שרוני - שפלר ושות' רואי חשבון

Similar documents
REPORT OF INDEPENDENT CERTIFIED PUBLIC ACCOUNTANTS

Independent Accountant s Report

REPORT OF THE INDEPENDENT ACCOUNTANT

To the management of Entrust Datacard Limited (formerly known as Entrust Limited, hereinafter Entrust ) and Trend Micro, Inc.

REPORT OF INDEPENDENT CERTIFIED PUBLIC ACCOUNTANTS

Independent Accountants Report. Utrecht, 28 January To the Management of GBO.Overheid:

Management Assertion Logius 2013

To the management of Entrust Datacard Limited (formerly known as Entrust Limited, hereinafter Entrust ) and Trend Micro, Inc.

Independent Accountant s Report

Report of Independent Accountants

Report of Independent Accountants

Report of Independent Accountants

Independent Accountant s Report

Independent Accountant s Report

Apple Corporate Certificates Certificate Policy and Certification Practice Statement. Apple Inc.

Period from October 1, 2013 to September 30, 2014

Independent Certified Public Accountant s Report

Apple Inc. Certification Authority Certification Practice Statement

Apple Inc. Certification Authority Certification Practice Statement

Apple Inc. Certification Authority Certification Practice Statement. Apple Application Integration Sub-CA Apple Application Integration 2 Sub-CA

ECC Certificate Addendum to the Comodo EV Certification Practice Statement v.1.03

Certificate Policy for the Chunghwa Telecom ecommerce Public Key Infrastructure. Version 1.5

Apple Inc. Certification Authority Certification Practice Statement Worldwide Developer Relations Version 1.10 Effective Date: June 10, 2013

Apple Inc. Certification Authority Certification Practice Statement Worldwide Developer Relations

SERVICE ORGANIZATION CONTROL 3 REPORT

CERTIFICATE POLICY CIGNA PKI Certificates

EXPOSURE DRAFT. Based on: CA/Browser Forum. Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates Version 1.1.

SSL Certificates Certificate Policy (CP)

OISTE-WISeKey Global Trust Model

TeliaSonera Gateway Certificate Policy and Certification Practice Statement

Certification Practice Statement of the Federal Reserve Banks Services Public Key Infrastructure

PKI-An Operational Perspective. NANOG 38 ARIN XVIII October 10, 2006

Information for entity management. April 2018

DIGITALSIGN - CERTIFICADORA DIGITAL, SA.

Dark Matter L.L.C. DarkMatter Certification Authority

Operational Research Consultants, Inc. (ORC) Access Certificates For Electronic Services (ACES) Certificate Practice Statement Summary. Version 3.3.

X.509 Certificate Policy for the New Zealand Government PKI RSA Individual - Software Certificates (Medium Assurance)

Volvo Group Certificate Practice Statement

QuoVadis Trustlink Schweiz AG Teufenerstrasse 11, 9000 St. Gallen

OpenADR Alliance Certificate Policy. OpenADR-CP-I

Digi-CPS. Certificate Practice Statement v3.6. Certificate Practice Statement from Digi-Sign Limited.

DECISION OF THE EUROPEAN CENTRAL BANK

Technical Trust Policy

Raytheon Company Public Key Infrastructure (PKI) Certificate Policy

Bugzilla ID: Bugzilla Summary:

thawte Certification Practice Statement Version 3.4

VeriSign External Certification Authority Certification Practice Statement

Lockheed Martin Enterprise Public Key Infrastructure Certificate Policy (CP)

CSF to Support SOC 2 Repor(ng

SOC 3 for Security and Availability

National Identity Exchange Federation. Trustmark Signing Certificate Policy. Version 1.0. Published October 3, 2014 Revised March 30, 2016

United States Department of Defense External Certification Authority X.509 Certificate Policy

GlobalSign Certificate Policy

IT Attestation in the Cloud Era

The appendix to the certificate is part of the certificate and consists of 4 pages.

Public Key Infrastructures

THE WALT DISNEY COMPANY PUBLIC KEY INFRASTRUCTURE CERTIFICATE POLICY. November 2015 Version 4.0. Copyright , The Walt Disney Company

SAS 70 SOC 1 SOC 2 SOC 3. Type 1 Type 2

Smart Meters Programme Schedule 2.1

GlobalSign Certificate Policy

CIS-331 Final Exam Spring 2015 Total of 115 Points. Version 1

Certificate. Certificate number: Certified by EY CertifyPoint since: July 10, 2018

Rules for the Certification of Business Continuity Management Systems

X.509 Certificate Policy For The Virginia Polytechnic Institute and State University Certification Authorities

Avira Certification Authority Policy

C22: SAS 70 Practices and Developments Todd Bishop, PricewaterhouseCoopers

Acquirer JCB EMV Test Card Set

LAWtrust AeSign CA Certification Practice Statement (LAWtrust AeSign CA CPS)

CERN. CERN Certification Authority Certificate Policy and Certificate Practice Statement DRAFT. Emmanuel Ormancey, Paolo Tedesco, Alexey Tselishchev

Certification Practices Statement

Webtrends Inc. Service Organization Controls (SOC) 3 SM Report on the SaaS Solutions Services System Relevant to Security

Identity Documents Personalisation Centre. Conformity Assessment Report: Conformity Certificate and Summary. T-Systems

QUALIFYING ATTESTATION LETTER

Trust Service Provider Technical Best Practices Considering the EU eidas Regulation (910/2014)

RISK ASSESSMENTS AND INTERNAL CONTROL CIS CHARACTERISTICS AND CONSIDERATIONS CONTENTS

Audit Considerations Relating to an Entity Using a Service Organization

Certificate Policy for Deployment and Operation of European Cooperative Intelligent Transport Systems (C-ITS)

Northrop Grumman Enterprise Public Key Infrastructure Certificate Policy

Version July 21, Waples Mill Road. South Tower, Suite 210. Fairfax, VA Date:

GlobalSign Certificate Policy

WISeKey SA ADVANCED SERVICES ISSUING CERTIFICATION AUTHORITY CERTIFICATION PRACTICE STATEMENT

INTERNATIONAL STANDARD ON AUDITING 505 EXTERNAL CONFIRMATIONS CONTENTS

Making trust evident Reporting on controls at Service Organizations

Learning Objectives. External confirmations procedures as per SA330 and SA 500 requirements

FPKIPA CPWG Antecedent, In-Person Task Group

CA/Browser Forum Meeting

Symantec Trust Network (STN) Certificate Policy

Validation Policy r tra is g e R ANF AC MALTA, LTD

Certification Practice Statement

National Identity Exchange Federation. Certificate Policy. Version 1.1

Unisys Corporation April 28, 2017

Acquirer JCB Dual Interface EMV Test Card Set

Certification Policy & Practice Statement

Starfield Technologies, LLC. Certificate Policy and Certification Practice Statement (CP/CPS)

e-authentication guidelines for esign- Online Electronic Signature Service

X.509 Certificate Policy. For The Federal Bridge Certification Authority (FBCA)

INTERNATIONAL CIVIL AVIATION ORGANIZATION ASIA and PACIFIC OFFICE ASIA/PAC RECOMMENDED SECURITY CHECKLIST

dataedge CA Certificate Issuance Policy

ZETES TSP QUALIFIED CA

Morningstar ByAllAccounts Service Security & Privacy Overview

Transcription:

