Confirm, administrator
5,526
edits
Changes
Drafting section about Delayed or Partial Audits
* Whiteboard = [ca-compliance] Audit Delay COVID-19
'''Potential Remediation:''' <br />Situations will be considered and treated on a case by case basis, with discussions including the CA, the browsers, and the auditor. * ETSI Audits:** [https://groups.google.com/d/msg/mozilla.dev.security.policy/4Q6WAgLAvDo/zMJu6HWkAQAJ Guidance provided in mozilla.dev.security.policy] included the following: *** If facilities can’t be audited by auditors of the CAB in person, possible alternatives are:**** “Network-assisted auditing techniques” are possible (ETSI EN 319 403, 7.4.1.2)**** CAB may subcontract auditors that do not fall under the restriction, if they fulfil the auditor requirements. The CAB always remains fully responsible for such outsourced activities. (ISO/IEC 17065, 6.2.2 ).**** If such alternatives were accepted by the CAB to provide reasonable assurance with regard to the requirements to be audited, this would result in a normal audit conclusion and would not be visible on an audit attestation letter.*** everything which can be audited will be audited - there is especially no restriction to do a full Stage 1 document audit.**** If facilities cannot be audited by auditors of the CAB in person ... An audit attestation letter shall be issued stating which parts have not been covered by the audit. *** It is possible to re-use the original audit results and perform an additional audit just with regard to the non audited requirements (ISO/IEC 17065, 7.4). Usually, the period during which this is possible is limited by the CAB (ACAB’c: 6 month). Once the original audit becomes too old, a completely new audit would be necessary.* WebTrust Audits** [https://groups.google.com/d/msg/mozilla.dev.security.policy/4Q6WAgLAvDo/K7u11d6xAgAJ Guidance provided in mozilla.dev.security.policy] included the following: *** Ultimately, when an auditor is not able to obtain assurance on the entire scope of the engagement, and realizing a carved out approach is not permitted in a WebTrust audit, for example, when a certain data center is not able to be visited to observe controls operating and underlying documentation, the auditor will not be able to provide an unmodified/unqualified/clean opinion and the client would not be able to display the WebTrust seal. In these situations, the auditor would include an explanatory paragraph that details what gave rise to the scope limitation and issue one of the following modified opinions:**** Qualified opinion (when conditions are least severe but significant enough to mention), stating an except for paragraph explaining the condition(s) arising from the scope limitation, such as not being able to test the data center.**** Adverse opinion (when conditions are more severe), stating that the conditions are such that due to the severity of the scope limitation, the auditor states controls are not operating effectively and they were not able to satisfy themselves that the necessary controls were able to operate.**** Disclaimer of opinion (when conditions are most severe), stating that the auditor is unable to form any opinion due to the nature of the scope limitation.*** If the potential threat of a scope limitation is primarily due do an auditor not being able to travel to perform necessary testing, as with the Coronavirus, there are potential remedies for the auditor to consider, including, but not limited to:**** Using the work of another auditor, whereby the lead auditor verifies the independence, qualifications and technical competency of another firm that can do a portion of the work, and the lead auditor directs the work, plans, supervises and reviews the other auditor’s work, taking ultimate responsibility. In this case, no mention of the other firm is made in the report as the lead auditor is taking responsibility for the other firm’s work.**** Using technology to observe physical controls and underlying documents/artifacts via remote means, such as video. In this case, the auditor must ensure the authenticity, integrity, security and confidentiality of the transmission.
= Revocation =
