[WG-IDAssurance] Point in Time vs. Period of Time Audit
Joni Brennan
joni at ieee-isto.org
Thu Jan 19 12:52:49 EST 2012
FWIW +1 to RWs comments regarding out-side world view and provisions which
guide for day-zero AND over-time.
thx,
=Joni
On Thu, Jan 19, 2012 at 9:20 AM, Richard G. WILSHER @Zygma <RGW at zygma.biz> wrote:
> As promised / threatened [delete as you see fit], here is my considered
> response to Ben’s contribution.
>
> I like the way my two-steps were redacted into 1 (point something). This
> simplifies the Kantara process side of things which is always good news.
> If I understand you correctly Ben, your suggestion is that, from the
> outside, the world wouldn’t see any difference in a CSP Approved on day 1
> as opposed to one Approved on day 99, it would be a question of KI keeping
> track of the need, in the first instance, of receiving downstream a
> Period-of-Time audit, right?
>
> My further responses in-line.
> R
>
>
> Richard G. WILSHER
> CEO, Zygma LLC
> O: +1 714 965 99 42
> M: +1 714 797 99 42
>
> www.Zygma.biz
>
>
> From: Ben Wilson [mailto:ben at digicert.com]
> Sent: 18 January 2012 23:32
> To: 'Richard G. WILSHER @Zygma'; 'wg-idassurance'
> Subject: RE: [WG-IDAssurance] Point in Time vs. Period of Time Audit
>
>
> Today I heard a great deal of hesitancy concerning a two-step process, but
> as Richard worded it below, I still see it really as a one-step process
> with an opportunity for some to begin on Day Zero as “Kantara approved.”
>
>
> Full Approval for Levels 2, 3 and 4 might just require 60 days of
> operation (leaving silent whether the period is extended based on other
> legally applicable minimum periods).
>
> [RGW>>] I’m unsure what you mean by ‘leaving silent’. If in the one
> case you are simply refraining from offering an opinion, fine, but if you
> are suggesting that no such requirement should be stated, I’m very much
> opposed to this, for the reason I gave yesterday (to do with explicit
> requirements of other assessment / certification schemes, such as WTCA/EV,
> IS27001, …). This ties in with a comment offered by someone else y’day –
> John Bradley? – that we don’t want Kantara Approval to be a burden. Quite
> so, and a long-established goal of a scheme such as the IAF and many other
> assurance frameworks in which I’ve been involved is that the required
> assessment could be undertaken at the same time as an assessment for
> recognition under one of those other schemes. To that extent, the
> requirement for a due period of operations and accumulation of sufficient
> record of activities to comfort the assessor which I am suggesting is
> entirely in keeping with those schemes and in fact, where the Applicant
> chooses to seek only Kantara Approval, ensures that all applicants are
> ultimately held to the same standards, which emphatically IS a part of the
> objectives of the IAF.
>
> Others in this group might want even less time.
>
> [RGW>>] From my argument above, I think that should be very carefully
> considered – it potentially weakens the strength of the Mark.
>
> One option would be -- “An Applicant may be Approved following submission
> of a Day-Zero Audit [RGW>>] performed by a Kantara-Accredited Assessor
> at any time after the commencement of operations and prior to completing «number
> to be decided, per AL» days of operation, provided that the Assessor [RGW>>]
> attests to (a) the date on which operations commenced, (b) that
> operations were in accordance with Kantara requirements and the
> specifications for the Applicant’s system, and (c) that the Assessor has
> been engaged by the Applicant to provide a full Kantara Assessment Report
> following at least «number to be decided, per AL» days of operation. If
> a satisfactory Assessment Report is not received by Kantara within «number
> to be decided, per AL + 30» days of Approval, the Approval shall be
> revoked.”
>
> [RGW>>] That’s good, subject to my highlighted proposed revisions
>
> If the Applicant and its Assessor are able to submit the Assessment Report
> before 90 days, then great – it’s out of the way (and the Applicant moves
> forward without waiting for further need of initial Kantara approval). I
> suppose some Day-Zero Audit guidance might be needed if this idea goes
> forward, but at least new service providers that are ready (but unwilling
> to wait for all of the official work to be done) will have an opportunity
> to represent that they are Kantara approved.
>
> Conversely, if an Applicant doesn’t want to pay for a Day-Zero Audit, then
> it just has to engage the Assessor and collect data for «number to be
> decided, per AL» days of operation until a full assessment can be
> prepared and delivered to Kantara.
>
> The disadvantage of this latter approach is that after submitting the
> Assessment Report the Applicant won’t know exactly when it will receive
> formal indication of approval (because the Assessment Report would need to
> be reviewed).
>
> [RGW>>] But this ‘disadvantage’ is exactly what happens right now when
> an Application is made – that’s necessary due diligence on KI’s part, and a
> competent CSP ought to be pretty sure of whether they’ve got ticks in all the
> right boxes if they started from the position of getting approval in the
> first place. They just have to have been doing what they said they’d do.
> QED. Further, it should be regarded as a delta on the original audit and
> hence be reviewed and (hopefully) granted fairly quickly.
>
> I think we’re getting there, and I’d take the chance to suggest that the
> idea of issuances and revocations has bitten the dust, right?
>
> Best,
> R
>
> _______________________________________________
> WG-IDAssurance mailing list
> WG-IDAssurance at kantarainitiative.org
> http://kantarainitiative.org/mailman/listinfo/wg-idassurance