SHARONY SHEFLER & CO. C.P.A. שרוני - שפלר ושות' רואי חשבון SHARONY ARIE SHEFLER ELI SHEFLER EREZ ESHEL BARUCH DARVISH TZION PRIESS HANA BERMAN GIL LEIBOVITCH SHLOMO SHAYZAF JACOB, Adv. Eng., M.Sc שרוני אריה שפלר אלי שפלר ארז אשל ברוך דרויש ציון פרייס חנה ברמן גיל לייבוביץ שלמה שיזף יעקב, עורך דין מהנדס, תעשיה וניהול REPORT OF THE INDEPENDENT ACCOUNTANT To the management of Comsign Ltd. ( Comsign ): We have examined Comsign management s assertion that for its Certification Authority (CA) operations at the Atidim Teach Park, building #4 Tel-Aviv, Israel, throughout the period from April 27, 2017 through, for its self-signed Root Keys CAs as enumerated in "Attachment A" Comsign has: disclosed its business, key lifecycle management, certificate lifecycle management, and CA environment control practices in its: o Comsign's Certification Practice Statement (CPS) Version 4.2 (English Version) o Comsign's Certification Practice Statement (CPS) Version 3.1.1 (Hebrew Version) maintained effective controls to provide reasonable assurance that: o Comsign provides its services in accordance with its Certification Practice Statement. maintained effective controls to provide reasonable assurance that: o the integrity of keys and certificates it manages is established and protected throughout their lifecycles; o the integrity of subscriber keys and certificates it manages is established and protected throughout their lifecycles; o subscriber information is properly authenticated (for the registration activities performed by Comsign; and o subordinate CA certificate requests are accurate, authenticated, and approved maintained effective controls to provide reasonable assurance that: o logical and physical access to CA systems and data is restricted to authorized individuals; o the continuity of key and certificate management operations is maintained; and o CA systems development, maintenance, and operations are properly authorized and performed to maintain CA systems integrity Based on the WebTrust Principles and Criteria for Certification Authorities v2.1. Comsign s management is responsible for its assertion. Our responsibility is to express an opinion on management s assertion based on our examination. בית אמות ביטוח, דרך מנחם בגין 48, תל אביב 6618001, טל. 03-6134646 פקס. 03-6134747 Amot Bituach House, Derech Menachem Begin 48, Tel Aviv-Yafo 6618001, ISRAEL, Tel. 972-3-6134646 Fax. 972-3-6134747 email: info@srsfcpa.co.il

2 The relative effectiveness and significance of specific controls at Comsign and their effect on assessments of control risk for subscribers and relying parties are dependent on their interaction with the controls, and other factors present at individual subscriber and relying party locations. Our examination did not extend to controls at individual subscriber and relying party locations and we have not evaluated the effectiveness of such controls. Comsign makes use of external registration authorities for specific subscriber registration activities as disclosed in Comsign s business practices. Our examination did not extend to the controls exercised by these external registration authorities. Comsign does not escrow its CA keys, does not transport its CA keys, does not provide certificate rekey services, and does not provide Subscriber key escrow services, does not provide subscriber key management services, does not provide OCSP services and does not provide subscriber key storage and recovery services. Accordingly, our examination did not extend to controls that would address those criteria. Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform the examination to obtain reasonable assurance about whether management s assertion is fairly stated, in all material respects. An examination involves performing procedures to obtain evidence about management s assertion. The nature, timing, and extent of the procedures selected depend on our judgment, including an assessment of the risks of material misstatement of management s assertion, whether due to fraud or error. We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion. Because of the nature and inherent limitations of controls, Comsign s ability to meet the aforementioned criteria may be affected. For example, controls may not prevent, or detect and correct, error, fraud, unauthorized access to systems and information, or failure to comply with internal and external policies or requirements. Also, the projection of any conclusions based on our findings to future periods is subject to the risk that changes may alter the validity of such conclusions. In our opinion management s assertion, as referred to above, is fairly stated, in all material respects. This report does not include any representation as to the quality of Comsign s services than its CA operations at Atidim Teach Park, building #4 Tel-Aviv, Israel, nor the suitability of any of Comsign s services for any customer's intended purpose. Erez Shefler, CPA, CISA, CRISC, CIA, CRMA Sharony - Shefler & Co. Certified Public Accountants (Isr.) SHARONY - SHEFLER & CO. C.P.A. שרוני - שפלר ושות' רואי חשבון

3 Attachment A Signature hash algorithm Issuer Thumbprint Comsign Global Root CA SHA256 ae 3b 31 bf 8f d8 91 07 9c f1 df 34 cb ce 6e 70 d3 7f b5 b0 ComSign International Root CA SHA256 CN = ComSign International Root CA f6 96 55 b5 e7 4b 5d ee 56 7f dd ba eb 31 6f 6c 73 fd 53 d3 Signature hash algorithm Issuer ComSign ISA Global CA ComSign Corporations CA ComSign Professionals CA SHA256 SHA256 SHA256 Thumbprint 89 b6 83 25 d6 c6 bd 4a 46 03 8e 10 20 29 5e 4a 11 09 63 57 08 d4 48 db 12 a0 ca 75 2c a5 46 7d 1f 07 d3 70 1a 15 d5 9c cf 9e 32 5f e3 fd 2d d6 af 08 8d e4 87 07 fa 10 83 93 41 00 SHARONY - SHEFLER & CO. C.P.A. שרוני - שפלר ושות' רואי חשבון

