To the management of Entrust Datacard Limited (formerly known as Entrust Limited, hereinafter "Entrust") and Trend Micro, Inc.


Audit Tax Advisory
Grant Thornton LLP
2001 Market Street, Suite 700
Philadelphia, PA 19103-7080
T 215.561.4200
F 215.561.1066
www.grantthornton.com

Report of Independent Practitioner

To the management of Entrust Datacard Limited (formerly known as Entrust Limited, hereinafter "Entrust") and Trend Micro, Inc. ("Trend Micro"):

We have examined Entrust and Trend Micro management's assertions that for their Certification Authority (CA) operations at Santa Clara, California and Norcross, Georgia, USA, throughout the following periods:

- As to the Root CAs listed on Attachment A, for the period April 1, 2016 to June 7, 2016, and
- As to the Issuing CAs listed on Attachment B and CA operations, for the period April 1, 2016 to January 29, 2017,

Entrust and Trend Micro have:

- disclosed their business, key lifecycle management, certificate lifecycle management, and CA environment control practices in Attachment C
- maintained effective controls to provide reasonable assurance that Entrust and Trend Micro provide their services in accordance with their Certification Practice Statement
- maintained effective controls to provide reasonable assurance that:
  o the integrity of keys and certificates they manage is established and protected throughout their lifecycles;
  o the integrity of subscriber keys and certificates they manage is established and protected throughout their lifecycles;
  o subscriber information is properly authenticated (for the registration activities performed by Entrust and Trend Micro); and
  o subordinate CA certificate requests are accurate, authenticated, and approved
- maintained effective controls to provide reasonable assurance that:
  o logical and physical access to CA systems and data is restricted to authorized individuals;
  o the continuity of key and certificate management operations is maintained; and
  o CA systems development, maintenance, and operations are properly authorized and performed to maintain CA systems integrity

based on the WebTrust Principles and Criteria for Certification Authorities v2.0.

Entrust's and Trend Micro's management is responsible for its assertions. Our responsibility is to express an opinion on management's assertions based on our examination.

We conducted our examination in accordance with standards for attestation engagements established by the American Institute of Certified Public Accountants and, accordingly, included: (1) obtaining an understanding of Entrust's and Trend Micro's key and certificate lifecycle management business practices and their controls over key and certificate integrity, over the authenticity and confidentiality of subscriber and relying party information, over the continuity of key and certificate lifecycle management operations and over development, maintenance and operation of systems integrity; (2) selectively testing transactions executed in accordance with disclosed key and certificate lifecycle management business practices; (3) testing and evaluating the operating effectiveness of the controls; and (4) performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion.

The relative effectiveness and significance of specific controls at Entrust and Trend Micro and their effect on assessments of control risk for subscribers and relying parties are dependent on their interaction with the controls, and other factors present at individual subscriber and relying party locations. We have performed no procedures to evaluate the effectiveness of controls at individual subscriber and relying party locations.

Because of the nature and inherent limitations of controls, Entrust's and Trend Micro's ability to meet the aforementioned criteria may be affected. For example, controls may not prevent, or detect and correct, error, fraud, unauthorized access to systems and information, or failure to comply with internal and external policies or requirements. Also, the projection of any conclusions based on our findings to future periods is subject to the risk that changes may alter the validity of such conclusions.

In our opinion, throughout the period April 1, 2016 to January 29, 2017, Entrust and Trend Micro management's assertions, as referred to above, are fairly stated, in all material respects, based on the WebTrust Principles and Criteria for Certification Authorities v2.0.

This report does not include any representation as to the quality of Entrust's or Trend Micro's services beyond those covered by the WebTrust Principles and Criteria for Certification Authorities v2.0, nor the suitability of any of Entrust's or Trend Micro's services for any customer's intended purpose.

