Enforcing Trust in Cyberspace



SPYRUS Policies and Procedures - Audit Guidelines

The SPYRUS Policies and Procedures Suite demonstrates that PKI is much more than hardware, software and networks. Business analysis and detailed planning precede the deployment of a PKI, and, in the same way, a PKI is not complete until it has been successfully audited for trust and assurance. International standards, national and local legislation and regulations, and corporate policy demand a regular audit schedule. In addition, those who rely on the certification service - clients, partners, suppliers - want to be assured of the trustworthiness of the PKI system. Audit is an integral part of a PKI.

PKI is inherently oriented towards interoperability, or at least towards external connections. To provide evidence of trust in a PKI, a number of schemes are being developed world-wide, amongst them T-Scheme in the U.K. and WebTrust in North America. All such schemes require a successful audit against a specified set of assurance criteria covering all aspects of the PKI and its environment.

SPYRUS has developed a set of generic audit guidelines to assist our PKI customers in preparing for audit, whether it is an internal review by another division of the organization (e.g., the audit department) or an audit carried out by an independent third party (e.g., one of the major audit firms). In either case, SPYRUS has considerable experience in preparing for audit and, in the case of internal review, in specifying the policies, procedures, and systems that need to be audited - and how to audit them.

In addition to our generic audit guidelines, which are based on auditing against a Certificate Policy and Certification Practice Statement, SPYRUS works with its customers to develop audit guidelines for specific requirements, such as compliance with the EU Directive or with HIPAA regulations.

For PKI, the developing PKI Accreditation Guidelines (PAG) of the American Bar Association Information Security Committee set out a detailed foundation for audit. SPYRUS has participated in the drafting of the PAG, and continues to do so. We can bring this expertise to the benefit of our customers.

For the PKI environment, many governments at all levels, as well as private sector organizations, are using the recently published ISO Standard 17799 - Code of practice for Information Security (December 2000). SPYRUS contributes extensively to the current revision of IS 17799, as well as to its companion ISO document, Technical Report 13335 - Guidelines on the management of Information Technology Security. We bring this expertise to our customers as well, to ensure a successful audit against a carefully planned program.

For more information on PKI Audit, see our "SPYRUS Audit Framework for PKI" White Paper.






© 1996–2012 SPYRUS, Inc.