Audit: Not just for the finance guys any more!

1. Audit: Not just for the finance guys any more! What to Prepare and What to Expect from your CA auditor

2. Agenda • Types of CA attestation • What to have ready before the auditor arrives • What will happen during the auditor’s visit • What happens when they leave • WIIFM (What’s In It For Me?) • Q & A

3. Purpose • CA attestations are important: “The trust [of the digital certificate] is in the audit.” - Judith Spencer, Federal Identification Credentialling Committee, August 2006

4. Kinds of CA Attestation • Two varieties: 1. Web Trust for CAs (WTCA) • http://ftp.webtrust.org/webtrust_public/tpafile7-8-03fortheweb.doc • Establishes about 200 criteria points against which to measure the CA • Industry-standard attestation • Widely recognized Web Trust Seal • To receive the WT Seal, Webtrust.org generally publicly publishes the CA’s CPS, management assertion letter, and auditor’s opinion letter

5. Kinds of CA Attestation • Two varieties: (cont.) 2. “Compliance review” • Use the CA CP as the criteria – 150+ criteria (e.g., Federal FBCA ~200 elements) • Individualized approach • Final opinion is sent to management for their internal use

6. Kinds of CA Attestation • Consequences: • More criteria often means more time on-site and more information requests • Trust fabric: • WTCA – Published documents fully support trust fabric • “Compliance Review” – unpublished documents do not fully support trust web • Qualified auditors: • WTCA provided by Big Four-plus; • “Compliance Review” may be provided by any CPA or CISA

7. What to Have Ready … • Know the criteria the auditor will be using • Key Generation ceremony documents • Logs, logs, logs – 6 to 12 months’ worth • OS, CA, and other automated logs • Visitor sign-in sheets (lobby, elevator, CA facility, et.al.) • Cameras, badging system, et.al. • Tape backup logs, off-site tracking, tests, test results, etc. • Physical review, including CA login, fire, water, RA, cert creation, incident review and resolution, and other activities • Staff interviews to support separation of duties, training, experience, compliance with established procedures, etc. • Review of the DR site, documents, and DR test(s) results • … and other areas per source criteria (see first bullet)

8. Usual events during a CA attestation • Kick off meeting • Prepared by Client (“PBC”) document/item list • Physical review • Interviews • Status meetings • Update PBC list, etc. • Draft Findings, Draft opinion letter, Draft Representation and Assertion letters • Final report/opinion

9. After We Go … • If opinion qualified: • Review NFRs (Notice/s of Finding and Recommendation) • Change/update documents and procedures • Perform and document updates • Budget and request second attest visit • If opinion unqualified: • For Web Trust: • Opinion letter delivered • CPS and management assertion letter requested and prepped for publication • Web Trust Seal requested, required documents provided • Seal approved and assigned to the client CA site • For “Compliance review”: • Opinion letter delivered

10. WIIFM Remember: “The trust [of the digital certificate] is in the audit.” - Judith Spencer, Federal Identification Credentialling Committee, August 2006 • Prove and increase trust in your certificates • Capture and address weaknesses in your policies, practices, and operational areas • For Web Trust Seal, use the annual engagement as an opportunity to improve processes and/or technology • Increase the Trust Fabric between certificate providers, certificate users, and relying parties within and across digital credential-using organizations

11. Thank You Q & A Nathan Faut KPMG LLP nfaut@kpmg.com