Grant Thornton LLP
Philadelphia, Pennsylvania
June 30, 2017

ATTACHMENT A
LIST OF IN SCOPE ROOT CAs

Root CAs

AffirmTrust Commercial
  Serial no: 77:77:06:27:26:A9:B1:7C
  SHA-1 Thumbprint: F9:B5:B6:32:45:5F:9C:BE:EC:57:5F:80:DC:E9:6E:2C:C7:B2:78:B7

AffirmTrust Networking
  Serial no: 7C:4F:04:39:1C:D4:99:2D
  SHA-1 Thumbprint: 29:36:21:02:8B:20:ED:02:F5:66:C5:32:D1:D6:ED:90:9F:45:00:2F

AffirmTrust Premium
  Valid until: December 31, 2040
  Serial no: 6D:8C:14:46:B1:A6:0A:EE
  SHA-1 Thumbprint: D8:A6:33:2C:E0:03:6F:B1:85:F6:63:4F:7D:6A:06:65:26:32:28:27

AffirmTrust Premium ECC
  Valid until: December 31, 2040
  Serial no: 74:97:25:8A:C7:3F:7A:54
  SHA-1 Thumbprint: B8:23:6B:00:2F:1D:16:86:53:01:55:6C:11:A4:37:CA:EB:FF:C3:BB

ATTACHMENT B
LIST OF IN SCOPE ISSUING CAs

Issuing CAs [Certificate Type]

Trend Micro CA [OV and EV]
  Serial no: 3D:84:7C:1B:4A:BB:32:02
  SHA-1 Thumbprint: 2C:DD:A6:CE:33:E1:FE:7C:1B:05:41:1F:17:A6:66:A7:83:D7:F5:6A

Trend Micro S2 CA [OV and EV]
  Serial no: 5B:46:99:90:EC:75:9D:34
  SHA-1 Thumbprint: E2:7C:71:03:AD:E2:D6:F3:40:7E:05:AD:05:28:EE:89:C3:63:6E:85

AffirmTrust Commercial Extended Validation CA [EV]
  Serial no: 63:1B:F9:0C:8A:B0:2C:81
  SHA-1 Thumbprint: 81:2F:ED:60:49:9B:92:C5:A8:06:AD:F7:6B:6C:34:C2:3B:2D:08:57

AffirmTrust Networking Extended Validation CA [EV]
  Serial no: 23:90:15:C7:F6:78:80:46
  SHA-1 Thumbprint: 29:81:D1:9F:DB:BE:47:39:91:3C:CE:EF:5A:B0:52:E2:D7:77:14:E9

AffirmTrust Premium Extended Validation CA [EV]
  Valid until: December 31, 2040
  Serial no: 0B:CF:CF:37:59:C2:F5:86
  SHA-1 Thumbprint: 5B:A0:2E:26:95:0A:40:B3:59:3D:C9:E3:DE:A8:C7:C5:A3:AF:42:C6

AffirmTrust Premium ECC Extended Validation CA [EV]
  Valid until: December 31, 2040
  Serial no: 10:7C:AA:12:EC:D6:8C:54
  SHA-1 Thumbprint: 7F:B9:17:9F:3F:78:03:B3:C9:96:45:FE:C8:2F:28:79:26:B9:90:55

Trend Micro Gold CA [OV and EV]
  Valid until: November 2, 2019
  Serial no: 00:84:3C:74:B1:AA:34:86:B1:C4:C7:A0:DF:55:B5:E9
  SHA-1 Thumbprint: D3:0A:E0:1F:70:BB:BF:F3:6B:2C:EA:DE:0A:A0:F8:C7:AA:82:21:1C

Trend Micro Silver CA [OV and EV]
  Valid until: November 2, 2019
  Serial no: 00:83:55:1B:D2:38:4F:68:E0:42:05:B8:37:D4:8D:87
  SHA-1 Thumbprint: 8B:78:C4:59:FB:11:83:BE:10:27:6B:9C:6B:62:30:81:C8:49:36:57

ATTACHMENT C
LIST OF AFFIRMTRUST CERTIFICATION PRACTICE STATEMENTS

CPS Name                                                    Version   Date
Trend Micro SSL Certification Practice Statement            2.2       18 November 2015
Entrust Trend Micro SSL Certification Practice Statement    2.3       29 April 2016
AffirmTrust Certification Practice Statement                3.0       3 December 2016

Entrust Datacard Corporate Headquarters
1187 Park Place
Shakopee, MN 55379 USA

ENTRUST MANAGEMENT'S ASSERTION

Entrust Datacard Limited (formerly known as Entrust Limited, hereinafter "Entrust") operates the Certification Authority (CA) services as enumerated in Attachment A, and provides the following CA services:

- Subscriber registration
- Certificate renewal
- Certificate rekey
- Certificate issuance
- Certificate distribution
- Certificate revocation
- Certificate validation
- Subordinate CA certification

The management of Entrust is responsible for establishing and maintaining effective controls over its CA operations, including its CA business practices disclosure on its website, CA business practices management, CA environmental controls, CA key lifecycle management controls, subscriber key lifecycle management controls, certificate lifecycle management controls, and subordinate CA certificate lifecycle management controls. These controls contain monitoring mechanisms, and actions are taken to correct deficiencies identified.