1 Assertion of Management as to its Disclosure of its Business Practices and its Controls Over its Certification Authority Operations during the period from April 27, 2017 through Comsign operates as a Certification Authority ("CA") for the Root Keys: "Comsign Global Root CA", "Comsign Secured CA" and "Comsign CA" (Root key"). Comsign's CA Ltd. services provide the following certification authority activities : Comsign Ltd. ( Comsign ) operates the Certification Authority (CA) services known as (see attachment A included in audit report), and provides the following CA services: Subscriber Registration Certificate Renewal Certificate Issuance Certificate Revocation Certificate suspension Certificate Validation Certificate Status Information Processing, and Subscriber key generation. The management of Comsign is responsible for establishing and maintaining effective controls over its CA operations, including its CA business practices disclosure on its website, CA business practice management, CA environmental controls, CA life cycle management controls, certificate lifecycle management controls, and subordinate CA certificate lifecycle management controls. These controls contain monitoring mechanisms and actions taken to correct deficiencies identified. There are inherent limitations in any controls, including the possibility of human error and the circumvention or overriding of controls. Accordingly, even effective controls can provide only reasonable assurance with respect to Comsign's CA operations. Furthermore, because of changes in conditions, the effectiveness of controls may vary over time. Comsign management has assessed its disclosure of its certificate practices and controls over its CA services. Based on that assessment, in Comsign Management's opinion, in providing its Certification Authority (CA) services at the Atidim Teach Park, building #4 Tel-Aviv, Israel location throughout the period from April 27, 2017 through, Comsign has :

2 disclosed its business, key life cycle management, certificate life cycle management and CA environmental control practices in its: o Comsign's Certification Practice Statement (CPS) Version 4.2 (English Version). o Comsign's Certification Practice Statement (CPS) Version 3.1.1 (Hebrew Version). maintained effective controls to provide reasonable assurance that: o Comsign provides its services in accordance with its Certification Practice Statement. maintained effective controls to provide reasonable assurance that: o the integrity of the keys and certificates it manages is established and protected throughout their life cycles; o the integrity of subscriber keys and certificates it manages is established and protected throughout their life cycles; and o Subscriber information is properly authenticated (for the registration activities performed by Comsign). maintained effective controls to provide reasonable assurance that: o logical and physical access to CA systems and data is restricted to authorized individuals; o the continuity of key and certificate management operations is maintained; and o CA systems development, maintenance and operations are properly authorized and performed to maintain CA systems integrity. based on the AICPA/CICA WebTrust - Trust Services Criteria for Certification Authorities v2.1, including the following : CA Business Practices Disclosure Certificate Practice Statement (CPS) CA Business Practices Management Certificate Policy Management Certification Practice Statement Management CA Environmental Controls Security Management Asset Classification and Management Personnel Security Physical & Environmental Security Operations Management System Access Management

3 Systems Development and Maintenance Business Continuity Management Monitoring and Compliance Audit Logging CA Key Lifecycle Management Controls CA Key Generation CA Key Storage, Backup, and Recovery CA Public Key Distribution CA Key Usage CA Key Archival and Destruction CA Key Compromise CA Cryptographic Hardware Lifecycle Management Subscriber Key Lifecycle Management Controls CA-Provided Subscriber Key Generation Services Integrated Circuit Card (ICC) Lifecycle Management Requirements for Subscriber Key Management Certificate Life Cycle Management Controls Subscriber Registration Certificate Renewal Certificate Issuance Certificate Distribution Certificate Revocation Certificate Suspension Certificate Validation Subordinate CA Certificate Lifecycle Management Controls Subordinate CA Certificate Lifecycle Management Zeev Shetach, CEO Comsign Ltd.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback