[WG-IDAssurance] Point in Time vs. Period of Time Audit

Richard G. WILSHER @Zygma RGW at Zygma.biz
Wed Jan 18 17:09:04 EST 2012


If you want a stake in the ground Ben, and based upon my initial
dissertational offering, I'll put my head on the block and offer two
(because I'd say at AL1 it's not worth sharpening the end of the stick to
make a stake for it!).

 

At AL2, Applicants for Full Approval shall be subject to a Period-of-Time
Audit after having been operational for a period of time which is the
greater of:

i) Two months; or

ii) The minimum period required by the Applicant's own
policies or applicable contractual obligations, legislation or standards.

 

At AL3 & 4, Applicants for Full Approval shall be subject to a
Period-of-Time Audit after having been operational for a period of time
which is the greater of:

i) Four months; or

ii) The minimum period required by the Applicant's own
policies or applicable contractual obligations, legislation, standards or
certifications.

 

Applicants may apply for Initial Approval by undergoing a Day-Zero Audit at
any time after the commencement of operations in accordance with the
specification of their system, up to the minimum period set forth above.
Initial Approval shall require the Applicant to state an elapsed period,
determined according to the above minimum periods, within two further months
of which they shall submit their application for Full Approval supported by
a Kantara-Accredited Assessor's report with no non-conformities, in the
absence of which their Approval shall be revoked.

 

Maybe a little bit of word-smithing can be done, but that's what I'd offer
right now.  Of course, it has consequences:  Initial and Full Approval have
not hitherto been considered and there are procedural and $$ implications
therein.  That's why we have Joni  ;-)



Note - both WTCA and ISO 27001 have explicit requirements for ensuring that
the audit subjects have been in operation, have exercised their management
system, can show records etc. to demonstrate that they're doing what they
say they'll do.  Nothing in the above should be considered particularly
onerous, save the additional complication of initial and formal approval
classifications.

R


Richard G. WILSHER
CEO, Zygma LLC
O:  +1 714 965 99 42
M: +1 714 797 99 42

www.Zygma.biz



 

From: Ben Wilson [mailto:ben at digicert.com] 
Sent: 18 January 2012 21:12
To: 'Faut, Nathan E'; 'Rich Furr'; 'Richard G. WILSHER @Zygma';
'wg-idassurance'
Subject: RE: [WG-IDAssurance] Point in Time vs. Period of Time Audit

 

The horse hasn't really left the barn on the period of time audit if the
time period involved with Verizon data collection was greater than 24 hours,
which I assume it was.  Something less than what was considered in Verizon's
case would then be a de facto / accepted period, and we could move on, if
someone were willing to put a stake in the ground and say what they believe
is that minimal operational period.

 

From: wg-idassurance-bounces at kantarainitiative.org
[mailto:wg-idassurance-bounces at kantarainitiative.org] On Behalf Of Faut,
Nathan E
Sent: Wednesday, January 18, 2012 1:50 PM
To: Rich Furr; Richard G. WILSHER @Zygma; wg-idassurance
Subject: Re: [WG-IDAssurance] Point in Time vs. Period of Time Audit

 

We all assumed that the rest of the assessment would be performed, of
course!

 

The issue at hand was that the IAF and components do not provide any
guidance for a Day Zero/Day One assessment. A full-on Web Trust assessment
requires 3 months of data from an operation running for at least 6 months.
Day One/Day Zero reviews are considered preparatory, a test of operational
and audit readiness, but not providing a WTCA Seal. 

 

I would submit that, since the ARB received an assessment for Verizon at a
near-Day-One timeframe from Deloitte, the point is somewhat academic.  A
qualified assessor reviewed a CSP and provided appropriate information to
the ARB for its approval and for the KI BoT to issue a KI Seal.

 

Aren't we chasing horses that have left the barn? Deloitte did not
communicate at the time that they were in a bind with respect to testing
Verizon's CS - or did I miss something?

 

-Nathan

=-=-=-=-=-=-=-=-

Nathan Faut 
Senior Associate, IT Advisory, Information Protection, Federal 
KPMG LLP 

office: 703-286-6883

at PBGC: 202-326-4000 ext. 3845

mobile: 301-335-2656

 

From: wg-idassurance-bounces at kantarainitiative.org
[mailto:wg-idassurance-bounces at kantarainitiative.org] On Behalf Of Rich Furr
Sent: Wednesday, January 18, 2012 3:41 PM
To: Richard G. WILSHER @Zygma; wg-idassurance
Subject: Re: [WG-IDAssurance] Point in Time vs. Period of Time Audit

 

With hesitation I offer,  the foregoing is good for discussion and Richard's
point - "I don't think issuing / revoking credentials is sufficient proof of
a system's operational readiness." is well taken because it is true.  There
is significantly more involved which is why all policies, processes,
specifications, etc, need to be part of an assessment.  The technical aspect
of issuing and revoking credentials is, in my opinion, the tip of the
iceberg.

 

Rich Furr

Head, Global Regulatory Affairs, Policy & Compliance

SAFE-BioPharma Assn - The Biopharmaceutical & Healthcare Identity Management
Standard

Cell: 704-575-1680

Office:  980-236-7576


From: Richard WILSHER <RGW at Zygma.biz>
Date: Wed, 18 Jan 2012 15:35:33 -0500
To: wg-idassurance <wg-idassurance at kantarainitiative.org>
Subject: Re: [WG-IDAssurance] Point in Time vs. Period of Time Audit

 

Well in a sense, that's my point - one would expect this to be just two of
the basic system test & integration steps one would apply before one got to
the point of initiating an application to KI for Approval, so it doesn't
figure in the question about Point/Period audits.  The audit would look at
related policies, procedures and evidence of their application in an
operational context, but I had assumed (OK, my mistake) that the context of
the discussion was in an operational context, because that was the
audit-related focus of the basic question.  I don't think issuing / revoking
credentials is sufficient proof of a system's operational readiness.


R

Richard G. WILSHER
CEO, Zygma LLC
O:  +1 714 965 99 42
M: +1 714 797 99 42

www.Zygma.biz

 

From: Ben Wilson [mailto:ben at digicert.com] 
Sent: 18 January 2012 20:20
To: 'Richard G. WILSHER @Zygma'; 'Stuntz, Joseph (US - Arlington)'; 'IA WG'
Subject: RE: [WG-IDAssurance] Point in Time vs. Period of Time Audit

 

So far, I don't see anyone expressing an appreciation of how easily this
works.  You issue five credentials and then you disable them so that when
someone tries to validate them they indicate that they are invalid.  How
hard is that?  I've certainly gone through testing where you provide a
sample for each potential credential status.   Anyone who can't issue 30
credentials and revoke 5 doesn't belong in Kantara.

 

From: wg-idassurance-bounces at kantarainitiative.org
[mailto:wg-idassurance-bounces at kantarainitiative.org] On Behalf Of Richard
G. WILSHER @Zygma
Sent: Wednesday, January 18, 2012 12:49 PM
To: 'Stuntz, Joseph (US - Arlington)'; 'IA WG'
Subject: Re: [WG-IDAssurance] Point in Time vs. Period of Time Audit

 

*IF* we were to go down this path (which as I've indicated, I think is a bit
too rocky), I would rely upon the additional strength of criteria at the
escalating ALs to accommodate your concern Joseph.  However, it would of
course have to be proven at all LoAs claimed, if only by inference (e.g. the
same higher-level practices were applied at all levels).

R

Richard G. WILSHER
CEO, Zygma LLC
O:  +1 714 965 99 42
M: +1 714 797 99 42

www.Zygma.biz

 

From: wg-idassurance-bounces at kantarainitiative.org
[mailto:wg-idassurance-bounces at kantarainitiative.org] On Behalf Of Stuntz,
Joseph (US - Arlington)
Sent: 18 January 2012 18:42
To: IA WG (wg-idassurance at kantarainitiative.org)
Subject: Re: [WG-IDAssurance] Point in Time vs. Period of Time Audit

 

One other comment I would add for the group to consider is the LOA of the
required minimums.  Would 30 LOA 1 credentials be enough if a service wanted
to be certified at LOA 1-3?   The criteria could be general and say examples
need to be from all LOAs that the service is looking to be certified for, or
the criteria could set specific numbers of each LOA?  

 

Thanks,

Joe

 

Joseph G. Stuntz

ERS Consultant | Technology Risk | Identity Management

Deloitte & Touche LLP

1919 N. Lynn Street, Arlington, VA 22209-1742

Tel: +1 571-882-5435 

JSTUNTZ at Deloitte.com | www.Deloitte.com


From: wg-idassurance-bounces at kantarainitiative.org
[mailto:wg-idassurance-bounces at kantarainitiative.org] On Behalf Of
Frazier-mcelveen, Myisha (US - Arlington)
Sent: Wednesday, January 18, 2012 12:06 PM
To: IA WG (wg-idassurance at kantarainitiative.org)
Subject: [WG-IDAssurance] Point in Time vs. Period of Time Audit

 

All,

 

As discussed on the IAWG call today, we acknowledge that there would be IDPs
who would not have been in production for an extended period of time prior
to the audit (e.g. new services).  As a result, we need to identify
parameters within the IAF that discusses what is required for the point in
time audit.   Given that, we agreed to the following principles:

 

1. The requirements of the Web Trust Audit are too stringent for our
IAF purposes and that we would want to be more lenient.

2. We need to identify specific criteria / language that can be
referenced for the purposes of the audit.

 

As a result we came to the following principles for the language:

 

1. An absolute minimum of 30 credential issuances

2. Ideally 5 revocations

3. In the event that the IDP did not have the 5 revocations, some
language that would facilitate their ability to comply with the audit but
prove necessary requirements on the revocation side.

 

Given these principles, how best should we structure the language regarding
this.  One alternative is:

 

"Must have at least 30 issuances and 5 revocations or the ability for the
revocations to be assessed against practices and procedures"

 

Please provide comments / thoughts / suggested edits, etc.

 

Let the dart throwing begin!

 

 

Sincerely,

Myisha

 

Myisha Frazier-McElveen

Manager | Technology Risk

Deloitte and Touche LLP

1919 N. Lynn Street Arlington, VA 22209

Tel/Direct: +571 -814-6619 | Fax: +1 855-223-1611 | Mobile: +1 571-814-0911

mfraziermcelveen at deloitte.com  | www.deloitte.com  

 
