[WG-IDAssurance] Point in Time vs. Period of Time Audit

Richard G. WILSHER @Zygma RGW at Zygma.biz
Thu Jan 19 14:35:26 EST 2012


I'm at the point where I think a conversation would be more efficient than
e-mail ping-pong  ;-)  BUT, since you put the ball in my court, let me see
if I can re-state my point:

>>"The minimum period required by the Applicant's own policies or applicable
contractual obligations, legislation or standards" seems to me more like an
externally imposed standard as compared with a Kantara standard.  So were
you saying that an Applicant might present the results of another assessment
/ certification scheme (WTCA/EV, IS27001), and therefore  such report
couldn't be legitimately provided unless the operational period was long
enough to meet the requirements of the scheme that the Applicant would be
presenting? 
<<

In a sense, yes, but with a slightly different rationale.  Can we now take
as a given that we (the IAWG) will agree to some minimum period for each
AL, either common or discrete, whereby if an Applicant shows up with a D-Z
Assessor's Report they must then present a P-o-T Assessor's Report within
the applicable period or face revocation 30 days thereafter.  I'm feeling
we're OK on that, but for the determination of the actual period(s) of time.
So then ...

1)      From the beginning we had the objective of an IAF assessment being
part and parcel of some other assessment that was necessarily being
undertaken, so as to minimise the load (time & cost) on the CSP;

2)      Such examples which have specific criteria are WTCA, which requires
an explicit period of operations so as to allow the subject to accumulate
records proving that they are properly managing their system and operating
controls.  Similarly, IS27001 Certification cannot be granted unless the
subject has operated their ISMS through a complete cycle (operate the ISMS
- monitor controls within the ISMS - 1st-party audit - management review -
corrective actions);

3)      In the cases above, and also where "the Applicant's own policies or
applicable contractual obligations, legislation or standards" might have a
similar requirement AND where the period of time required to fulfil those
obligations is greater than the values the IAWG permits, it would be
burdensome for KI to demand an audit sooner than the Applicant was able to
undergo one for those other reasons (back to JohnB's remark, yesterday) and
therefore KI should be prepared to wait that extended period of time (possibly
within reason - 12 months would probably be unacceptable);

4)      Not to apply the above process could place a substantial cost burden
upon the Applicant over and above their auditing costs outside of KI.  By KI
gracefully waiting, we impose a minimal additional cost to that of the
planned audit (point 1 above).

Examples (all under the assumptions that all assessors are K-Accredited):

a)      An Applicant with no other audit obligations applies a week after
they start operations at AL2 with a D-Z report and have (say) a 60-day
period* before they can undergo a P-o-T audit and submit that report.  They
have arguable basis for going beyond that 60 days and so long as they do get
their P-o-T report in within 90 days they're completely kosher.

b)      An Applicant turns up with their D-Z report and advises that they
have a contractual obligation to be subjected to a 2nd-party audit at a
point 75 days out.  They've agreed with the auditor assigned to perform the
KI assessment and will have a report ready within another 30 days.  KI must
accept that 105 day period to avoid imposing a burden on the Applicant.
There may be some risk in this, but it's only over an additional two weeks
and we at least know that there is a client keeping track of their supplier!

c)       An Applicant submits a D-Z report for a system at AL4 - and let's
say we'd normally go for a 60-day operational period for that.  The
Applicant also advises at the time of submitting their D-Z report "We've
implemented an ISMS in conformity with IS27001;  we have an auditor assigned
but in keeping with our own policies we will not complete our first
management review cycle for 90 days and will then need 30 days for the
formal Certification audit to be completed, which will also embrace all of
the AL4 SAC requirements, so we'll be back in 120 days with our P-o-T
report".  KI *must* accept that 120 day period to avoid imposing a burden on
the Applicant.  But isn't that risky? - after all, now we're letting a CSP
at AL4 get away with twice as long as we were prepared to let a 'mere' AL2
service go, before they have to prove they really are doing their stuff.
All hell could break loose!  But will it?  The mere fact that they got a D-Z
sign-off at AL4 and are already claiming conformity to IS27001, which by the
way is an IAF requirement at AL4, seems to me (gut-gauge needle is in the
green) to be substantial mitigation of the potential risks.

*  This period, it must be clear, is the period BEFORE their P-o-T audit may
commence.  It is the minimum period of operations prior to the audit being
initiated.

Did I clear the net?
R

Richard G. WILSHER
CEO, Zygma LLC
O:  +1 714 965 99 42
M: +1 714 797 99 42

www.Zygma.biz

From: Ben Wilson [mailto:ben at digicert.com] 
Sent: 19 January 2012 18:00
To: 'Joni Brennan'; 'Richard G. WILSHER @Zygma'
Cc: 'wg-idassurance'
Subject: RE: [WG-IDAssurance] Point in Time vs. Period of Time Audit

It's hard to keep up on this thread, but here is what I think in response to
Richard's earlier email.

On the question below about "leaving silent" - I agree that the rule should
require __ days of auditable operation at each respective level.  I was just
thinking that Subsection (2) made the section unnecessarily long when "The
minimum period required by the Applicant's own policies or applicable
contractual obligations, legislation or standards" seems to me more like an
externally imposed standard as compared with a Kantara standard.  So were
you saying that an Applicant might present the results of another assessment
/ certification scheme (WTCA/EV, IS27001), and therefore  such report
couldn't be legitimately provided unless the operational period was long
enough to meet the requirements of the scheme that the Applicant would be
presenting?

