GATEKEEPER COMPLIANCE AUDIT PROGRAM


© Commonwealth of Australia 2011

All material presented in this publication is provided under a Creative Commons Attribution 3.0 Australia (http://creativecommons.org/licenses/by/3.0/au/deed.en) licence.

For the avoidance of doubt, this means this licence only applies to material as set out in this document.

Licence: This document is licensed under a Creative Commons Attribution Non-Commercial No Derivs 3.0 licence.

The details of the relevant licence conditions are available on the Creative Commons website (accessible using the links provided) as is the full legal code for the CC BY 3.0 AU licence (http://creativecommons.org/licenses/by/3.0/legalcode).

Use of the Coat of Arms

The terms under which the Coat of Arms can be used are detailed on the It's an Honour (http://www.itsanhonour.gov.au/coat-arms/index.cfm) website.

Contact:
Assistant Secretary
Cyber Security and ICT Skills Branch
Department of Finance and Deregulation
John Gorton Building
King Edward Terrace
Parkes ACT 2600


Contents

1. Introduction ... 5
2. Objectives ... 5
2.1 Scope ... 5
2.2 WebTrust audit program ... 5
3. Terminology ... 6
4. GCAP Document Structure ... 7
5. Changes to the GCAP ... 7
6. Background ... 7
6.1 Gatekeeper Public Key Infrastructure Framework ... 7
6.2 Categories of Gatekeeper Certificates ... 8
6.3 The Gatekeeper Marketplace ... 8
6.4 Audit Requirement for Gatekeeper accredited/recognised Service Providers ... 8
6.4.1 Head Agreement/Memorandum of Agreement ... 9
6.4.2 Approved Certificate Policy and Certification Practice Statement ... 9
6.4.3 Other standards ... 9
6.5 Audit Requirements for Gatekeeper Listed Organisations ... 9
6.5.1 Deed of Agreement/Memorandum of Understanding ... 9
7. GCAP Procedures ... 9
7.1 GCAP Decision-Making Procedures ... 10
Figure 1: Audit process for GCAP for Service Providers ... 10
7.2 GCAP Audit Engagement Procedure ... 10
7.3 GCAP Reporting Procedure ... 11
7.4 Audit Report Review ... 12
7.5 GCAP Procedure for use of WebTrust audit work ... 12
7.5.1 Considering Work Conducted on another Service Provider ... 13
7.5.2 Considering Work Programs - Additional Procedures ... 13
Appendix A - Self Assessment Questionnaire for Gatekeeper accredited/recognised Service Providers ... 14
A.1 Overview ... 14
A.2 Instructions to the Gatekeeper accredited/recognised Service Provider ... 14
A.3 Self Assessment Questionnaire for Gatekeeper Accredited/Recognised Service Providers ... 15
Appendix B - GCAP for Gatekeeper accredited/recognised Certification Authorities ... 22
B.1 Overview ... 22
B.2 Instructions to the Authorised Auditor ... 23
B.3 GCAP CA Control Questions ... 24
B.4 KMP Sample Work Program ... 45
Appendix C - GCAP for Gatekeeper accredited Registration Authorities ... 50
C.1 Overview ... 50
C.2 Instructions to the Authorised Auditor ... 50
C.3 GCAP RA Control Questions ... 51
Appendix D - Self Assessment Questionnaire for Gatekeeper Listed Organisations ... 68
D.1 Overview ... 68
D.2 Instructions to the Listed Organisation ... 68
D.3 Self Assessment Questionnaire for Known Customer Organisations (KCOs) and Threat and Risk Organisations (TROs) ... 69
D.4 Self Assessment Questionnaire for Validation Authorities ... 76
Appendix E - GCAP for Known Customer and Threat and Risk Organisations ... 83
E.1 Overview ... 83
E.2 Instructions to the Authorised Auditor ... 84
E.3 GCAP Known Customer and Threat and Risk Organisations' Control Questions ... 85
Appendix F - GCAP for Validation Authorities ... 91
F.1 Overview ... 91
F.2 Instructions to the Authorised Auditor ... 91
F.3 GCAP Validation Authority Control Questions ... 92


1. Introduction

Under the Gatekeeper Public Key Infrastructure Framework, annual compliance audits remain a condition of Gatekeeper accreditation and recognition. In accordance with clause 11 of the Gatekeeper Head Agreement/Memorandum of Agreement, the Department of Finance and Deregulation (Finance) requires that Authorised Auditors conduct an annual audit of Service Providers' compliance with the Gatekeeper Framework. Finance requires that Listed Organisations also undergo an external compliance audit in accordance with Gatekeeper Listing Requirements [1]. The Gatekeeper Compliance Audit Program (GCAP) provides guidance to Auditors on the scope and conduct of the assessment required under Gatekeeper. The GCAP applies to:

• Gatekeeper accredited/recognised Certification Authorities (CAs)
• Gatekeeper accredited Registration Authorities (RAs)
• Gatekeeper Listed Organisations - Known Customer Organisations; Threat and Risk Organisations; and Validation Authorities.

2. Objectives

The primary objective of the GCAP is to provide a work program to assist Service Providers in meeting the external Audit requirement stipulated in the Gatekeeper Head Agreement/Memorandum of Understanding/Deed of Agreement. The work program in the Appendices outlines the various procedures that form the scope of the Audit.

2.1 Scope

The scope of the GCAP includes Gatekeeper compliance process checks as well as fundamental Audit control checks. These checks are based on:

• the Gatekeeper Framework under which the Service Providers are accredited/recognised;
• Gatekeeper Listing Requirements under which the Known Customer Organisations, Threat and Risk Organisations and Validation Authorities are Listed; and
• industry and Australian standards.

2.2 WebTrust audit program

Service Providers that have completed, or are considering, a WebTrust audit program are required to provide status reports to the Auditor.

[1] Gatekeeper accredited/recognised Service Providers are required to choose an Auditor from the Gatekeeper Audit Panel listed at

An Auditor may consider WebTrust audit work that has been completed and avoid duplication of audit work. The GCAP ensures it is able to incorporate WebTrust audit work that may have been undertaken within the past six months.

Incorporating previous Audit work by the Auditor provides two benefits to Service Providers:

• reduced expenditure on external Audit requirements; and
• reduced interruption to operations when Audits occur.

In the event that a Service Provider has not conducted or completed an external Audit program, the Authorised Auditor will conduct the GCAP as a full Audit with all applicable control tests.

The GCAP does not unequivocally accept a WebTrust Audit as sufficient to meet the external Audit requirements for Gatekeeper. Rather, the "modular" structure of the GCAP allows, where possible, work programs conducted under WebTrust to be used as a substitute for parts of the GCAP work program. This is conditional on the Auditor being satisfied that the WebTrust work program provides adequate assurance within the constraints of the GCAP.

3. Terminology

In conducting a GCAP, the Authorised Auditor should have a high degree of competence in PKI and knowledge of Gatekeeper Policies and Criteria. Terms used in the GCAP are available at www.gatekeeper.gov.au. Note the following terms:

Audit only refers to the external Audit process, unless explicitly stated otherwise. While the terms "Audit" and "external Audit" are used extensively, they are used in a generic sense in accordance with their meaning in the Australian Auditing Standards (AAS). The importance of this statement relates to the fact that an external Auditor's opinion in accordance with AAS is not being sought as a result of conducting the GCAP.

Authorised Auditor refers solely to an Auditor who is listed on Finance's Audit Panel to conduct a GCAP, unless explicitly stated otherwise.

CA refers solely to a Gatekeeper Accredited/Recognised Certification Authority; it does not refer to a Chartered Accountant, unless explicitly stated otherwise.

Service Provider refers solely to a Gatekeeper Accredited/Recognised CA, RA, and Gatekeeper Listed Organisations, unless explicitly stated otherwise.

For information relating to other terms, abbreviation and acronyms contained in this document, refer to the Gatekeeper Glossary at www.gatekeeper.gov.au.


4. GCAP Document Structure

The first part of this GCAP document contains:

• information and background for Auditors;
• criteria for using WebTrust Audit work; and
• processes for a Service Provider to engage an Auditor to conduct a GCAP.

The second part of this GCAP document contains the following Appendices:

• Self-Assessment Questionnaire for the Service Provider;
• GCAP work program for the Auditor; and
• other relevant information.

5. Changes to the GCAP

Finance is responsible for ensuring the applicability and currency of this GCAP document, particularly in light of any changes to the following:

• Gatekeeper Head Agreement/Memorandum of Agreement
• Criteria for Accreditation of Certification Authorities
• Criteria for Accreditation of Registration Authorities
• Listing Requirements for Known Customer Organisations (KCOs)
• Listing Requirements for Threat and Risk Organisations (TROs)
• Listing Requirements for Validation Authorities (VAs); and
• Deed of Agreement/Memorandum of Understanding for KCOs, TROs, and VAs.

To check the currency of this program, contact the Director, Authentication and Identity Management, at [email protected].

Service Providers will be notified of changes to the GCAP document. If a change is deemed to be significant, the review process may incorporate a consultative approach with all relevant stakeholders.

6. Background

6.1 Gatekeeper Public Key Infrastructure Framework

The Gatekeeper PKI Framework:

• facilitates the deployment of a broader range of Digital Certificates designed to meet specific business requirements of agencies and their clients;
• facilitates increased use of PKI by both business and the broader community through reducing the cost and complexity of producing, acquiring and using Digital Certificates; and
• fosters a competitive market for Digital Certificates.

6.2 Categories of Gatekeeper Certificates

The Framework comprises three categories of Digital Certificates – Special, General and High Assurance - for Individuals and Organisations.

The Framework is characterised by flexibility in Evidence of Identity (EOI) requirements and the ability of Relying Parties to readily distinguish between EOI models and EOI assurance levels within those models. Digital Certificates issued under the Framework will be X.509 compliant.

6.3 The Gatekeeper Marketplace

The Gatekeeper marketplace is a unique environment covering a number of PKI domains that provide services from different vendors and organisations. At present, the Australian Gatekeeper marketplace consists of:

• three organisations accredited as both CA and RA - Australian Taxation Office, VeriSign Australia and the Department of Defence;
• two organisations accredited as CA - Verizon Australia Pty Ltd and Medicare Australia;
• one organisation accredited as RA - Australia Post;
• one organisation accredited as RA and recognised as a CA (for issuance of IdenTrust digital certificates) - ANZ Bank;
• one organisation listed as a Validation Authority - Department of Innovation, Industry, Science and Resources; and
• one organisation listed as a Relationship Organisation - Medicare Australia.

6.4 Audit Requirement for Gatekeeper accredited/recognised Service Providers

At the conclusion of the Gatekeeper accreditation/recognition process, Service Providers are required to sign a Gatekeeper Head Agreement (HA)/Memorandum of Agreement (MOA) with the Commonwealth of Australia (represented by Finance). The HA/MOA requires that the Service Provider maintains compliance with the Gatekeeper Framework and the terms of its Gatekeeper accreditation/recognition as set out in its Approved Documents. One condition for maintaining Gatekeeper accreditation is that an annual external Compliance Audit be conducted by qualified Information Technology Auditors authorised by Finance as listed on the Gatekeeper Audit Panel at gatekeeper.gov.au.


6.4.1 Head Agreement/Memorandum of Agreement

The Gatekeeper Head Agreement specifies under sub-clause 11.1:

Finance requires an Audit to be conducted by an Authorised Auditor of the Service Provider's compliance with the Accreditation Policies and Criteria, and Approved Documents.

6.4.2 Approved Certificate Policy and Certification Practice Statement

The Approved Certificate Policies (CPs) and Certification Practices Statement (CPS) of each Gatekeeper accredited/recognised Service Provider also stipulate the need for an external Audit to be conducted.

6.4.3 Other standards

Section 8 of AS 4539.2.1-2000: Information Technology - Public Key Authentication Framework (PKAF) - Assurance Framework - Certification Authorities requires a continuous external Audit to be determined by the accreditation body.

6.5 Audit Requirements for Gatekeeper Listed Organisations

A Gatekeeper Listed Organisation, except Relationship Organisations, is required to undergo an annual compliance audit of its operations against the Listed Organisation's operational security and privacy criteria. Listed Organisations may select any suitably qualified auditor, including from the Gatekeeper Audit Panel.

6.5.1 Deed of Agreement/Memorandum of Understanding

The Gatekeeper Deed of Agreement specifies under sub-clause 9.1:

Finance requires an annual compliance audit to be conducted by a suitably qualified independent auditor (for example, a member of the Gatekeeper Audit Panel) of the Listed Organisation's operational security and privacy criteria.

7. GCAP Procedures

The GCAP provides a set of procedures for Auditors to follow when they conduct an Audit of Service Providers.

The GCAP provides guidance on how an Auditor can use previously conducted work programs and reduce the possibility of unnecessary re-work. The GCAP is not a substitute for the individual Auditor's professional judgment in determining the Service Provider's overall compliance. Depending upon the results of the GCAP, additional Audit procedures may be required.


7.1 GCAP Decision-Making Procedures

Figure 1 shows the major decision points that an Auditor may consider when planning the Audit of a Service Provider's PKI operations. This will help Auditors determine the best way to conduct the GCAP. It should be used as a guide when deciding whether to consider prior work performed, along with the criteria specified in Section 7.5 GCAP Procedure for use of WebTrust audit work.

If the Auditor chooses not to use Audit work programs that have been conducted within the past six-month time frame, then the full GCAP should be applied as set out in the Appendices.

Figure 1: Audit process for GCAP for Service Providers

7.2 GCAP Audit Engagement Procedure

Service Providers may follow the following procedures before engaging an Auditor:

• the Gatekeeper accredited/recognised Service Provider completes the Self Assessment Questionnaire at Appendix A, and the Gatekeeper Listed Organisation completes the Self Assessment Questionnaire at Appendix D;
  - the Self Assessment Questionnaire assists the Auditor to make an assessment of previously conducted work, the amount of work required to complete the GCAP and whether a full GCAP is required.

Figure 1 (flowchart, rendered as text): Commence GCAP. Decision 1: Has a WebTrust audit been conducted within the last six months or in the process of being conducted? NO: conduct full GCAP. YES: Decision 2: Does/would the WebTrust audit cover Gatekeeper operations? NO: conduct full GCAP. YES: conduct MODULAR GCAP using previous work where ...

• the Gatekeeper accredited/recognised Service Provider sends the completed Self-Assessment Questionnaire with its Request for Tender (RFT) for external Audit to Authorised Auditors listed on the Gatekeeper Audit Panel at www.gatekeeper.gov.au; Listed Organisations may send completed Self Assessment Questionnaires either to Authorised Auditors or to any qualified IT Auditors of their choice;
• Auditors may use the completed Self-Assessment Questionnaire to assist in drafting their responses to the RFT; and
• the Service Provider reviews the responses to the RFT and informs the successful Auditor and the Gatekeeper Competent Authority of its decision.

Upon appointment, the chosen Auditor:

• formalises a contract with the Service Provider to conduct the Audit;
• performs the GCAP as proposed; and
• reports its findings to the Gatekeeper Competent Authority, the Service Provider and any other parties agreed to between the Auditor and the Service Provider.

7.3 GCAP Reporting Procedure

Upon completion of the GCAP, the Auditor will issue a final Audit Report to the Gatekeeper Competent Authority, the Service Provider and any other entities agreed to in the GCAP Audit engagement contract. Unless otherwise specified in the GCAP contract, Audit Reports are considered to be sensitive commercial information and should be treated with the required level of security controls for their protection.

The Auditor's report should detail the work conducted, as well as the outcomes of required testing. It will identify any adverse issues, areas of non-compliance or queries that are not resolved to the satisfaction of the Auditor and will also include associated recommendations from the Auditor. The Auditor is not required to provide a formal Audit opinion on the work performed in accordance with Australian Auditing Standards. The Auditor may wish to base its reporting framework on AUS 904 Engagements to Perform Agreed-upon Procedures. The Auditor may also consider AGS 1008 - Audit Implications of Prudential Reporting Requirements for Authorised Deposit-Taking Institutions as a possible reporting framework. The Auditor should note that AGS 1008 uses AUS 904 as a framework for reporting.

When reporting issues, possible compromises and/or failures, the Auditor may, as applicable, wish to make reference to the categories defined within Australian Standard AS 4539.2.1-2000 - Assurance framework for Certification Authorities, Section 7; as well as sub-clause 11.4 of the Head Agreement/Memorandum of Agreement between Finance and the Service Provider.

The Auditor will immediately notify the Service Provider and the Gatekeeper Competent Authority of issues that are considered to represent a failure or significant compromise of the Service Provider's operations.

Auditors should note the following:

• In performing the GCAP, the Auditor's Report will be a "long-form" report detailing the findings resulting from carrying out the prescribed work procedures. Findings that should be reported include potential control and procedural weaknesses.
• Finance does not require an audit opinion in accordance with Australian Auditing Standards. It is envisaged that the Auditor's reporting will be largely based on AUS 904 - Engagement to Perform Agreed-upon Procedures.

7.4 Audit Report Review

The specific process for dealing with final Audit Report findings is contained within each Service Provider's Gatekeeper Head Agreement/Memorandum of Understanding/Agreement.

Finance will review the findings and Report from the Auditor and will subsequently issue either a:

• statement to the Service Provider advising that its Gatekeeper Accreditation/Recognition or Listing will be maintained; or
• notice (whether it is a major or minor non-compliance) to the Service Provider specifying any adverse Audit findings and the required remedial actions that will enable the Service Provider to maintain its Gatekeeper accreditation/recognition or Listing (this may also require an additional Audit).

7.5 GCAP Procedure for use of WebTrust audit work

The Auditor selected by the Service Provider has discretion in deciding whether to use prior work as part of the GCAP process. It is important that the Auditor performs quality assurance procedures so that the GCAP Audit Report is adequately supported.

The Auditor may only consider work programs conducted as part of a WebTrust Audit Program. The current market has indicated that WebTrust is the most common program for external CA Audits. Accordingly, Finance has decided that GCAP does not warrant the inclusion of additional Audit programs.

The WebTrust program includes appropriate continuous control checking procedures that may provide a framework for the Auditor to follow.

The Auditor is responsible for the conduct of the GCAP in all situations.

Under the GCAP, Auditors can only consider prior audit work if it has been undertaken within the past six months.

The final report from the Auditor will indicate if prior Audit work has been taken into consideration and the reasons for the decision.

The following conditions apply when considering prior work:

• an Auditor may choose not to consider previous work done and therefore conduct a full GCAP. The Auditor and the Service Provider will discuss and agree to the factors contributing to this assessment;
  - the Auditor may decide to conduct a full Audit if prior work is deemed to be insufficient, work papers are not available, or there is a lack of evidence on the nature of the work undertaken;
• the beginning of the permitted six month period is the completion date of the "actual" individual work program conducted, not the date on which the final Audit report was issued;
  - preparation of final Audit Reports can take time, especially if re-assessment of certain areas is required. The GCAP only requires that the entire work-program be conducted to a satisfactory outcome.

The Auditor has the final responsibility in deciding whether prior work will be considered for inclusion. Auditors should be aware that some Service Providers may wish to request an early Gatekeeper Audit to co-ordinate with WebTrust audit activities underway in their organisation. It is beneficial for the Service Provider to request the GCAP to be performed within three months after completion of their external audit.

7.5.1 Considering Work Conducted on another Service Provider

Where Service Providers use the services or facilities of another Gatekeeper accredited entity (who may not be subject to an Audit at the specific time), GCAP sets the following additional conditions:

• the other entity must be Gatekeeper Accredited and provide the service to the Service Provider who is required to undergo the GCAP;
• the constraints of the work program and timing must relate to the specific Service Provider that provides the services; and
• the other Service Provider must also maintain its Gatekeeper accreditation throughout the conduct of the Service Provider's GCAP.

These provisions have been included for situations where a CA may be outsourcing some of its management by using the facilities of another Gatekeeper Accredited CA, or where a CA may be outsourcing its RA operations to another Gatekeeper Accredited Service Provider.

7.5.2 Considering Work Programs - Additional Procedures

When a decision has been made to use work from a WebTrust Audit of a Service Provider, or to use work or controls conducted on another Service Provider, the Auditor must ensure that the decision is adequately supported.

In addition to the Auditor's Audit procedures, GCAP requires the Auditor to:

• review relevant communication with Finance and Gatekeeper Evaluators to determine that:
  - nothing has changed in the area that the work was based upon; and
  - there are no outstanding or pending issues that may affect the area on which that work was based.
• if there are changes to the area that would lessen the security or increase the risk of adverse effects, the Auditor should not consider using the prior work.

Appendix A - Self Assessment Questionnaire for Gatekeeper accredited/recognised Service Providers

A.1 Overview

The Self Assessment Questionnaire assists Auditors to assess the nature and extent of audit required for the Service Provider.

The Questionnaire facilitates the collection of information necessary to understand the current environment in which the Service Provider operates and any implemented changes.

The information also enables the Auditor to consider whether a Modular approach may be proposed under the GCAP, allowing previous work to be taken into account. The Self Assessment Questionnaire will then form part of the supporting work papers for the GCAP carried out by the Auditor.

There is a requirement to perform an on-site Audit to review and test the Service Provider's established operations and controls.

A.2 Instructions to the Gatekeeper accredited/recognised Service Provider

The Service Provider is required to respond to the majority of the Self Assessment questions with a 'Yes' or 'No'. There are also a number of questions that require the Service Provider to enter written details.

All information provided by the Service Provider will be taken as a management representation and deemed to be accurate by the Auditor.

All responses provided by the Service Provider will be taken as a representation of their activities, which can be subject to testing during on-site visits.


A.3 Self Assessment Questionnaire for Gatekeeper Accredited/

Recognised Service Providers

No

Self Assessment Questions

1.

GENERAL BACKGROUND

NOTES

1.1 Name of Service Provider 1.2 Type of Service (CA, RA)

1.3 Location/URL of Approved CPs and CPS

1.4 Date of Gatekeeper accreditation/recognition and the latest variation 1.5 Do you remain compliant with the latest Gatekeeper Accreditation

Criteria and Policies? If No, provide details.

YES NO

2.

PRIOR AUDITS

NOTES

2.1 Has a WebTrust Audit been conducted on your operations within the

last year? YES NO

2.2 Did the scope of the WebTrust Audit cover your Gatekeeper operations?

If No, what did the Audit cover?

YES NO

2.3 What date was the WebTrust Audit signed off? 2.4 2

. 4

When do your WebTrust “Updates” occur?

2.4 Who was the Auditor who conducted the WebTrust Audit? 2.5 Are the work papers used available for release to your eventual

GCAP Auditor? YES NO

NOTE: Questions 3.4 to 3.6 only apply if you outsource your facilities, management or operations to another Gatekeeper Accredited Service Provider (i.e. if the answer to 3.1 or 3.2 is NO or 3.3 is Yes)

3.

RELATIONSHIPS

3

NOTES

3.1 Is your Gatekeeper related operations entirely located in your own facilities?

If No, please state where they are located

YES NO

3.2 Is your operation entirely managed and operated by your own personnel?

If No, please state the name of the Gatekeeper Accredited Service Provider you use and which aspects of your activities are

managed/operated by this organisation.

YES NO

3.3 Are you reliant on another Service Provider‟s Certification Practice Statement?

If Yes, please specify the name of the Service Provider, its location and the reason for using this CPS.

YES NO

(16)

4.

BUSINESS MODEL

NOTES

4.1 Have there been changes to your business model since the version set out in your Head Agreement/Memorandum of Agreement?

If Yes, please provide details.

YES NO

5.

INTERNAL AUDIT COMPLIANCE

NOTES

5.1 Are procedures in place to check that internal Audits are performed in

accordance with the Operations Manual and the Security Profile? YES NO

5.2 Has an internal compliance audit been conducted within the last 12

months?

If yes, please state the date of Audit?

YES NO

5.3 Did the findings of this internal Audit highlight any deficiencies?

If Yes, please detail their status.

YES NO If Yes:

i) who was the auditor?

ii) when was the Audit conducted?

3.5 If applicable, did the scope of the other Service Provider‟s external

WebTrust Audit cover your Gatekeeper operations? YES NO 3.6 Please specify if any issues were identified.

6. CA OBLIGATIONS

NOTES

6.1 Do you continue to maintain an up-to-date list of all revoked

certificates? YES NO

6.2 Do you continue to make available this list to all Relying Parties? YES NO 6.3 If you are issuing certificates to ROs, do you make the list of revoked

certificates available to those Agencies participating in the defined Community of Interest?

YES NO

6.4 Since your accreditation/recognition or last Audit, have there been

instances of compromise, or suspected compromise of Keys and Certificates belonging to the CA or its operational staff or systems that may threaten the integrity of your PKI?

If Yes, did you initiate Certificate revocation or suspension (if service provided) following the compromise?

YES NO

YES NO

7.

RA OBLIGATIONS

NOTES

7.1 Are procedures in place to check that your operations conform to the

practices described in the CA‟s CPS? YES NO 7.2 Are procedures in place to check that you provide your customers

with copies of other documentation required? (e.g. Subscriber Agreement)?

(17)

8.

CERTIFICATION PRACTICE STATEMENT MANAGEMENT

NOTES

8.1

Since your accreditation/recognition or last Audit, has the

management group undertaken a review of business risks, security requirements and operational procedures?

Did the outcome of the review warrant a change in your practices/procedures or your CPS?

YES NO

YES NO

8.2

Has your CPS changed since accreditation/recognition or last Audit? If Yes:

i) has Finance approved the changes?

ii) if yes, state the date when Finance approved the changes.

YES NO

YES NO Date:

9.

CERTIFICATE POLICY MANAGEMENT

NOTES

9.1 What types of Certificates do you provide?

9.2 Do you maintain a management group with the final authority and responsibility for your CP(s) (e.g. Policy Approval Authority or Policy Management Authority)?

YES NO

9.3 Has any of your CP(s) changed since your accreditation or last Audit?

If Yes, have you submitted the amended CP(s) to Finance for re-evaluation?

If Yes:

i) has Finance approved the changes?

ii) if yes, state the date when Finance approved the changes.

YES NO

YES NO Date:

If No, do you advise customers how to obtain these documents? YES NO 7.3 Are the minimum EOI requirements for end-entities still in

accordance with the Gatekeeper EOI Policy? YES NO 7.4 Do your procedures and processes for collection and storage of

personal information still comply with the requirements of the Approved Documents?

YES NO

7.5 Since accreditation, has there been instances of compromise, or suspected compromise of data holdings that may threaten the integrity of the PKI?

YES NO

7.6 Has there been any change to the procedures that you use for conducting EOI?

If Yes, please provide details.

(18)

10. DISASTER RECOVERY AND BUSINESS CONTINUITY PLAN

NOTES

10.1 Has your Disaster Recovery and Business Continuity Plan (DRBCP)

been reviewed in accordance with its set timeframe? YES NO 10.2 Were there any negative/deficient results from the test procedures?

If Yes, please detail the outcomes of required actions.

YES NO

10.3 Are agreements with external service providers in relation to the

DRBCP current? YES NO

10.4 Have you trained all employees under the provisions of the DRBCP? YES NO 10.5 Has your DRBCP been changed since your accreditation or last

Audit?

If Yes, have you submitted the amended DRBCP to Finance for re-evaluation?

If Yes

i) has Finance approved the changes?

ii) if yes, state the date when Finance approved the changes.

YES NO

YES NO

YES NO Date:

11. SUBSCRIBER AGREEMENT/RELYING PARTY AGREEMENT

NOTES

11.1 Do the procedures you have put in place enable Subscribers and Relying Parties to have a good understanding of their responsibilities and obligations (e.g. providing accurate information; safeguarding their Private Keys; CRL checking)? YES NO

11.2 Do you notify Agencies, Subscribers, or other parties as required in regard to liability arrangements? YES NO

11.3 Have you amended your CPS or CP(s) since your accreditation/recognition or last Audit? YES NO

If Yes, have you reviewed the Subscriber Agreement/Relying Party Agreement to ensure that the changes have been incorporated? YES NO

If Yes:

i) has Finance approved these changes? YES NO

ii) if yes, state the date when Finance approved the changes. Date:


12 LEGAL REQUIREMENTS

NOTES

12.1 Since your Accreditation/Recognition or last Audit, has there been any change in the ownership / management of your organisation that may impact your Gatekeeper Accreditation/ Recognition status? YES NO

If Yes, please provide details.

13 SECURITY PROFILE [comprises protective security risk review, Threat/Risk Assessment (TRA), protective security plan and policy; and Key Management Plan (KMP)]

NOTES

13.1 How often are your security policies, procedures and practices reviewed?

When was the last review done?

13.2 Have there been changes to your security policies and procedures since your accreditation/recognition or last Audit? YES NO

If Yes, have you submitted the amended Security Profile to Finance for re-evaluation? YES NO

If yes:

i) has Finance approved the changes? YES NO

ii) if yes, state the date when Finance approved the changes. Date:

13.3 How often do you conduct a TRA? When was this last done?

13.4 Have there been changes to your TRA since your Accreditation/Recognition or last Audit? YES NO

If Yes, have you submitted the amended TRA to Finance for re-evaluation? YES NO

If Yes:

i) has Finance approved the changes? YES NO

ii) if yes, state the date when Finance approved the changes. Date:

13.5 Does the Security Profile address the issue of residual risk? YES NO

If Yes, has residual risk been accepted and signed-off by management? YES NO

13.6 How often do you conduct a review of your KMP? Specify when this was last done.

13.7 Have there been changes to your KMP since your Accreditation/Recognition or last Audit? YES NO

If Yes, have you submitted the amended KMP to Finance for re-evaluation? YES NO

If Yes:

i) has Finance approved the changes? YES NO

ii) if yes, state the date when Finance approved the changes. Date:


14 PHYSICAL SECURITY

NOTES

14.1 Have there been changes to physical security since your accreditation/recognition or last Audit? YES NO

If Yes, have you notified Finance? YES NO

14.2 When was the last time a security assessment of your facility was conducted?

14.3 Are there any contracts with an external Security Guard company? YES NO

14.4 Since your accreditation/recognition or last Audit, have there been instances of compromise, or suspected compromise, of the Physical Security of your establishment? YES NO

If Yes, please include details of the following:

Was the investigation process carried out in accordance with the Approved Documents? YES NO

Was the investigation and resolution documented? YES NO

14.5 Since your accreditation/recognition or last Audit, have there been instances of compromise, or suspected compromise, of confidential information? YES NO

If Yes, please include details of the following:

Was the investigation process carried out in accordance with the Approved Documents? YES NO

Was the investigation and resolution documented? YES NO

14.6 Since your accreditation/recognition or last Audit, have all alarm and physical security control systems been tested and reviewed for maintenance (as per Approved Documents and manufacturer's instructions)? YES NO

If Yes, were all the tests / maintenance results acceptable? YES NO Please detail any adverse findings.

14.7 Since your accreditation/recognition or last Audit has the emergency response process been tested? YES NO

If Yes, were all the tests / maintenance results acceptable? YES NO Please detail any adverse findings.

14.8 Since your accreditation/recognition or last Audit, have environmental and fire control systems been tested and reviewed for maintenance (as per manufacturer's instructions)? YES NO

If Yes, were all the tests / maintenance results acceptable? YES NO Please detail any adverse findings.

14.9 Since your accreditation/recognition or last Audit, have the UPS and power generators been tested and reviewed for maintenance (as per manufacturer's instructions)? YES NO

If Yes, were all the tests/maintenance results acceptable? YES NO Please detail any adverse findings.

14.10 Does your Security Profile contain elements dealing with Site Security?

If Yes, please provide details.


15 PERSONNEL SECURITY

NOTES

15.1 Have all relevant personnel obtained the level of security clearance required for performance of their duties? YES NO

15.2 When were access rights of personnel last reviewed? YES NO

15.3 What were the results of the most recent review of access listings? YES NO

15.4 Have there been any security incidents since your accreditation/recognition or last Audit concerning vetted personnel? YES NO

15.5 Have there been any security incidents since your accreditation/recognition or last Audit concerning any other personnel? YES NO

15.6 Are there any vetted employees with reviewed/lapsed clearances since your accreditation/ recognition or last Audit? YES NO

Note: Personnel are required to have their clearance reviewed at a minimum of every five years.

15.7 Are there any vetted employees whose circumstances have changed since your accreditation/recognition or last Audit, which may affect their security clearance? YES NO

15.8 Has your Facility Security Officer (FSO) changed since accreditation/recognition or last deed of variation? YES NO

If Yes, has the new FSO received appropriate security clearance? YES NO

Is your FSO position outsourced? YES NO

16 FINANCIAL OBLIGATIONS

NOTES

16.1 If applicable, are you registered on the ICT Multi Use List? YES NO

16.2 Is your insurance current? YES NO


Appendix B – GCAP for Gatekeeper accredited / recognised Certification Authorities

B.1 Overview

The Table below details the accreditation Criteria applicable to Gatekeeper Accredited/ Recognised CAs. For further details on the Criteria, refer to Certification Authority Accreditation Criteria available at www.gatekeeper.gov.au

Documentation/Criteria

PO1 Certificate Policy (except Special category)

PO1a Subscriber / Relying Party Agreements (except Special category)

PO2 Certification Practice Statement (all categories)

SEC1 Security Profile document will include the following (all categories):

i. Protective security risk review

ii. Security policy

iii. Protective security plan

iv. Key management plan

OPS1 i. Operations Manual; and

ii. Disaster Recovery & Business Continuity Plan (all categories)

PP1 ICT Multi Use List (all categories)

PHY1 Compliance with Physical Security to SR1 standard (all categories)

TECH1 Certified Technology ITSEC E3 / EAL:4 (all categories) (In-evaluation products have no status)

PER1 Fully vetted employment profiles to a minimum “Level 1 - Negative Vetting” (all categories except High Assurance) including Facility Security Officer (all categories)

PER1B Fully vetted employment profiles to “SECRET” (High Assurance Category only) including Facility Security Officer


B.2 Instructions to the Authorised Auditor

This GCAP CA work program is for use by appointed GCAP Authorised Auditors to facilitate their professional assessment of the Service Provider's compliance with Gatekeeper Policies and Criteria as documented in the Service Provider's Approved Documents. The GCAP comprises both “Compliance” questions and fundamental “Audit” control questions that are based on Gatekeeper accreditation Criteria and Policies and is also comparable with some WebTrust Program Controls.

The GCAP work program should be used in conjunction with the Self Assessment Questionnaire and Service Provider's Approved Documentation.

Applicable Australian and Industry Standards may also be used as reference documents.

NOTE:

Where the Service Provider is accredited as a CA and RA, the Authorised Auditor will be required to perform the work program set out in both Appendix B and Appendix C. As such, a separate audit of the RA and CA operations of the Service Provider will be necessary.

Each question records where the Authorised Auditor has considered prior work, provided that the conditions stipulated in Section 7.5 (GCAP Procedure for use of WebTrust Audit work) are met and supporting procedures are followed.

In answering the questions, the Authorised Auditor is required to:

respond with results of checks, testing and any associated work;

reference where supporting work papers are contained;

if a control question receives an adverse response, the Authorised Auditor is to detail the findings; and

if a situation occurs where documentation provided by the Service Provider has a different date and version number from those supplied by Finance, the Authorised Auditor is to contact Finance before proceeding with the section control questions.


B.3 GCAP CA Control Questions

Control Questions (include but are not limited to the following)

Prior Work considered

Result of testing

PP1

Multi Use List

1.1 Is the Service Provider registered on the ICT Multi Use List at www.esa.finance.gov.au?

PO1

CERTIFICATE POLICY (CP)

Note: The Auditor should be aware that a Service Provider may have a number of CPs, depending on the structure of its PKI. The questions below refer to the CP in a 'singular' format, though should be applied to all CPs within the Service Provider's Gatekeeper PKI.

2.1 Is there more than one CP?

2.2 Is the CP publicly available from the URL specified in the Self Assessment Questionnaire 1.3?

Obtain a copy of the CP from the URL of the Service Provider

Obtain the date and version number(s) of the CP(s) from Finance.

Review the CP to check if the version number and date are the same as those provided by Finance.

2.3 Determine if the CA has a management group (Policy Approval Authority (PAA), Policy Management Authority (PMA) or equivalent group) with final authority and responsibility for specifying and approving the CA's CP(s) and CPS. (Self Assessment Questionnaire 9.2)

Review details of the Group and check that the details of Persons are all current.


2.4 If any of the CPs have been changed since accreditation/recognition or the last Audit as stated by Self Assessment Questionnaire (9.3), obtain evidence of:

Service Provider's submission to Finance for re-evaluation; and

subsequent approval.

2.5 If the amended CPs have been submitted to Finance for re-evaluation and not yet Approved, please detail the date of submission and any reasons why they have not been Approved.

2.6 Check if the Service Provider's CP contains sections for Subscriber/Relying Parties relating to:

provision for protection of personal privacy

any reliance or financial limits for Certificate usage

liability arrangements (Self Assessment Questionnaire 12.1)

accuracy of representations in Certificate application

information on protection of the subscriber's Private Key

restrictions on Private Key and Certificate use; and

notification of procedures for Private Key compromise.

For Relying Parties, in addition to the above:

purposes for which Certificate is used

digital signature verification responsibilities

revocation and suspension checking responsibilities; and


PO2

CERTIFICATION PRACTICE STATEMENT (CPS)

Prior Work considered

Result of testing

3.1 Is the CPS publicly available from the URL specified in the Self Assessment Questionnaire 1.3?

Obtain a copy of the CPS from the URL of the Service Provider.

Obtain the date and version number of the CPS from Finance.

Review the CPS to check if the version number and date are the same as those provided by Finance.

3.2 If the CPS has been changed since accreditation/recognition or the last Audit as stated by Self Assessment Questionnaire (8.2) or there are differences between the dates and version numbers (3.1 above), obtain evidence of:

Service Provider's submission to Finance for re-evaluation; and

subsequent approval.

3.3 If the amended CPS has been submitted to Finance for re-evaluation and not yet Approved, please detail the date of submission and any reasons why it has not been Approved.

3.4 Review each of the controls and practices within the CA's CPS and cross-reference them against the policies contained within each of the CP(s), to determine if the controls appear to reflect and achieve the objectives and criteria set forth within each CP.

3.5 Review, at minimum, two months of recent statistical data relating to Certificates that have been:

issued

rekeyed

revoked

suspended (if service provided).

Determine using event logging or other means if the Certificates have been processed as prescribed and report on any anomalies.

Determine, over the same period, that:

certificate distribution to End Users and the Database/Repository (if service provided); and

CRL processing

was also conducted as prescribed.
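One way an Authorised Auditor might mechanise the control 3.5 check, as an added example that is not part of the GCAP or of any Service Provider's tooling: it reconciles a constructed CA event log against a constructed CRL listing, counts the issued/rekeyed/revoked events, checks that the sample spans the two-month minimum, and reports every anomaly it finds. The line formats of the log and CRL extract, and the 60-day reading of "two months", are assumptions for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample CA event log (not real data): "timestamp EVENT serial".
# Event names mirror the lifecycle classes named in control question 3.5.
SAMPLE_EVENTS = """\
2011-03-01T09:00:00Z ISSUED 1001
2011-03-01T09:05:00Z ISSUED 1002
2011-03-02T10:00:00Z REVOKED 1001
2011-03-03T11:00:00Z ISSUED 1003
2011-03-04T12:00:00Z REKEYED 1002
2011-03-04T12:01:00Z ISSUED 1004
2011-03-05T08:00:00Z REVOKED 1005
2011-03-06T08:00:00Z REVOKED 1003
2011-03-07T09:00:00Z REKEYED 1001
"""

# Constructed sample of the published CRL contents: "serial revocationTime".
SAMPLE_CRL = """\
1001 2011-03-02T10:00:00Z
1003 2011-03-06T09:00:00Z
1009 2011-03-07T00:00:00Z
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
TWO_MONTHS = timedelta(days=60)  # assumed reading of the "two months" minimum


def parse_events(text):
    """Parse log lines into (time, EVENT, serial) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, event, serial = line.split()
            events.append((datetime.strptime(ts, TS_FORMAT), event.upper(), int(serial)))
    return sorted(events, key=lambda e: e[0])


def parse_crl(text):
    """Parse CRL lines into {serial: revocation time}."""
    crl = {}
    for line in text.splitlines():
        if line.strip():
            serial, ts = line.split()
            crl[int(serial)] = datetime.strptime(ts, TS_FORMAT)
    return crl


def reconcile(events, crl):
    """Count lifecycle events, check the review period, and list anomalies
    between the event log and the CRL. Anomalies are returned as strings."""
    anomalies = []
    issued = set()
    revoked_at = {}
    for ts, event, serial in events:
        if event == "ISSUED":
            if serial in issued:
                anomalies.append(f"serial {serial}: ISSUED more than once")
            issued.add(serial)
            continue
        # Any non-issuance event presupposes an earlier issuance ...
        if serial not in issued:
            anomalies.append(f"serial {serial}: {event} without a prior ISSUED event")
        # ... and nothing should happen to a certificate after it is revoked.
        if serial in revoked_at:
            anomalies.append(f"serial {serial}: {event} after revocation")
        if event == "REVOKED":
            revoked_at[serial] = ts
    # Every logged revocation must appear on the CRL with the same time ...
    for serial, ts in revoked_at.items():
        if serial not in crl:
            anomalies.append(f"serial {serial}: revoked in log but absent from CRL")
        elif crl[serial] != ts:
            anomalies.append(f"serial {serial}: CRL time {crl[serial]} differs from log time {ts}")
    # ... and every CRL entry must be backed by a logged revocation.
    for serial in crl:
        if serial not in revoked_at:
            anomalies.append(f"serial {serial}: on CRL without a REVOKED event")
    span = events[-1][0] - events[0][0] if events else timedelta(0)
    return {
        "counts": dict(Counter(event for _, event, _ in events)),
        "period_days": span.days,
        "two_month_minimum_met": span >= TWO_MONTHS,
        "anomalies": anomalies,
    }


if __name__ == "__main__":
    report = reconcile(parse_events(SAMPLE_EVENTS), parse_crl(SAMPLE_CRL))
    print(report["counts"], "over", report["period_days"], "days;",
          "two-month minimum met:", report["two_month_minimum_met"])
    for finding in report["anomalies"]:
        print("ANOMALY:", finding)
```

On the constructed sample the script reports five anomalies and flags that six days of data fall short of the two-month minimum; each finding maps to a line the auditor would then trace back to the CA's records.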

SEC1

SECURITY PROFILE

Prior Work considered

Result of testing

4.1 Obtain

the latest copy of the Approved Security Profile from the Service Provider; and

the date and version number(s) of the Security Profile from Finance.

Review the Security Profile to check if the version number and date are the same as those provided by Finance.

4.2 If the Security Profile has been changed since accreditation/recognition or the last Audit as stated by Self Assessment Questionnaire (13.2), obtain evidence of Service Provider's submission to Finance for re-evaluation; and subsequent Approval.


4.3 If the amended Security Profile has been submitted to Finance for re-evaluation and it has not yet been Approved, please detail the date of submission and any reason why it has not been Approved.

4.4 Review the Security Profile to determine that it contains the intended security objectives covering the handling and processing of each Certificate contained within the relevant sections of the CP/CPS.

4.5 If the CA is relying on another entity for some particular aspect of security or trust, determine that this is clearly indicated within the Security Profile. (Reference Section 3 Relationships in the Self Assessment Questionnaire)

4.6 Obtain evidence of when the Security Profile was last reviewed as stated by Self Assessment Questionnaire (13.1).

4.7 Has the Security Profile been reviewed within the required time frame?

4.8 Review the Internal Service Provider Report from the last Security Profile review. Have any and all action points been implemented?

4.9 When was the last Threat and Risk Assessment (TRA) done and was it completed within the time frame prescribed in the Approved Documents? (Self Assessment Questionnaire 13.3)

4.10 Have any and all action points from the TRA review been implemented? Detail any that have not and reasons why.

4.11 If any actions do not appear to have been implemented and reasons are not given, are they addressed as residual risks? Have they been officially approved and signed off by management?

4.12 Since accreditation/recognition or last Audit, have there been instances of compromise, or suspected compromise, of Keys (Self Assessment Questionnaire 6.3) belonging to end users?

Review evidence of the documentation and procedures taken to deal with the Key revocation or suspension (if service provided) following the compromise, for a random sampling of situations.


Report on any situations that are not actioned in accordance with the Approved Documents.

4.13 Review each of the processes within the Key Management Plan and test to determine if they are implemented as prescribed.

Consider in particular the outcomes of the following procedures:

generating Keys

distributing Keys to intended users, including how Keys should be activated when received

storing Keys, including how authorised users obtain access to Keys

changing or updating Keys, including rules governing Key changes and how this will be done

dealing with compromised Keys

revoking Keys including how Keys should be withdrawn or deactivated, e.g. when Keys have been compromised or when a user leaves an organisation (in which case Keys should also be archived)

recovering Keys that are lost or corrupted as part of business continuity management, e.g. for recovery of encrypted information

backing up and Archiving Keys, e.g. for information archived or backing up destroyed Keys

logging and Auditing of Key management related activities; and

escrowing Keys (if service is provided).

4.14 Since accreditation or the last Audit, have there been instances of compromise, or suspected compromise, of Keys (Self Assessment Questionnaire 6.3) belonging to the CA or its Operational staff/systems that may threaten the integrity of the PKI?

Review evidence of the documentation and procedures taken to deal with the Key revocation or suspension (if service provided) following the compromise for all situations.


Report on any situations that are not actioned in accordance with the Approved Documents.

4.15 The Authorised Auditor is to perform testing on each of the Service Provider's procedures and controls detailed within the Approved Documents and identify and report on any deficiencies or issues.

Consider in particular the outcomes of the following procedures:

is the CA computing and network infrastructure installed and operating in the manner described in the Security Profile, the Operations Manual, the CPS and the DRBCP?

access control mechanisms - Audit trail collection and review

security incident monitoring, incident management and incident response procedures

the maintenance and use of information about vulnerabilities in the CA facility

the Key Management Plan (for example, secure generation, storage, archival and disposal of keys)

user account management

control of removable media

backup and recovery of data and systems, including off-site storage (Refer DRBCP)

inventory control, including registration procedures to control location of and access to critical assets (for example, private keys); and

internet firewall / Gateway installation and management. Approved Defence Signals Directorate Evaluated Products List (DSD EPL)/ ITSec Gateway.


OPS1 DISASTER RECOVERY AND BUSINESS CONTINUITY PLAN (DRBCP)

Prior Work considered

Result of testing

5.1 Obtain

a copy of the latest Approved DRBCP from the Service Provider; and

the date and version number from Finance

Review the DRBCP to check if the version number and date are the same as those provided by Finance.

5.2 If the DRBCP has been changed since accreditation or the last Audit as stated by the Self Assessment Questionnaire (10.5) or there are differences between the compared documents (Security Profile), obtain evidence of Service Provider's submission to Finance for re-evaluation; and subsequent Approval.

5.3 If the amended DRBCP has been submitted to Finance for re-evaluation and it has not yet been Approved, please detail the date of submission and any reasons why it has not been Approved.

5.4 Obtain evidence that the DRBCP has been tested in accordance with the required timeframe and procedures. (Reference Self Assessment Questionnaire 10.1)

5.5 Have all action points from the testing been implemented?

Check documentation to determine that the tests are documented and that any issues identified have been resolved. Detail any that have not and reasons why. (Reference Self Assessment Questionnaire 10.2)

5.6 Does the Service Provider maintain an updated list of personnel and organisations responsible for operational and business continuity (Internal and External)?

Is this list communicated to Operational Staff in the certified facility? Obtain a sample of the documents and test for accuracy.


Service Provider's DRBCP are current and in place. (Reference Self Assessment Questionnaire 10.3)

5.8 Check the insurance as specified in the Service Provider's DRBCP is current. (Self Assessment Questionnaire 16.2)

5.9 Did the last test include full restoration of the Root/CA servers, Keys and data? If yes, report on any issues identified.

5.10 Check if the training programs referenced in the Service Provider's DRBCP have been implemented in accordance with the documented procedures. (Self Assessment Questionnaire 10.4)

PO1a

SUBSCRIBER / RELYING PARTY AGREEMENT

Note: The Authorised Auditor should be aware that the Service Provider may have a combined or separate Subscriber Agreement and Relying Party Agreement.

Prior work considered

Results of testing

6.1 Obtain

a copy of the Approved Agreement from the Service Provider; and

the date and version number from Finance

Review the document to check if the version number and date are the same as those provided by Finance.

6.2 If the Agreement has been changed since accreditation or the last Audit as stated by Self Assessment Questionnaire (11.3) obtain evidence of:

Service Provider's submission to Finance for re-evaluation; and

subsequent Approval

6.3 If the amended Agreement has been submitted to Finance for re-evaluation and it has not yet been Approved, please detail the date of submission and any reasons why it has not been Approved.


CPS and relevant CP?

6.5 In terms of the processes in place to keep Subscribers / Relying Parties up to date with changes to relevant CPs and CPS and consequent agreement provisions, determine that these actions have been taken.

HEAD AGREEMENT/MEMORANDUM OF AGREEMENT/DEED OF AGREEMENT

7.1 If detailed in Self Assessment Questionnaire 12.1 that there has been change in the ownership / management of the Service Provider, sight evidence of Notification to Finance of the situation.

Determine if the Head Agreement/Memorandum of Agreement is presently assigned to the correctly designated organisation or is under revision by Finance.

PHY1

COMPLIANCE WITH PHYSICAL SECURITY TO SR1 STANDARD

Prior work considered

Results of testing

8.1 Obtain evidence that a review of Physical Security was conducted by a member of the Physical Evaluation Panel as stated in Self Assessment Questionnaire 14.2

8.2 If there were any action points for the Service Provider raised in the last review, determine if they have all been actioned and completed.

Detail any actions that do not appear to be resolved

8.3 If there are any contracts with an external guard company (Self Assessment Questionnaire 14.3) review them for currency in covering any outsourced requirements.

Determine if the guard firm has the required security clearances. Determine that written duties are in place.


Questionnaire 14.10) as per the ISM

8.5 Review the Security Profile to determine if each Site Security control/measure detailed in the document is still in place and operating as outlined in the Approved Documents.

The Authorised Auditor is to consider* the controls in the Service Provider's Security Profile relating to:

computer room construction

security door locks

air conditioning and other vents

electrical and other wiring

access control mechanisms and systems

security alarm systems

backup power supply systems

offsite storage premises (if used)

out of hours Restricted Zones

physical security certification

physical security violations

access control mechanisms and systems

physical standards for an HP/Secret area

Comsec standards

privately owned equipment and media; and

visual access to 'overlook' media and screens.

*NOTE: If an auditor thinks that he/she is not qualified to conduct audit of physical security, please include a representative from the Gatekeeper Physical Security Panel.


8.6 If in Self Assessment Questionnaire 14.4 and 14.5 there were instances of compromise, or suspected compromise of Physical Security/ Confidential Information:

sight evidence that the consequent investigation process was carried out as per Approved Documentation and the issue(s) resolved, along with any associated increase in security measures.

8.7 Determine if since accreditation/recognition or the last Audit, (as per Approved Documentation and manufacturer's instructions) that all the tests and maintenance checks were conducted and that any adverse findings were resolved. Consider:

alarm and physical security control systems

emergency response processes

environmental and fire control systems; and

UPS and power generators.

(Self Assessment Questionnaire 14.6, 14.7, 14.8 and 14.9)

8.8 Determine that for off-Site Back-ups:

data tapes (if used) are secured prior to transporting to the offsite location

remote transfer is done securely

the process allows only authorised people to access and retrieve the offsite backups; and

there is an agreement in place with the off-site party to provide required security controls over the data.

Perform a sample test of registers to determine if all data transfers have been conducted as prescribed.


TECH1 Certified Technology ITSEC E3/EAL:4 (all categories) NOTE: 'In-evaluation' products have no status

Prior work considered

Results of testing

9.1 Obtain the “Certification Report” for the Technology from DSD EPL and determine that the System being utilised by the CA is the same as the Certified Technology on the EPL.

Points to consider are:

version of PKI application(s)

version of database

version of operating systems

type of hardware; and

patches, service packs and other fixes applied.

Report on any inconsistency or deviation from the Certified Technology. If available obtain evidence of:

request from the Service Provider to DSD to change (with associated outcomes); and

internal Sign-off and reasons for Change.

PER1 Fully Vetted Employment Profiles to a minimum “Level 1 – Negative Vetting” (all categories except High Assurance) including Facility Security Officer (all categories).

10.1 Review lists of all staff with access to secure areas.

Determine if they are all cleared to at least Level 1 - Negative Vetting via Finance sponsorship.

10.2 Obtain evidence that the access rights of personnel have been reviewed (Self Assessment Questionnaire 15.2)


10.3 Assess the results of the most recent review of access (Self Assessment Questionnaire 15.3) to ascertain if access rights are as prescribed. Determine if the Service Provider has identified and followed:

which positions involve a Position of Trust (POT);

the procedures for gaining Security Clearances for POT positions; and

the responsibilities for each of the POT roles.

10.4 Review any security incidents which occurred during the year concerning vetted personnel and determine if the actions taken were as prescribed. (Self Assessment Questionnaire 15.4)

10.5 Determine if the formal disciplinary process that exists is followed for employees who have violated organisational security policies and procedures.

10.6 Determine if Finance has been informed of all employees that held a

security clearance in relation to the Gatekeeper Service who have since left the Service Provider.

10.7 Determine if the formal change control process that exists is followed for employees who have had a change in circumstances that may affect their security clearance.

10.8 Determine if Finance has been informed of employees who have had a change in circumstances that may affect their security clearance. (Self Assessment Questionnaire 15.7)

PER1B Fully Vetted Employment Profiles to “Secret” (High Assurance Category only) including Facility Security Officer (all categories)

11.1 Determine which person is nominated as FSO.

11.2 Determine if his/her SECRET Security Vetting is still valid.


Finance has been informed. Subsequently determine that his/her clearance is still valid. (Self Assessment Questionnaire 15.7.)

11.4 Determine that the duties and responsibilities for the FSO role are documented.

11.5 If there has been a change in FSO since accreditation/recognition or the last Audit, determine if the new FSO has been properly informed of his/her new duties and responsibilities.

(Self Assessment Questionnaire 15.8).

11.6 If the Information Technology Security Manager (ITSM) is also performing the role as the FSO, determine whether the ITSM has been fully informed of the additional FSO duties and responsibilities.

OPS1 CA Operations Manual

In reviewing the CA Operations Manual, the Authorised Auditor may revisit sections that are similar to control question checks that have previously been covered in the GCAP. The CA Operations Manual describes the methodologies followed in developing the Security Profile and the DRBCP.

12.1 Obtain:

a copy of the CA Operations Manual from the Service Provider; and

the date and version number from Finance.

Review the document to check if the version number and date are the same as those provided by Finance.

12.2 If the Operations Manual has changed since accreditation or the last Audit or there are differences between the compared documents obtain evidence of:

Service Provider's submission to Finance for re-evaluation; and


12.3 If the amended Operations Manual has only been submitted to Finance for re-evaluation and it has not yet been Approved, please detail the date of submission and any reasons why it has not been Approved.

12.4 Review the Operations Manual and test each detailed control/procedure as required, to determine if it is still in place and operating as prescribed.

NOTE:

The Authorised Auditor is to pay particular attention to the following control questions to supplement any tests conducted as part of 12.4.

12.5 Determine if formal management procedures exist and are followed to control all changes to CA equipment, software and operating procedures.

12.6 Determine that duties and areas of responsibility are segregated in order to reduce opportunities for unauthorised modification or misuse of information or services.

12.7 Determine that the CA has addressed and implemented as prescribed:

power and air conditioning systems to provide a suitable operating environment

precautions to minimise the impact of water exposure; and

fire prevention and protection mechanisms in place.

12.8 Determine that, prior to using external facilities management or outsourcing operational services, risks are identified and controls are agreed upon with the outsourcing party and are incorporated into the contract.

12.9 Determine if the procedures used for capacity requirement and monitoring appear to be implemented and that they address projections of future capacity requirements including processing power and storage requirements.

12.10 Determine that development, maintenance and testing facilities are separated from operational facilities and procedures.


relate to:

business requirement documentation for all systems or enhancements to existing systems

change control procedures exist and are followed for the implementation of software on operational systems, software updates and modifications

change control procedures exist and are followed for emergency software fixes

test data is protected and controlled

strict control is maintained over access to program source libraries

the implementation of changes is strictly controlled by the use of formal change control procedures to minimise the risk of corruption of information systems

applications are reviewed and tested when operating system changes occur

documentation exists that sets out the acceptance criteria for new information systems, upgrades and new versions and that tests of the system and/or application are carried out prior to acceptance

purchase, use and modification of software is controlled and checked to protect against possible covert channels and Trojan code; and

controls are in place to secure outsourced software development.

12.11 Determine that a formal reporting procedure exists and is followed, together with an incident response procedure (see the DRBCP/Security Profile) that sets out the actions to be taken in the event of an incident. Consider:

whether incident management responsibilities and procedures exist and are followed to provide a quick, effective and orderly response to security incidents and malfunctions

Figure 1 shows the major decision points that an Auditor may consider when planning the Audit of a Service Provider's PKI operations.

Table 1: Policies and procedures for Gatekeeper Listing of Validation Authorities (Documentation/Criteria)
