Control Questions (include but are not limited to the following) | Results of Testing | Work Reference
1. SECURITY AND DATA INTEGRITY
1.1 Obtain:
i) the latest copy of its Security Profile and Operations Manual; and
ii) the date and version number of the above documents from Finance.
• Review these documents to check whether the version numbers and issuing dates are the same as those provided by Finance.
1.2 Obtain evidence of the Facility Security Officer's declaration of compliance with the policies and procedures for:
i) personnel security vetting to Level 1 – Negative Vetting for staff who have system access;
ii) physical security compliance with PSPF Physical Security requirements to SR1 standard;
iii) logical security compliance with the ISM; and
iv) compliance with the ANAO Better Practice Guide on Business Continuity Management;
as stated in the Self Assessment Questionnaire (F3 - 6.1).
1.3 If security policies and procedures have changed since Listing or the last Audit, as stated in the Self Assessment Questionnaire (F3 – 8.2), obtain evidence of:
• the Listed Organisation's submission to Finance for review; and
• subsequent approval from Finance.
1.4 If the amended policies and procedures have been submitted to Finance for review but have not yet been reviewed, note the date of submission and any reasons why they have not been approved.
1.5 Have the amended security policies and procedures been reviewed by an approved IT security assessor or by a Physical Security Evaluator? If yes, note the date of assessment and the name of the assessor/evaluator.
1.6 If applicable, since Listing or the last Audit, have there been instances of compromise, or suspected compromise, of data holdings (Self Assessment Questionnaire F3 - 6.3) that may threaten the integrity of the PKI?
1.7 Review evidence of the documentation and procedures used to deal with data management following any such compromise.
1.8 Determine that all EOI information collected (both electronic and paper), if applicable, is stored in accordance with the Gatekeeper EOI Policy.
1.9 Determine that the Validation Authority has processes in place to regularly document transactions of its customers.
1.10 Determine that the Validation Authority has been documenting transactions of its customers since the last Audit.
2. RISK MITIGATION
2.1 If the Validation Authority has conducted a TRA since Listing (Self Assessment Questionnaire F3 - 6.2), obtain evidence of when it was conducted and whether or not this has been communicated to Finance. If yes, note the date of communication.
2.2 Determine that any residual risk identified in the TRA has been accepted by the Validation Authority management.
2.3 Have all action items from the TRA review been implemented? Detail any that have not been actioned and the reasons for not actioning them.
2.4 If any action does not appear to have been implemented and reasons are not given, are they addressed as residual risks? Have they been approved and signed off by management?
2.5 Obtain evidence of the Validation Authority's risk mitigation strategies, if amended after Listing.
2.6 Obtain evidence of the communication to Finance of the Validation Authority's amended risk mitigation strategies, as stated in the Self Assessment Questionnaire (F3 – 8.4).
NOTE: Finance should be notified immediately if the Auditor determines that the Validation Authority is not complying with the documented risk mitigation strategies, especially with regard to the aggregation of EOI documentation.
3. MEMORANDUM OF UNDERSTANDING/DEED OF AGREEMENT
3.1 If the Self Assessment Questionnaire (F3 - 7.1) details that there has been a significant change in the ownership/management of the Listed Organisation, sight evidence of notification to Finance of the situation.
3.2 Check if the Agreement is presently assigned to the correctly designated organisation.
4. COMPLIANCE WITH PHYSICAL SECURITY FOR INTRUDER RESISTANT
4.1 If a review of the Physical Security has been conducted since Listing, obtain evidence that this review was declared by the Validation Authority's Facility Security Officer as complying with the Physical Security requirements for at least Intruder Resistant. Note the date of the review and when it was communicated to Finance.
4.2 If there were any action items raised in the last Physical Security review, determine whether they have all been actioned and completed. Detail any actions that do not appear to be resolved.
4.3 If the Self Assessment Questionnaire (9.4 and 9.5) stated that there were instances of compromise, or suspected compromise, of Physical Security and/or confidential information, sight evidence:
• that the consequent investigation process was carried out as required and the issue(s) have been resolved, along with any associated increase in security measures;
• that Finance was informed of the compromise; and
• that subsequent mitigation strategies are in place.
4.4 Determine, if applicable, that for off-site backups of confidential data:
• data tapes are secured prior to transport to the off-site location;
• the process allows only authorised people to access and retrieve the off-site backups; and
• there is an agreement in place with the off-site party to provide the required security controls over the data.
5. VETTED EMPLOYMENT PROFILES TO BASELINE VETTING
5.1 Obtain evidence that the registration process for vetting personnel who have access to data holdings and systems has been followed (Self Assessment Questionnaire F3 - 10.1).
5.2 Determine that vetting processes and procedures exist and are followed by persons handling EOI material. Consider procedures for:
• a police background check;
• continuous training/awareness sessions for persons conducting EOI; and
• a signed non-disclosure agreement between the Listed Organisation and its employees.
5.3 Review any security incidents which occurred during the year concerning vetted personnel and determine whether the actions were taken as prescribed.