In that case, I think the following language would be better:

"An Applicant may be Approved following submission of a Day-Zero Audit
performed by a Kantara-Accredited Assessor at any time after the
commencement of operations and prior to completing <number to be decided,
per AL or allowed assessment scheme> days of operation, provided that the
Assessor attests to (a) the date on which operations commenced, (b) that
operations were in accordance with Kantara requirements and the
specifications for the Applicant's system, and (c) that the Assessor has
been engaged by the Applicant to provide a full Kantara Assessment Report in
accordance with the <<allowed assessment scheme>> following at least <number
to be decided, per AL or allowed assessment scheme> days of operation.  If a
satisfactory Assessment Report is not received by Kantara within <number to
be decided, per AL/assessment scheme + 30> days of Approval, the Approval
shall be revoked."

Thanks,

Ben

From: wg-idassurance-bounces at kantarainitiative.org
[mailto:wg-idassurance-bounces at kantarainitiative.org] On Behalf Of Joni
Brennan
Sent: Thursday, January 19, 2012 10:53 AM
To: Richard G. WILSHER @Zygma
Cc: wg-idassurance
Subject: Re: [WG-IDAssurance] Point in Time vs. Period of Time Audit

FWIW +1 to RW's comments regarding outside world view and provisions which
guide for day-zero AND over-time.

thx,

=Joni

On Thu, Jan 19, 2012 at 9:20 AM, Richard G. WILSHER @Zygma <RGW at zygma.biz>
wrote:

As promised / threatened [delete as you see fit], here is my considered
response to Ben's contribution.

I like the way my two-steps were redacted into 1 (point something).  This
simplifies the Kantara process side of things which is always good news.  If
I understand you correctly Ben, your suggestion is that, from the outside,
the world wouldn't see any difference in a CSP Approved on day 1 as opposed
to one Approved on day 99, it would be a question of KI keeping track of the
need, in the first instance, of receiving downstream a Period-of-Time audit,
right?

My further responses in-line.
R

Richard G. WILSHER
CEO, Zygma LLC
O:  +1 714 965 99 42
M: +1 714 797 99 42

www.Zygma.biz

From: Ben Wilson [mailto:ben at digicert.com]
Sent: 18 January 2012 23:32
To: 'Richard G. WILSHER @Zygma'; 'wg-idassurance'
Subject: RE: [WG-IDAssurance] Point in Time vs. Period of Time Audit

Today I heard a great deal of hesitancy concerning a two-step process, but
as Richard worded it below, I still see it really as a one-step process with
an opportunity for some to begin on Day Zero as "Kantara approved."

Full Approval for Levels 2, 3 and 4 might just require 60 days of operation
(leaving silent whether the period is extended based on other legally
applicable minimum periods).

[RGW>>] I'm unsure what you mean by 'leaving silent'.  If in the one case
you are simply refraining from offering an opinion, fine, but if you are
suggesting that no such requirement should be stated, I'm very much opposed
to this, for the reason I gave yesterday (to do with explicit requirements
of other assessment / certification schemes, such as WTCA/EV, IS27001, ...).
This ties in with a comment offered by someone else y'day - John Bradley? -
that we don't want Kantara Approval to be a burden.  Quite so, and a
long-established goal of a scheme such as the IAF and many other assurance
frameworks in which I've been involved is that the required assessment could
be undertaken at the same time as an assessment for recognition under one of
those other schemes.  To that extent, the requirement for a due period of
operations and accumulation of sufficient record of activities to comfort
the assessor which I am suggesting is entirely in keeping with those schemes
and in fact, where the Applicant chooses to seek only Kantara Approval,
ensures that all applicants are ultimately held to the same standards, which
emphatically IS a part of the objectives of the IAF.

Others in this group might want even less time.

[RGW>>] From my argument above, I think that should be very carefully
considered - it potentially weakens the strength of the Mark.

One option would be -- "An Applicant may be Approved following submission of
a Day-Zero Audit [RGW>>] performed by a Kantara-Accredited Assessor at any
time after the commencement of operations and prior to completing <number to
be decided, per AL> days of operation, provided that the Assessor [RGW>>]
attests to (a) the date on which operations commenced, (b) that operations
were in accordance with Kantara requirements and the specifications for the
Applicant's system, and (c) that the Assessor has been engaged by the
Applicant to provide a full Kantara Assessment Report following at least
<number to be decided, per AL> days of operation.  If a satisfactory
Assessment Report is not received by Kantara within <number to be decided,
per AL + 30> days of Approval, the Approval shall be revoked."

[RGW>>] That's good, subject to my highlighted proposed revisions.

If the Applicant and its Assessor are able to submit the Assessment Report
before 90 days, then great - it's out of the way (and the Applicant moves
forward without waiting for further need of initial Kantara approval).  I
suppose some Day-Zero Audit guidance might be needed if this idea goes
forward, but at least new service providers that are ready (but unwilling to
wait for all of the official work to be done) will have an opportunity to
represent that they are Kantara approved.

Conversely, if an Applicant doesn't want to pay for a Day-Zero Audit, then
it just has to engage the Assessor and collect data for <number to be
decided, per AL> days of operation until a full assessment can be prepared
and delivered to Kantara.

The disadvantage of this latter approach is that after submitting the
Assessment Report the Applicant won't know exactly when it will receive
formal indication of approval (because the Assessment Report would need to
be reviewed).  

[RGW>>] But this 'disadvantage' is exactly what happens right now when an
Application is made - that's necessary due diligence on KI's part, and a
competent CSP ought to be pretty sure of whether they've got ticks in all the
right boxes if they started from the position of getting approval in the
first place.  They just have to have been doing what they said they'd do.
QED.  Further, it should be regarded as a delta on the original audit and
hence be reviewed and (hopefully) granted fairly quickly.

I think we're getting there, and I'd take the chance to suggest that the
idea of issuances and revocations has bitten the dust, right?

Best,
R


_______________________________________________
WG-IDAssurance mailing list
WG-IDAssurance at kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-idassurance