CA/Browser Forum Meeting

Similar documents
EXPOSURE DRAFT. Based on: CA/Browser Forum. Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates Version 1.1.

Telia CA response to Public WebTrust Audit observations 2018

ETSI European CA DAY TRUST SERVICE PROVIDER (TSP) CONFORMITY ASSESSMENT FRAMEWORK. Presented by Nick Pope, ETSI STF 427 Leader

CSF to Support SOC 2 Repor(ng

Trust Service Provider Technical Best Practices Considering the EU eidas Regulation (910/2014)

SOC for cybersecurity

Retirement of SAS 70 and a new generation of Service Organization Control (SOC) Reports

SERVICE ORGANIZATION CONTROL (SOC) REPORTS: WHAT ARE THEY?

Management Assertion Logius 2013

Transitioning from SAS 70 to SSAE 16

To the management of Entrust Datacard Limited (formerly known as Entrust Limited, hereinafter Entrust ) and Trend Micro, Inc.

To the management of Entrust Datacard Limited (formerly known as Entrust Limited, hereinafter Entrust ) and Trend Micro, Inc.

IT Attestation in the Cloud Era

C22: SAS 70 Practices and Developments Todd Bishop, PricewaterhouseCoopers

REPORT OF INDEPENDENT CERTIFIED PUBLIC ACCOUNTANTS

Evaluating SOC Reports and NEW Reporting Requirements

SOC Reports The 2017 Update: What s new, What s not, and What you should be doing with the SOC Reports you receive! Presented by Jeff Pershing

SAS 70 & SSAE 16: Changes & Impact on Credit Unions. Agenda

HITRUST CSF: One Framework

ISACA Cincinnati Chapter March Meeting

REPORT OF INDEPENDENT CERTIFIED PUBLIC ACCOUNTANTS

WHICH SOC REPORT IS RIGHT FOR YOUR CLIENT?

A SERVICE ORGANIZATION S GUIDE SOC 1, 2, & 3 REPORTS

ETSI STF 412 AUDIT GUIDELINES FOR EVC (24 TH JAN 2012)

SSL/TSL EV Certificates

Bugzilla ID: Bugzilla Summary:

Auditing IT General Controls

REPORT OF THE INDEPENDENT ACCOUNTANT

AUDIT GUIDELINES FOR A GOV TSP TSP OF THE BASQUE ADMINISTRATION

Report of Independent Accountants

Report of Independent Accountants

Independent Accountants Report. Utrecht, 28 January To the Management of GBO.Overheid:

Independent Accountant s Report

Service Organization Control (SOC) Reports: What they are and what to do with them MARCH 21, 2017

SOC Reporting / SSAE 18 Update July, 2017

Adopting SSAE 18 for SOC 1 reports

California ISO Audit Results for 2011 SSAE 16 & Looking Forward for 2012 December 15, 2011

Exploring Emerging Cyber Attest Requirements

Apple Corporate Certificates Certificate Policy and Certification Practice Statement. Apple Inc.

The SOC 2 Compliance Handbook:

SAS 70 SOC 1 SOC 2 SOC 3. Type 1 Type 2

Dark Matter L.L.C. DarkMatter Certification Authority

Mastering SOC-1 Attestation Reports Under SSAE 16: Auditing Service Organizations Controls in the Cloud

Independent Accountant s Report

Apple Inc. Certification Authority Certification Practice Statement Worldwide Developer Relations Version 1.10 Effective Date: June 10, 2013

ETSI ESI and Signature Validation Services

Apple Inc. Certification Authority Certification Practice Statement

CGI Deliverables Approval and Maintenance Process

DRAFT REVISIONS BR DOMAIN VALIDATION

Credit Union Service Organization Compliance

ETSI TR V1.1.1 ( )

Global Specification Protocol for Organisations Certifying to an ISO Standard related to Market, Opinion and Social Research.