There are inherent limitations in any controls, including the possibility of human error, and the circumvention or overriding of controls. Accordingly, even effective controls can only provide reasonable assurance with respect to Entrust's Certification Authority operations. Furthermore, because of changes in conditions, the effectiveness of controls may vary over time.

Entrust management has assessed its disclosures of its certificate practices and controls over its CA services. Based on that assessment, in Entrust management's opinion, in providing its Certification Authority (CA) services at Santa Clara, California and Norcross, Georgia USA, throughout the period April 29, 2016 to January 29, 2017, Entrust has:

- disclosed its business, key lifecycle management, certificate lifecycle management, and CA environment control practices in its Certification Practice Statements as enumerated in Attachment B
- maintained effective controls to provide reasonable assurance that Entrust provides its services in accordance with its Certification Practices Statements

- maintained effective controls to provide reasonable assurance that:
  o the integrity of keys and certificates it manages is established and protected throughout their lifecycles;
  o the integrity of subscriber keys and certificates it manages is established and protected throughout their lifecycles;
  o subscriber information is properly authenticated (for the registration activities performed by Entrust); and
  o subordinate CA certificate requests are accurate, authenticated, and approved
- maintained effective controls to provide reasonable assurance that:
  o logical and physical access to CA systems and data is restricted to authorized individuals;
  o the continuity of key and certificate management operations is maintained; and
  o CA systems development, maintenance, and operations are properly authorized and performed to maintain CA systems integrity

based on the WebTrust Principles and Criteria for Certification Authorities v2.0, including the following:

CA Business Practices Disclosure
- Certification Practice Statement (CPS)

CA Business Practices Management
- Certification Practice Statement Management

CA Environmental Controls
- Security Management
- Asset Classification and Management
- Personnel Security
- Physical & Environmental Security
- Operations Management
- System Access Management
- System Development and Maintenance
- Business Continuity Management
- Monitoring and Compliance
- Audit Logging

CA Key Lifecycle Management Controls
- CA Key Generation
- CA Key Storage, Backup, and Recovery
- CA Public Key Distribution
- CA Key Usage
- CA Key Archival and Destruction
- CA Key Compromise
- CA Cryptographic Hardware Lifecycle Management

Certificate Lifecycle Management Controls
- Subscriber Registration
- Certificate Renewal
- Certificate Rekey
- Certificate Issuance
- Certificate Distribution
- Certificate Revocation
- Certificate Validation

Subordinate CA Certificate Lifecycle Management Controls
- Subordinate CA Certificate Lifecycle Management

Very truly yours,

Kirk R. Hall
Director Policy and Compliance SSL
June 30, 2017

ATTACHMENT A
LIST OF IN SCOPE ROOT CAs

Root CAs

AffirmTrust Commercial
  Serial no: 77:77:06:27:26:A9:B1:7C
  SHA-1 Thumbprint: F9:B5:B6:32:45:5F:9C:BE:EC:57:5F:80:DC:E9:6E:2C:C7:B2:78:B7

AffirmTrust Networking
  Serial no: 7C:4F:04:39:1C:D4:99:2D
  SHA-1 Thumbprint: 29:36:21:02:8B:20:ED:02:F5:66:C5:32:D1:D6:ED:90:9F:45:00:2F

AffirmTrust Premium
  Valid until: December 31, 2040
  Serial no: 6D:8C:14:46:B1:A6:0A:EE
  SHA-1 Thumbprint: D8:A6:33:2C:E0:03:6F:B1:85:F6:63:4F:7D:6A:06:65:26:32:28:27

AffirmTrust Premium ECC
  Valid until: December 31, 2040
  Serial no: 74:97:25:8A:C7:3F:7A:54
  SHA-1 Thumbprint: B8:23:6B:00:2F:1D:16:86:53:01:55:6C:11:A4:37:CA:EB:FF:C3:BB

ATTACHMENT B
LIST OF AFFIRMTRUST CERTIFICATION PRACTICE STATEMENTS

CPS Name                                                    Version   Date
Entrust Trend Micro SSL Certification Practice Statement    2.3       29 April 2016
AffirmTrust Certification Practice Statement                3.0       3 December 2016