Hi Scott, Yoshio, I agree that the new text makes it much clearer. Cheers Dave ------------------------------------------------ Dr David Kelsey Particle Physics Department Rutherford Appleton Laboratory Chilton, DIDCOT, OX11 0QX, UK e-mail: D.P.Kelsey@rl.ac.uk Tel: [+44](0)1235 445746 (direct) Fax: [+44](0)1235 446733 ------------------------------------------------
-----Original Message----- From: caops-wg-bounces@ogf.org [mailto:caops-wg-bounces@ogf.org] On Behalf Of Yoshio Tanaka Sent: 17 September 2008 22:14 To: caops-wg@ggf.org Subject: Re: [caops-wg] Comment for Auditing Guidelines Doc.
Hi Scott,
I think the proposed revision is appropriate to avoid any confusion. I'll take this revision.
Thanks,
-- Yoshio Tanaka (yoshio.tanaka@aist.go.jp) http://ninf.apgrid.org/ http://www.apgridpma.org/
From: Scott Rea <Scott.Rea@Dartmouth.EDU> Subject: Re: [caops-wg] Comment for Auditing Guidelines Doc. Date: Wed, 17 Sep 2008 08:59:40 -0400 Message-ID: <48D0FF3C.8050306@Dartmouth.EDU>
How about we amend the last sentence of the 1st paragraph and the entire 2nd paragraph to read as follows to avoid any confusion...
------------------ ...External auditors should be individually and organizationally independent of the PKI that is being audited, internal auditors should at least be individually independent of the PKI that is being audited.
The specific auditor qualification requirements are that they should be competent, independent, understand PKIs, understand auditing methods, and understand IGTF profiles. The following is a list of considerations to undertake when determining the expertise and qualifications of members of the assessment team carrying out a PKI audit (NOTE: These considerations are provided simply in an advisory capacity and not as hard requirements when determining auditor qualifications): .... -------------------
Thoughts?
Regards, _Scott
Kelsey, DP (David) wrote:
Hi Yoshio, Scott,
I think it would be better if the text is modified to make it clearer.
Cheers Dave
------------------------------------------------ Dr David Kelsey Particle Physics Department Rutherford Appleton Laboratory Chilton, DIDCOT, OX11 0QX, UK
e-mail: D.P.Kelsey@rl.ac.uk Tel: [+44](0)1235 445746 (direct) Fax: [+44](0)1235 446733 ------------------------------------------------
-----Original Message----- From: caops-wg-bounces@ogf.org [mailto:caops-wg-bounces@ogf.org] On Behalf Of Yoshio Tanaka Sent: 17 September 2008 04:15 To: caops-wg@ggf.org Subject: Re: [caops-wg] Comment for Auditing Guidelines Doc.
Hi Scott,
Thanks for the prompt reply. I understand. Do you think the draft should be revised to avoid misunderstanding? Or, do you think the current draft should be ok?
Regards,
-- Yoshio Tanaka (yoshio.tanaka@aist.go.jp) http://ninf.apgrid.org/ http://www.apgridpma.org/
From: Scott Rea <Scott.Rea@Dartmouth.EDU> Subject: Re: [caops-wg] Comment for Auditing Guidelines Doc. Date: Tue, 16 Sep 2008 21:43:26 -0400 Message-ID: <48D060BE.50809@Dartmouth.edu>
G'day Yoshio et al,
The dot point list was not meant as a list of "requirements" - it
was
merely a list of "considerations" when determining qualification requirements. The real requirements are in the text of the initial paragraph above i.e. essentially the auditor should be competent, independent, understand PKIs, understand auditing methods, and understand IGTF
profiles.
I.e. no getting the custodial staff, or medical staff, or HR staff
etc
to audit for you - that ain't gonna fly - unless they also have relevant qualifications from the subsequent list. Hope that
clarifies things...
Regards, -Scott
Yoshio Tanaka wrote:
Hi Scott,
As you might see in the meeting minutes which was sent by Dave, we got a comment about Auditor Qualification.
-
-- Auditor Qualification The audit/assessment/evaluation team and the individuals on
that
team, should be qualified to assess the policies and practices of
a
PKI.
Auditors should be competent to evaluate the CA management
processes
and operational procedures, its related IT security components and its PKI-unique elements. A PKI audit team shall consist of individuals who together have the necessary skills and experience
to
assess the policies, procedures and practices of the PKI. Auditors should be individually and organizationally independent of the PKI that is being audited.
The following list comprises a set requirements for considering
the
expertise and qualifications of members of the assessment team carrying out a PKI audit: - Professional Certifications such as CISSP and CISA or
equivalent;
- Successful completion of training courses in assessment of IT security controls; - ...
-
--
We got a comment that the list of requirements is very heavy, particularly the professional certification. Do you intend that auditors must satisfy all the requirements? Would you clarify your intention?
Thanks,
-- Yoshio Tanaka (yoshio.tanaka@aist.go.jp)
-- caops-wg mailing list caops-wg@ogf.org http://www.ogf.org/mailman/listinfo/caops-wg
-- Scott Rea Director, HEBCA|USHER Operating Authority Dartmouth Senior PKI Architect Peter Kiewit Computing Services Dartmouth College HB 6238, #058 Sudikoff Hanover, NH 03755
Em: Scott.Rea@Dartmouth.edu Ph#(603) 646-0968 Ot#(603) 646-9181 Ce#(603) 252-7339
-- caops-wg mailing list caops-wg@ogf.org http://www.ogf.org/mailman/listinfo/caops-wg
-- caops-wg mailing list caops-wg@ogf.org http://www.ogf.org/mailman/listinfo/caops-wg
-- Scott Rea Director, HEBCA Operating Authority Dartmouth College Sr PKI Architect Peter Kiewit Computing Services Dartmouth College HB 6238, #058 Sudikoff Hanover, NH 03755
Em: Scott.Rea@Dartmouth.edu Ph#(603) 646-0968 Ot#(603) 646-9181 Ce#(603) 252-7339
-- caops-wg mailing list caops-wg@ogf.org http://www.ogf.org/mailman/listinfo/caops-wg