[WG-IDAssurance] Point in Time vs. Period of Time Audit
Richard G. WILSHER @Zygma
RGW at Zygma.biz
Thu Jan 19 12:20:45 EST 2012
As promised / threatened [delete as you see fit], here is my considered
response to Ben's contribution.
I like the way my two-steps were redacted into 1 (point something). This
simplifies the Kantara process side of things which is always good news. If
I understand you correctly Ben, your suggestion is that, from the outside,
the world wouldn't see any difference in a CSP Approved on day 1 as opposed
to one Approved on day 99, it would be a question of KI keeping track of the
need, in the first instance, of receiving downstream a Period-of-Time audit,
right?
My further responses in-line.
R
Richard G. WILSHER
CEO, Zygma LLC
O: +1 714 965 99 42
M: +1 714 797 99 42
http://www.Zygma.biz
From: Ben Wilson [mailto:ben at digicert.com]
Sent: 18 January 2012 23:32
To: 'Richard G. WILSHER @Zygma'; 'wg-idassurance'
Subject: RE: [WG-IDAssurance] Point in Time vs. Period of Time Audit
Today I heard a great deal of hesitancy concerning a two-step process, but
as Richard worded it below, I still see it really as a one-step process with
an opportunity for some to begin on Day Zero as "Kantara approved."
Full Approval for Levels 2, 3 and 4 might just require 60 days of operation
(leaving silent whether the period is extended based on other legally
applicable minimum periods).
[RGW>>] I'm unsure what you mean by 'leaving silent'. If in the one case
you are simply refraining from offering an opinion, fine, but if you are
suggesting that no such requirement should be stated, I'm very much opposed
to this, for the reason I gave yesterday (to do with explicit requirements
of other assessment / certification schemes, such as WTCA/EV, IS27001, etc.).
This ties-in with a comment offered by someone else y'day - John Bradley? -
that we don't want Kantara Approval to be a burden. Quite so, and a
long-established goal of a scheme such as the IAF and many other assurance
frameworks in which I've been involved is that the required assessment could
be undertaken at the same time as an assessment for recognition under one of
those other schemes. To that extent, the requirement for a due period of
operations and accumulation of sufficient record of activities to comfort
the assessor which I am suggesting is entirely in keeping with those schemes
and in fact, where the Applicant chooses to seek only Kantara Approval,
ensures that all applicants are ultimately held to the same standards, which
emphatically IS a part of the objectives of the IAF.
Others in this group might want even less time.
[RGW>>] From my argument above, I think that should be very carefully
considered - it potentially weakens the strength of the Mark.
One option would be -- "An Applicant may be Approved following submission of
a Day-Zero Audit [RGW>>] performed by a Kantara-Accredited Assessor at any
time after the commencement of operations and prior to completing <number to
be decided, per AL> days of operation, provided that the Assessor [RGW>>]
attests to (a) the date on which operations commenced, (b) that operations
were in accordance with Kantara requirements and the specifications for the
Applicant's system, and (c) that the Assessor has been engaged by the
Applicant to provide a full Kantara Assessment Report following at least
<number to be decided, per AL> days of operation. If a satisfactory
Assessment Report is not received by Kantara within <number to be decided,
per AL + 30> days of Approval, the Approval shall be revoked."
[RGW>>] That's good, subject to my highlighted proposed revisions.
If the Applicant and its Assessor are able to submit the Assessment Report
before 90 days, then great - it's out of the way (and the Applicant moves
forward without waiting for further need of initial Kantara approval). I
suppose some Day-Zero Audit guidance might be needed if this idea goes
forward, but at least new service providers that are ready (but unwilling to
wait for all of the official work to be done) will have an opportunity to
represent that they are Kantara approved.
Conversely, if an Applicant doesn't want to pay for a Day-Zero Audit, then
it just has to engage the Assessor and collect data for <number to be
decided, per AL> days of operation until a full assessment can be prepared
and delivered to Kantara.
The disadvantage of this latter approach is that after submitting the
Assessment Report the Applicant won't know exactly when it will receive
formal indication of approval (because the Assessment Report would need to
be reviewed).
[RGW>>] But this 'disadvantage' is exactly what happens right now when an
Application is made - that's necessary due diligence on KI's part, and a
competent CSP ought to be pretty sure of whether they've got ticks in all the
right boxes if they started from the position of getting approval in the
first place. They just have to have been doing what they said they'd do.
QED. Further, it should be regarded as a delta on the original audit and
hence be reviewed and (hopefully) granted fairly quickly.
I think we're getting there, and I'd take the chance to suggest that the
idea of issuances and revocations has bitten the dust, right?
Best,
R