SAS 70 Audit Concepts. and Benefits JAYACHANDRAN.B,CISA,CISM. August 2010

Apple Inc. Certification Authority Certification Practice Statement

Independent Accountant s Report

Apple Inc. Certification Authority Certification Practice Statement. Apple Application Integration Sub-CA Apple Application Integration 2 Sub-CA

QUALIFYING ATTESTATION LETTER

ERO Enterprise Strategic Planning Redesign

QUALIFYING ATTESTATION LETTER

Independent Assurance Statement

FedRAMP: Understanding Agency and Cloud Provider Responsibilities

Apple Inc. Certification Authority Certification Practice Statement Worldwide Developer Relations

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

Testers vs Writers: Pen tests Quality in Assurance Projects. 10 November Defcamp7

Independent Accountant s Report

SOC Updates: Understanding SOC for Cybersecurity and SSAE 18. May 23, 2017

The Open Group Standards Process Part 1 - Overview. Copyright 2015 The Open Group

Symantec Trust Network (STN) Certificate Policy

Report of Independent Accountants

International Auditing and Assurance Standards Board (IAASB) International Federation of Accountants 545 Fifth Avenue, 14 th Floor New York, NY 10017

OISTE-WISeKey Global Trust Model

Certification Authority

DISCUSSION PAPER. Board of Certification Oral Examination Consistency

HSCIC Audit of Data Sharing Activities:

שרוני - שפלר ושות' רואי חשבון

Performing a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH

PREPARING FOR SOC CHANGES. AN ARMANINO WHITE PAPER By Liam Collins, Partner-In-Charge, SOC Audit Practice

2018 HIPAA One All Rights Reserved. Beyond HIPAA Compliance to Certification

Unisys Corporation April 28, 2017

Weighing in on the Benefits of a SAS 70 Audit for Third Party Administrators

Security and Stability Update!

Project Management Pre-Implementation Project status reporting Post Implementation Assessment Phase Solidify Project Scope

Cybersecurity & Privacy Enhancements

SOC 2 examinations and SOC for Cybersecurity examinations: Understanding the key distinctions

Certificate Policy for the Chunghwa Telecom ecommerce Public Key Infrastructure. Version 1.5

Person determining CPS suitability for the policy CPS approval procedures 1.6. DEFINITIONS AND ACRONYMS

Understanding and Evaluating Service Organization Controls (SOC) Reports

Certification Policy of CERTUM s Certification Services Version 4.0 Effective date: 11 August 2017 Status: archive

Certification Standing Committee (CSC) Charter. Appendix A Certification Standing Committee (CSC) Charter

ISO/IEC overview

ISA 800/805. Proposed changes to ISA 800/ 805 were limited in nature

Reliability Coordinator Procedure PURPOSE... 1

Webtrends Inc. Service Organization Controls (SOC) 3 SM Report on the SaaS Solutions Services System Relevant to Security

Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of the General Data Protection Regulation (2016/679)

CASA External Peer Review Program Guidelines. Table of Contents

DIGITALSIGN - CERTIFICADORA DIGITAL, SA.

DigiCert. Certificate Policy. DigiCert, Inc. Version 4.12 September 8, 2017

RADIAN6 SECURITY, PRIVACY, AND ARCHITECTURE

DigiCert. Certificate Policy

SMART GRID TESTING & CERTIFICATION COMMITTEE (SGTCC) STATUS AND OVERVIEW. May 2011

Transcription:

CA/Browser Forum Meeting WebTrust for CA Update June 21, 2017 Jeff Ward / Don Sheehy / Janet Treasure

Current Status WebTrust for CA 2.1 As you are aware, based on ISO 21188 WebTrust criteria based on frameworks publicly vetted that are generally available to the public The Task Force does not create technical criteria Have proposed changes for the CABF to consider, ballot, vet and vote

Current Status No updates for WebTrust EV WebTrust EV Code signing WebTrust Code signing WebTrust Baseline + NS At present WebTrust for RA Draft version needing CABF comments available soon CABF input will clarify our path to completion some of the critical issues are how much security is needed

Updates to W4CA Updated introduction section, Removed references to WebTrust v1 for Business Practices Disclosures. All CP and CPS documents must now be structured in accordance with RFC 3647 (recommended) or RFC 2527. Updated the following criteria: Criteria 1.1 and 1.2 removed WebTrust v1 references Criteria 2.1 and 2.2 swapped order to be consistent with 1.1 and 1.2 Criterion 3.6 Expanded scope to specifically address hypervisors and network devices

Updates to W4CA Criterion 3.7 Expanded scope to specifically address system patching and change management activities Criterion 3.8 Clarified scope to include requirement for backups of CA information and data to be taken at regular intervals in accordance with the CA s disclosed practices. Criterion 4.5 Clarified scope to include destruction of any copies of CA keys for any purpose, and added illustrative controls addressing formal key destruction ceremonies. Criterion 4.9 New criterion added to address CA Key Transportation events Criterion 4.10 New criterion added to address CA Key Migration events Criterion 7.1 Cross certificate requests added

Audit reporting issues Consistency in reporting has been issue at times Types of audit opinions Unqualified/unmodified (clean) Qualified (except for) Adverse the point where there are too many qualifications Disclaimer work is performed but the report states no opinion is being made by the auditor these are rare

Audit reporting issues As part of reporting templates developed, will provide a sample report that discusses each section of the audit report to provide guidance to the browsers [what they should be looking for etc.] Will try to keep consistency in qualified reports both US and Canada have options that will try to be limited Possible transmittal letter being addressed Distribution of qualified reports being considered for alternatives

Current Status Practitioner Audit Reports US have received AICPA comments to release updated reporting under SSAE 18. Some changes will be for modified reports. Canada and international reports undergoing minor updates to approved versions under CSAE 3000 and CSAE 3001. Task also includes Management Assertions that are given in qualified report scenarios. Practitioner guidance for auditors under development covering public and private CAs. Draft expected later this year.

Report Content Additions Disclosure of Changes in Scope or Roots with no Activity During the year, various roots may be retired and may not be in use at the end of the reporting period. In addition, certain roots that are included in scope may not have issued any certificates. This information is important to users of the report and should be included. Reporting When Certain Criteria Not Applicable as Services Not Performed by CA There will be situations where certain WebTrust criteria are not applicable as the CA does not perform the relevant CA service. (e.g. certificate rekey activities). In these scenarios, it is recommended that the auditor note in the audit report that the criteria were not audited.

Report Content Additions List of Root and Subordinate CAs in Scope All reports issued must list all root and subordinate CAs that were subject to audit. For attestation engagements, this list should match the list provided in management s assertion. The names of the CAs should be presented in a manner consistent with how these names appear in applications that use the CA s certificate (for example, when viewing the certificate chain in a web browser). The most common method of identification would be the Common Name (CN) field in the Subject extension of each CA certificate. The list of CAs should be presented in a clear format. It is preferred to list the CAs in a referenced appendix.

Being discussed WebTrust for Delegated Third Party Providers (DTP) Would include Cloud, OCSP, etc Feedback from CABF on integration of WebTrust for RA Basic guidance developed in past issues will include extent of testing, report leverage, full SOC 2 vs specific testing Criteria for integrity for Certificate Transparency databases Integrity now only face that 2 might have same content that could both be wrong Criteria and audit needed for public/user confidence and potential audit reliance

Some new and old issues Issues in Network Security still leading to qualifications potential modification of the guidelines WebTrust for CA reports should a more detailed version be created similar to SOC 2 (limited distribution/no seal). Cost and usefulness Cloud questions continuing to surface as well as DTP involvement, creating confusion and inconsistency on audit scope The audit standards have changed in US and Canada

CPA Canada latest changes CPA Canada Gord Beal Kaylynn Pippo John Tabone Janet Treasure Lori Anastacio Bryan Walker Consultant to CPA Canada - Don Sheehy ( Vice chair) Task Force Members and Technical Support Volunteers Jeff Ward BDO Daniel Adam Deloitte (Chair) Chris Czajczyc Deloitte Tim Crawford BDO Reema Anand KPMG Zain Shabbir KPMG David Roque EY Donoghue Clarke EY

Reporting Structure/Roles Gord Beal WebTrust falls into Guidance and Support activities of CPA Canada Janet Treasure Seal system responsibility / product responsibility Bryan Walker Licensing advisor Don Sheehy - Task Force and CABF Jeff Ward - Chair of the WebTrust Task Force and primary contact All Task Force members provide WebTrust services to clients Volunteers are supported by additional technical associates and CPA Canada liaison but report to CPA Canada

Thank you. Questions??

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback