G'day Yoshio et al, The dot point list was not meant as a list of "requirements" - it was merely a list of "considerations" when determining qualification requirements. The real requirements are in the text of the initial paragraph above i.e. essentially the auditor should be competent, independent, understand PKIs, understand auditing methods, and understand IGTF profiles. I.e. no getting the custodial staff, or medical staff, or HR staff etc to audit for you - that ain't gonna fly - unless they also have relevant qualifications from the subsequent list. Hope that clarifies things... Regards, -Scott Yoshio Tanaka wrote:
Hi Scott,
As you might see in the meeting minutes which was sent by Dave, we got a comment about Auditor Qualification.
---------------------------------------------------------------------- Auditor Qualification The audit/assessment/evaluation team and the individuals on that team, should be qualified to assess the policies and practices of a PKI. Auditors should be competent to evaluate the CA management processes and operational procedures, its related IT security components and its PKI-unique elements. A PKI audit team shall consist of individuals who together have the necessary skills and experience to assess the policies, procedures and practices of the PKI. Auditors should be individually and organizationally independent of the PKI that is being audited.
The following list comprises a set requirements for considering the expertise and qualifications of members of the assessment team carrying out a PKI audit: - Professional Certifications such as CISSP and CISA or equivalent; - Successful completion of training courses in assessment of IT security controls; - ... ----------------------------------------------------------------------
We got a comment that the list of requirements is very heavy, particularly the professional certification. Do you intend that auditors must satisfy all the requirements? Would you clarify your intention?
Thanks,
-- Yoshio Tanaka (yoshio.tanaka@aist.go.jp) http://ninf.apgrid.org/ http://www.apgridpma.org/
-- caops-wg mailing list caops-wg@ogf.org http://www.ogf.org/mailman/listinfo/caops-wg
-- Scott Rea Director, HEBCA|USHER Operating Authority Dartmouth Senior PKI Architect Peter Kiewit Computing Services Dartmouth College HB 6238, #058 Sudikoff Hanover, NH 03755 Em: Scott.Rea@Dartmouth.edu Ph#(603) 646-0968 Ot#(603) 646-9181 Ce#(603) 252-7339