who does a PKI audit?


Kristin Griffin

Who deems the need for a PKI audit and who would actually do this audit? Is
this enforced by law?

Thanks,

Kristin
 
Thanks Tom!


"Tom [Pepper] Willett" <tom@youreadaisyifyoudo.com> wrote in message
news:OeVAFHFZIHA.4272@TK2MSFTNGP05.phx.gbl...
> http://www.isaca.org/Template.cfm?S...EMPLATE=/ContentManagement/ContentDisplay.cfm
>
>
> "Kristin Griffin" <kristin.l.griffin@gmail.com> wrote in message
> news:uimfSmEZIHA.4208@TK2MSFTNGP04.phx.gbl...
> : Who deems the need for a PKI audit and who would actually do this audit?
> Is
> : this enforced by law?
> :
> : Thanks,
> :
> : Kristin
> :
> :
>
>
 
On Jan 31, 3:40 pm, "Kristin Griffin" <kristin.l.grif...@gmail.com>
wrote:
> Who deems the need for a PKI audit and who would actually do this audit?  Is
> this enforced by law?
>
> Thanks,
>
> Kristin


Kristin,

The PKI audit is defined in the certificate policy in both IETF RFC
2527 and 3647. The audit is mandatory for all assurance levels;
however, the level of detail of the audit may vary according to the
number of assertion (shall, will, must) statements in the applicable
CP. It isn't mandated by law; it is defined by policy, and in that
mandate it is necessary to show compliance so that an intangible
factor such as trust can be defined by relying parties.

Federal PKI policy requires that a CISA or CISSP and PKI expert with
industry recognition conduct such audits and be organizationally
independent of the PKI.

Brian
 