
PKI Audits and Assessments: A Comprehensive Overview



Presentation Transcript


  1. PKI Audits and Assessments: An insider’s view
     Nathan Faut, Senior Associate, KPMG

  2. Agenda
     • Background
     • PKI “Audit” Activities
     • PKI and other “Audit” Activities
     • Short-term look into what’s ahead
     • Q&A

  3. Background
     • CISA, December 2005
     • Completed WebTrust engagements for DEA, USPS
     • Previously helped establish HEPKI PA
     • Previously worked with Cybertrust, a PKI vendor

  4. PKI “Audit” Activities
     • Audit vs. attestation
     • ABA PKI Assessment Guidelines
     • CA Control Objectives
     • CA Audit criteria
     • AICPA/CICA WebTrust for CA
     • FBCA Compliance Assessments
     • “The trust is in the auditor’s opinion” – Judy Spencer

  5. Other “Audit” Criteria and Controls
     • Certification & Accreditation (C&A) per OMB A-130, NIST SP 800-37, SP 800-53, et al.
     • Federal Information Security Management Act (FISMA)
     • Financial Audits

  6. CA “Audit” Expectations
     • Have all CA documents in final form and ready (tip: do a pre-audit CP-to-CPS map)
     • Plan to reproduce 6 to 12 months of data, including physical access logs, server logs, incident logs and reports, etc.
     • Decide what documents or parts of documents to make public
     • Expect to educate and be educated
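The "pre-audit CP-to-CPS map" tip on this slide can be made concrete. RFC 3647 gives a Certificate Policy (CP) and a Certification Practice Statement (CPS) the same section outline, and a WebTrust or FBCA assessor will typically walk the CP section by section and ask where the CPS says how each requirement is met. The script below is an added example, not part of the presentation or of any KPMG methodology: it parses two RFC 3647-numbered documents, pairs each CP section with its CPS counterpart, and flags the two gaps an auditor finds first, a CP section the CPS never addresses and a CP requirement the CPS answers only with "No stipulation". The two documents are constructed, abbreviated samples; the heading regex, the "no stipulation" test and the status names are assumptions about how such documents are written.

```python
"""Pre-audit CP-to-CPS map (added example; assumptions noted inline)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: headings are RFC 3647-style ("5.", "5.1", "5.4.3") followed by a
# title that starts with a capital letter; body lines never start with a digit.
SECTION_RE = re.compile(r"^(\d+(?:\.\d+)*)\.?\s+([A-Z].*)$")
# Assumption: a CPS that declines to address a section says "No stipulation".
NO_STIPULATION_RE = re.compile(r"\bno\s+stipulation\b", re.IGNORECASE)

# Constructed sample CP (what the policy requires).
SAMPLE_CP = """\
5. FACILITY, MANAGEMENT, AND OPERATIONAL CONTROLS
5.1 Physical Controls
5.1.2 Physical Access
Access to CA equipment shall be limited to authorized personnel and
shall be logged. Access logs shall be retained for at least one year.
5.4 Audit Logging Procedures
5.4.1 Types of Events Recorded
All security-relevant CA events shall be recorded, including key
generation, certificate issuance and revocation, and system access.
5.4.3 Retention Period for Audit Log
Audit logs shall be retained on site for at least two months and
archived for the period required by the Certificate Policy.
6.2.4 Private Key Backup
CA private keys shall be backed up under multi-person control.
"""

# Constructed sample CPS (what the CA says it actually does).
SAMPLE_CPS = """\
5. FACILITY, MANAGEMENT, AND OPERATIONAL CONTROLS
5.1 Physical Controls
5.1.2 Physical Access
The CA room is protected by badge plus PIN; every entry is written to the
badge system log, which is retained for three years.
5.4 Audit Logging Procedures
5.4.1 Types of Events Recorded
The CA software records key ceremonies, issuance, revocation, and all
administrator logins to its audit journal.
5.4.3 Retention Period for Audit Log
No stipulation.
"""


def parse_sections(text: str) -> Dict[str, str]:
    """Map section number -> body text for an RFC 3647-numbered document."""
    sections: Dict[str, str] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections[current] = ""
        elif current is not None and line.strip():
            sections[current] += line.strip() + " "
    return {num: body.strip() for num, body in sections.items()}


@dataclass(frozen=True)
class MapEntry:
    section: str
    cp_text: str
    cps_text: Optional[str]  # None when the CPS has no section with this number

    @property
    def status(self) -> str:
        if self.cps_text is None:
            return "MISSING"  # CPS never addresses this CP section
        if NO_STIPULATION_RE.search(self.cps_text) and not NO_STIPULATION_RE.search(self.cp_text):
            return "UNADDRESSED"  # CP requires something; CPS declines to say how
        return "COVERED"


def _section_key(num: str):
    return tuple(int(p) for p in num.split("."))


def build_map(cp: str, cps: str) -> List[MapEntry]:
    """One row per CP section, in document order, paired with its CPS counterpart."""
    cp_sections, cps_sections = parse_sections(cp), parse_sections(cps)
    return [MapEntry(num, cp_sections[num], cps_sections.get(num))
            for num in sorted(cp_sections, key=_section_key)]


def gaps(cp: str, cps: str) -> List[MapEntry]:
    """The rows an auditor will ask about: everything not COVERED."""
    return [e for e in build_map(cp, cps) if e.status != "COVERED"]


def report(cp: str, cps: str) -> str:
    lines = [f"{'CP section':<10} {'status':<12} CPS evidence"]
    for e in build_map(cp, cps):
        evidence = "(none)" if e.cps_text is None else (e.cps_text[:50] or "(heading only)")
        lines.append(f"{e.section:<10} {e.status:<12} {evidence}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_CP, SAMPLE_CPS))
```

Run against the samples, the map marks 5.4.3 as UNADDRESSED (the CP sets a retention period, the CPS says "No stipulation") and 6.2.4 as MISSING (the CPS has no private key backup section at all). Both are exactly the findings that turn into audit exceptions when discovered during fieldwork rather than in a pre-audit pass; the same table, with a third column for the evidence file or log that proves each CPS claim, is a good skeleton for the 6-to-12-month evidence package the slide asks for.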

  7. What’s Next?
     • HSPD 12 credentials
     • Bridge-to-Bridge Cross Certifications, e.g. FBCA-Certipath
     • Federation Compliance
     • Registration Compliance
     • Commoditization

  8. Q&A
     Thank You
     Nathan Faut
     nfaut@kpmg.com
     202-533-4471
