Kantara Annual Conformity Review Discussion Paper


Version:   2.0

Date: 2013-03-20

Editor:    Andrew Hughes

Contributors:

The full list of contributors can be referenced here: http://kantarainitiative.org/confluence/display/arb/Home


Status: This document has been endorsed by the Kantara Initiative Assurance Review Board.

Abstract:

TBD

Filename: Kantara Annual Conformity Review Discussion Paper v2.docx


IPR : [Note specific IPR followed, based on http://kantarainitiative.org/confluence/x/DYBQAQ ]


Notice:

TBD based upon WG/DG IPR Policy


Contents

Introduction

1.1 Item 1: The specific format and content of the ACR document

1.1.1 Resolution:

1.1.2 Action Item:

1.2 Item 2: Annual Conformity Review requirements

1.2.1 Resolution:

1.2.2 Rationale


Introduction

The exact steps, participants and documents required for the Annual Conformity Review (ACR) are only vaguely described in the Assurance Assessment Scheme (AAS) documentation. This document records Kantara’s position on the ACR requirements and process. Discussions were held with the Assurance Review Board (ARB) and other stakeholders to determine the intent and nature of the ACR.

In this document, “Applicant” refers to the Approved Service or Accredited Assessor seeking extension of the license agreement for an additional year.

1.1 Item 1: The specific format and content of the ACR document

The AAS indicates that there is an ACR Pro Forma document that the Secretariat sends to the Applicant, but no format for it was provided.

1.1.1 Resolution:

The ACR Pro Forma will contain:

  • Date of issue of the ACR document
  • Applicant name and other contact information on record with Kantara
  • Type of current Grant
  • Any restrictions on the Grant
  • Relevant dates:
    • Initial Grant Effective Date
    • Grant Expiry Date (initial Effective Date + 3 years)
    • TMLA expiration date (1 year, 2 years or 3 years after the initial Effective Date)
    • Start of the ACR window (60 days prior to the current license agreement expiration date)
  • Status of Subscriber and Membership, plus renewal dates
  • Instructions similar to: As a Kantara <Approved Credential Service Provider OR Accredited Assessor>, you are required to conduct an Annual Conformity Review and to submit the review information to secretary@kantarainitiative.org for review by the Kantara Assurance Review Board. This ACR contains the information currently held on file related to your Grant of License of the Kantara Trust Mark. Please review this information and inform secretary@kantarainitiative.org if corrections are required. Kantara requires the material and activities indicated in the table below for review to determine whether extension of the License Agreement for an additional year is warranted. (The table referred to is the one in section 1.2.1 of this document.)

1.1.2 Action Item:

Andrew to draft the ACR Pro Forma document for review by the ARB.


1.2 Item 2: Annual Conformity Review requirements

The expectations of the ARB with respect to what constitutes an Annual Conformity Review are not specified in the AAS. The most significant open questions are:

  • Under what conditions must an Applicant engage an Accredited Assessor for any work related to the ACR?
  • What must be assessed for the ACR?
  • Is self-attestation permitted under any conditions?


1.2.1 Resolution:

The Level of Assurance (LOA) determines the degree of rigour of the annual conformity assessment. Each service is assessed according to its LOA. Where services at different LOAs share assessed items, the same evidence may be used in support of each.


In the table, the term “Core” refers to a set of items from the Service Assessment Criteria (SAC) which Kantara determines to be essential to the trusted operation of the CSP. These are likely to be in the areas of Credential Issuance, Credential Revocation and Separation of Duties.


The table has four columns: LOA; ACR frequency; Basis of Review; Accredited Assessor participation. It is set out per LOA below.

LOA 4

ACR frequency: Annual

Basis of Review:

  • Full IAF SAC (current version)
  • Includes items observed in prior Assessments and service changes noted by the CSP

Accredited Assessor participation: Full assessment, the same as for the initial Application Process.

LOA 3

ACR frequency: Annual

Basis of Review, on the first anniversary:

  • Any items observed in prior Assessments
  • PLUS “Core” IAF SAC items (current version)
  • PLUS 50% of the “non-core” IAF SAC items
  • PLUS service changes noted by the CSP

Basis of Review, on the second anniversary:

  • Any items observed in prior Assessments
  • PLUS “Core” IAF SAC items (current version)
  • PLUS the remaining “non-core” IAF SAC items (those not reviewed in the first anniversary review)
  • PLUS service changes noted by the CSP

Accredited Assessor participation: Work with the Applicant to determine which 50% of the “non-core” IAF SAC items are evaluated in the first and which in the second anniversary ACR; assess the in-scope items.

LOA 2

ACR frequency: Annual

Basis of Review:

  • Any items observed in prior Assessments
  • PLUS “Core” IAF SAC items (current version)
  • PLUS service changes noted by the CSP

Accredited Assessor participation: Assess the in-scope items.

LOA 1

ACR frequency: Annual

Basis of Review:

  • Triennial review of the full IAF SAC
  • On the first and second anniversary: self-assertion of conformity by the CSP

Accredited Assessor participation: None, except where the CSP reports changes in “Core” items, in which case an Accredited Assessor is required to assess the changed items.

Notes:

  • In 2012/2013, on a case-by-case basis, the ARB may permit a CSP to determine the specific criteria that make up the “Core” items, pending specification of the Core items by Kantara.
  • License Grants are valid for a maximum of 3 years. In order to receive a new Trust Mark License Grant, the Applicant must have a full assessment performed by an Accredited Assessor.


1.2.2 Rationale

The discussion about what is required at each LOA centred on the degree to which relying parties and federation participants depend on the trustworthiness and security of the CSP.

In addition, it was noted that the UK government, WebTrust (now referenced as SSAE 16 SOC 3) and HIPAA require annual audits.

The “Core plus 50%” scheme is patterned on the Federal PKI assessment scheme. (Nathan Faut to find and forward documentation on what is currently required by the FPKI.)

The main debate concerned LOA 3. It was felt that LOA 3 will be used for significant commercial and healthcare sector credential needs, and that it may become the most commonly used high assurance level; current relying party requirements support this observation.


Document prepared by Andrew Hughes

4 March 2013



Revision History