5.5 Review lists of all staff with access to client data holdings. Determine whether they are all cleared to Baseline Vetting.
5.6 Obtain evidence that the logical access rights of personnel have been reviewed.
5.7 Determine if the formal change control process that exists is followed for employees who have had a change in circumstances that may affect their security clearance.
Note: where a VA holds personal information pertaining to Certificate Holders, it must submit a Privacy Management Strategy to Finance.
6. FACILITY SECURITY OFFICER (FSO)
6.1 Determine which person is nominated as FSO.
6.2 Determine whether his/her security vetting is still valid.
6.3 Determine whether he/she has had a change in circumstances since his/her vetting that may affect his/her security clearance.
6.5 If there has been a change in FSO since Listing or the last Audit, determine:
a) whether the new FSO has been properly informed of his/her duties and responsibilities; and
b) that the new FSO's security clearance is valid
(Reference Self Assessment Questionnaire F3 - 10.4).
6.6 If the Information Technology Security Manager (ITSM) is also performing the role of the FSO, determine whether the ITSM has been fully informed of the additional FSO duties and responsibilities; and that the ITSM's security.
7. DISASTER RECOVERY AND BUSINESS CONTINUITY PLAN
7.1 Sight the Validation Authority's disaster recovery and business continuity plan.
7.2 Obtain evidence that the DRBCP has been tested in accordance with the required timeframe and procedures (Self Assessment Questionnaire F3 - 12.1).
7.3 Sight documentation to determine that tests are conducted and documented and that issues identified have been resolved. Detail any that have not been resolved and the reasons why.
7.4 Does the Listed Organisation maintain an updated list of personnel responsible for operational and business continuity? If yes, when was the list last updated?
8. PRIVACY CONSIDERATIONS
8.1 Determine whether the Validation Authority (through its Privacy Management Strategy) adheres to the Privacy Act 1988 and has documented and described its processes and procedures relating to, as applicable:
• collection of identification information;
• how this information will be protected;
• types of information that are not considered confidential;
• policy on release of information to law enforcement officials;
• information that can be revealed as part of civil discovery;
• conditions under which the Listed Organisation may disclose upon the owner's request;
• who is entitled to be informed; and
• any other circumstances under which confidential information may be disclosed.
8.2 Note that the procedures established by the Validation Authority to notify users have been implemented and are operating as prescribed, in particular:
• IPPs or National Privacy Principles (NPPs) apply to protect personal information collected; and

Appendix G - References
1. ACSI 37 Australian Government Standards for the Protection of Technology Systems Processing Non-National Security Information at the Highly Protected Classification
2. ACSI 37 Certification Test Procedures for Information Systems Processing Highly Protected Data
3. ACSI 57 Use of Cryptographic Systems
4. AS 2201: Intruder Alarm Systems
5. AS 4539.2.1-2000 Information technology – Public Key Authentication Framework (PKAF) – Assurance framework – Certification Authorities
6. AS 4860-2007 Knowledge-based identity authentication – Recognizing known customers, July 2007
7. AS/NZS ISO/IEC 27001:2006 Information Technology – Security Techniques – Information Security Management Systems – Requirements
8. Australian Auditing Standard AUS 904 Engagements to Perform Agreed-Upon Procedures
9. Australian Auditing Standard AGS 1008 Audit Implications of Prudential Reporting Requirements for Authorised Deposit-Taking Institutions
10. Australian Government Information Security Manual – August 2011
11. Australian Government Protective Security Policy Framework – June 2010
12. Certification Authority Accreditation Criteria – February 2009
13. Certification Authority Operations Manual Review Criteria – February 2009
14. Commonwealth Protective Security Policy Framework Manual 2010
15. Defence Signals Directorate – Evaluated Products List
16. Financial Transaction Reports (FTR) Act 1988 – Identification Record for a Signatory to an Account
17. Gatekeeper – A strategy for public key technology 1998 & Changes to Gatekeeper – the Commonwealth's Strategy, March 2001
18. Gatekeeper Accreditation Head Agreement Template – September 2006
19. Gatekeeper Core Obligations Policy – February 2009
20. Gatekeeper Evidence of Identity Policy – February 2009
21. Gatekeeper Public Key Infrastructure Framework – February 2009
22. Gatekeeper Security Guide Book – February 2009
23. Gatekeeper X.509 Certificate and Certificate Revocation List (CRL) Profiles – September 2006
24. ISO 31000 Risk management – Principles and Guidelines
25. Known Customer Organisation Listing Requirements – February 2009
26. Privacy Act 1988 (Cth)
27. Registration Authority Accreditation Criteria – February 2009
28. Registration Authority Operations Manual Review Criteria – February 2009
29. RFC 3647 Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework
30. RFC 4210 Internet X.509 Public Key Infrastructure Certificate Management Protocol (CMP)
31. Telecommunications Act 1997 (Cth)
32. The American Institute of Certified Public Accountants / Canadian Institute of Chartered Accountants (AICPA/CICA) WebTrust for CAs program
33. Threat/Risk Organisation Listing Requirements – February 2009
34. Validation Authority Listing Requirements – December 2010