (US - Arlington)
Sent: 18 January 2012 18:42
To: IA WG (wg-idassurance at kantarainitiative.org)
Subject: Re: [WG-IDAssurance] Point in Time vs. Period of Time Audit

One other comment I would add for the group to consider is the LOA of the required minimums.  Would 30 LOA 1 credentials be enough if a service wanted to be certified at LOA 1-3?   The criteria could be general and say examples need to be from all LOAs that the service is looking to be certified for, or the criteria could set specific numbers of each LOA?

Thanks,
Joe

Joseph G. Stuntz
ERS Consultant | Technology Risk | Identity Management
Deloitte & Touche LLP
1919 N. Lynn Street, Arlington, VA 22209-1742
Tel: +1 571-882-5435
JSTUNTZ at Deloitte.com | www.Deloitte.com




From: wg-idassurance-bounces at kantarainitiative.org [mailto:wg-idassurance-bounces at kantarainitiative.org] On Behalf Of Frazier-mcelveen, Myisha (US - Arlington)
Sent: Wednesday, January 18, 2012 12:06 PM
To: IA WG (wg-idassurance at kantarainitiative.org)
Subject: [WG-IDAssurance] Point in Time vs. Period of Time Audit

All,

As discussed on the IAWG call today, we acknowledge that there would be IDPs who would not have been in production for an extended period of time prior to the audit (e.g. new services).  As a result, we need to identify parameters within the IAF that discuss what is required for the point in time audit.   Given that, we agreed to the following principles:


1. The requirements of the Web Trust Audit are too stringent for our IAF purposes and that we would want to be more lenient.

2. We need to identify specific criteria / language that can be referenced for the purposes of the audit.

As a result we came to the following principles for the language:


1. An absolute minimum of 30 credential issuances

2. Ideally 5 revocations

3. In the event that the IDP did not have the 5 revocations, some language that would facilitate their ability to comply with the audit but prove necessary requirements on the revocation side.

Given these principles, how best should we structure the language regarding this?  One alternative is:

“Must have at least 30 issuances and 5 revocations or the ability for the revocations to be assessed against practices and procedures”

Please provide comments / thoughts / suggested edits, etc.

Let the dart throwing begin!


Sincerely,
Myisha

Myisha Frazier-McElveen
Manager | Technology Risk
Deloitte and Touche LLP
1919 N. Lynn Street Arlington, VA 22209
Tel/Direct: +571 -814-6619 | Fax: +1 855-223-1611 | Mobile: +1 571-814-0911
mfraziermcelveen at deloitte.com | www.deloitte.com











