No | Sample Work Program for Key Management (Include but are not limited to the following) | Results of Testing | Work Reference
1 Review the process described in the Security Profile for Key Generation and determine if it is implemented and operating as prescribed. The Authorised Auditor should consider the following:
• sight evidence of "CA Key Signing Ceremony" witness statements that the CA Key generation and activation occurs within a secure cryptographic device, meeting the DSD EPL required Standard or otherwise deemed fit for purpose by DSD, and was conducted as required;
• that Keys are generated as defined using (n out of m) multi-person control;
• the Key Usage is as defined (the CA's signing Key is typically only used to sign Certificates and CRLs);
• key usage purposes are correctly entered (as per X.500 version 3 usage field);
• key life span for Keys issued is as defined;
• determine that Key generation uses a prescribed random number generator (RNG) or pseudo random number generator (PRNG) on the DSD Evaluated Product List (DSD EPL) or otherwise deemed fit for purpose by DSD;
• determine that Key generation uses (if required) a prescribed prime number generator on the DSD EPL or otherwise deemed fit for purpose by DSD;
• determine that Key generation uses a Key generation algorithm that adheres to the standards described in the Gatekeeper PKI Framework;
• key generation results in Key sizes as disclosed in the required CP(s)/CPS; and
• determine that the CA generates its own CA Key pair in the same cryptographic device in which it will be used, or the Key pair is injected directly from the device where it was generated into the device in which it will be used. If the Private Key is to be transmitted to a device other than the generation device, an online transfer method or equally secure non-electronic means has been used.
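The certificate-level checks in item 1 (Key Usage limited to signing Certificates and CRLs, Key size as disclosed in the CP/CPS, Key life span as defined) and the self-signed-Certificate integrity mechanism described in item 2 can be exercised mechanically against the CA's exported self-signed Certificate. The following Go program is an added example and is not part of the work program or of any Gatekeeper tooling. It generates a throwaway CA key pair in software purely to produce test data (a real CA generates inside the evaluated device), audits the resulting Certificate against a constructed policy (`ExamplePolicy`, with hypothetical minimum key sizes and a ten-year lifespan that are not Gatekeeper figures), and shows that a single modified byte in the distributed Certificate is caught by the self-signature check.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CAPolicy holds the parameters the CP/CPS is assumed to disclose.
// The values in ExamplePolicy are constructed for this example only.
type CAPolicy struct {
	MinRSABits    int
	MinECBits     int
	MaxLifespan   time.Duration
	RequiredUsage x509.KeyUsage
}

// ExamplePolicy is a hypothetical profile: CA key used only for certSign/cRLSign.
var ExamplePolicy = CAPolicy{
	MinRSABits:    2048,
	MinECBits:     256,
	MaxLifespan:   10 * 365 * 24 * time.Hour,
	RequiredUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
}

// GenerateSelfSignedCA creates a software P-256 key pair and a self-signed
// CA Certificate with the given validity period. It exists only to produce
// test data for the audit function below.
func GenerateSelfSignedCA(lifespan time.Duration) ([]byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Gatekeeper CA (constructed)"},
		NotBefore:             now,
		NotAfter:              now.Add(lifespan),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
}

// AuditCACertificate applies the item 1 and item 2 checks to a DER-encoded
// self-signed CA Certificate and returns one finding per failed check
// (an empty slice means every check passed).
func AuditCACertificate(der []byte, policy CAPolicy) []string {
	var findings []string
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return []string{"certificate does not parse: " + err.Error()}
	}
	// Self-signature check: any modification of the Public Key or other
	// signed fields during distribution invalidates the signature.
	if err := cert.CheckSignatureFrom(cert); err != nil {
		findings = append(findings, "self-signature does not verify: "+err.Error())
	}
	if !cert.IsCA {
		findings = append(findings, "basicConstraints does not mark the certificate as a CA")
	}
	// Key Usage must contain the signing purposes and nothing else.
	if cert.KeyUsage&policy.RequiredUsage != policy.RequiredUsage {
		findings = append(findings, "keyUsage lacks certSign/cRLSign")
	}
	if extra := cert.KeyUsage &^ policy.RequiredUsage; extra != 0 {
		findings = append(findings, fmt.Sprintf("keyUsage includes purposes beyond signing Certificates and CRLs: %#x", extra))
	}
	// Key size as disclosed in the CP/CPS.
	switch pub := cert.PublicKey.(type) {
	case *ecdsa.PublicKey:
		if pub.Curve.Params().BitSize < policy.MinECBits {
			findings = append(findings, fmt.Sprintf("EC key is %d bits, policy requires %d", pub.Curve.Params().BitSize, policy.MinECBits))
		}
	case *rsa.PublicKey:
		if pub.N.BitLen() < policy.MinRSABits {
			findings = append(findings, fmt.Sprintf("RSA key is %d bits, policy requires %d", pub.N.BitLen(), policy.MinRSABits))
		}
	default:
		findings = append(findings, "unexpected public key type")
	}
	// Key life span as defined.
	if cert.NotAfter.Sub(cert.NotBefore) > policy.MaxLifespan {
		findings = append(findings, "validity period exceeds the disclosed key life span")
	}
	return findings
}

// TamperWithCertificate flips one byte inside the encoded name to simulate
// modification in transit: the DER still parses, but the signature fails.
func TamperWithCertificate(der []byte) []byte {
	out := append([]byte(nil), der...)
	if i := bytes.Index(out, []byte("constructed")); i >= 0 {
		out[i] ^= 0x01 // 'c' becomes 'b', still a valid PrintableString
	}
	return out
}

func main() {
	der, err := GenerateSelfSignedCA(5 * 365 * 24 * time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine certificate findings:", AuditCACertificate(der, ExamplePolicy))
	fmt.Println("tampered certificate findings:", AuditCACertificate(TamperWithCertificate(der), ExamplePolicy))
}
```

The auditor would run the same checks against the Certificate actually handed to Relying Parties and compare the findings with the CP/CPS rather than against the constructed policy used here.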
2 Review the process described in the Security Profile for CA Public Key distribution and determine if it is implemented and operating as prescribed. The Authorised Auditor should consider in particular:
• if the CA's Public Key is to be delivered to the user, an online transfer method such as RFC 4210 (PKI Certificate Management Protocol) using evaluated products, or equally secure non-electronic means, is used;
• the CA provides a mechanism for detecting the modification of the CA's Public Key during the initial distribution process (for example, using a self-signed Certificate); and
• if the CA's Public Key is intended to be re-issued, the process is disclosed in the KMP to deliver the Key to parties in a similar secure method.
3 Review the process described in the Security Profile for CA Key Storage, Backup and Recovery and determine if it is implemented and operating as prescribed. The Authorised Auditor should consider in particular:
• determine that the CA's private signing Key is stored within a secure cryptographic device meeting the DSD EPL requirement or otherwise deemed fit for purpose by DSD;
• if the CA Private Key is exported from a secure cryptographic module and is moved to secure storage (for purposes of offline processing or backup and recovery), determine that the Private Key is exported under an approved secure Key management scheme;
• determine that the CA Private Key is backed up, stored and may be recovered by authorised personnel with dual (or greater) access authentication;
• determine that if the CA Private Key is backed up, backup copies of the CA Private Keys are subject to the same or greater level of security controls as Keys currently in use;
• determine that if the CA's private signing Key is backed up, recovery of the CA Private Key is conducted in the same secure schema used in the backup process, using at a minimum dual control; and
• review back-up recovery tests conducted by the CA for completeness.
4 Review the process described in the Security Profile for Key escrow (if service provided) and determine if it is implemented and operating as prescribed. The Authorised Auditor should consider in particular:
• the KMP contains the security processes and controls required to perform this task;
• the form and agent by which Keys are escrowed;
• if an external party provides CA Private Key escrow services, determine that a contract outlining the liabilities and remedies between the parties exists; and
• if the CA private signing Key is held in escrow, determine that escrowed copies of the CA private signing Keys are subject to the same or greater level of security controls as Keys currently in use.
5 Review the process described in the Security Profile for Key Destruction and determine if it is implemented and operating as prescribed. The Authorised Auditor should consider in particular:
• identification of the position responsible for destroying Private Keys;
• how the method for destruction of Keys (on any associated cryptographic device) is achieved, including how they are cleared from memory (including all copies and fragments) and made irrecoverable on any storage media at the end of the Key pair life cycle;
• review records of any previous CA Key destruction and sight evidence that processes are correctly followed; and
• if a CA cryptographic device case is intended to provide tamper-evident characteristics and the device is being permanently removed from service, that the associated case is also destroyed.
6 Review the process described in the Security Profile for Key Archival and determine if it is implemented and operating as prescribed. The Authorised Auditor should consider in particular:
• if Private Key archives are held, they are protected at a level at least equivalent to the primary key;
• the processes and security controls required to perform archival;
• the identity of the archival agent and the form in which Keys are archived;
• that archived Keys are recovered for the shortest time period technically permissible; and
• that archived Keys are periodically verified to check that they are properly destroyed at the end of the archive period.
7 Review the process described in the Security Profile for Subscriber Key Management Services (if service provided) and determine if it is implemented and operating as prescribed. The Authorised Auditor should:
• determine that the Key Generation controls for end entities are applied as per question (1) above;
• determine that if the Private Key or Public Key is to be transmitted to/from an end entity or Certificate Issuer, an online transfer method such as RFC 4210 (PKI Certificate Management Protocol), or equally secure non-electronic means, is used;
• determine that the KMP method of activating the Private Key, and the details of the position(s) responsible for activating or using Private Keys, are defined and achieved;
• determine that Public Key archival, storage or destruction (if service offered) is defined within the KMP and followed; and
• consider whether usage periods for the public and private Keys are of the required length.
8 Review all other processes described in the Security Profile and determine if they are implemented and operating as prescribed. The Authorised Auditor should consider in particular:
• the standard for the cryptographic storage module is the DSD EPL or otherwise deemed fit for purpose by DSD (reference ACSI 57 Use of Cryptographic Systems);
• that the parameter quality checking process has been certified; and
• activation data generation, installation and protection. (Activation data refers to data values other than Keys that are required to operate cryptographic modules and that need to be protected. Protection of activation data potentially needs to be considered for the issuing CA, subject CAs, RAs and end entities.)
Appendix C – GCAP for Gatekeeper accredited Registration Authorities
C.1 Overview
The Table below details the accreditation Criteria applicable to Gatekeeper Accredited RAs. For further details on the Criteria, refer to Registration Authority Accreditation Criteria available at gatekeeper.gov.au.
Documentation/Criteria
SEC1 Security Profile document will include the following:
i) Protective Security Risk Review
ii) Security Policy
iii) Protective Security Plan
OPS1 Operations Manual
Disaster Recovery and Business Continuity Plan
PP1 ICT Multi User List
PHY1A Compliance with Physical Security to Intruder Resistant
PER1A Vetted employment profiles to "Baseline Vetting"
C.2 Instructions to the Authorised Auditor
This GCAP RA work program is for use by appointed GCAP Authorised Auditors to facilitate their professional assessment of a Service Provider's compliance with the Gatekeeper Criteria, Policies and Approved Documents.
The Program comprises both “Compliance” questions and fundamental “Audit” control questions based on Gatekeeper accreditation Criteria and Policies. It may also be comparable with some WebTrust Program Controls.
The GCAP work program should be used in conjunction with the Self Assessment Questionnaire and Approved Documents. Applicable Australian and Industry Standards may also be used as reference documents.
Each question specifies where the Authorised Auditor may consider prior work, provided that the conditions stipulated in Section 7.5 - GCAP Procedure for use of WebTrust audit work - are met and supporting procedures are followed. In answering the questions the Authorised Auditor is required to: