Independent Accountants Report

Transcription

1 KPMG LLP 1601 Market Street Philadelphia, PA Independent Accountants Report To the Management of Unisys Corporation: We have examined the assertion by the management of Unisys Corporation ( Unisys ) regarding the disclosure of its key and certificate life cycle management business practices, and the suitability of design and operating effectiveness of its controls over key and SSL certificate integrity, the authenticity of subscriber information, logical and physical access to CA systems and data, the continuity of key and certificate life cycle management operations, and development, maintenance and operation of systems integrity, based on the WebTrust for Certification Authorities SSL Baseline with Network Security Version 2.0 Audit Criteria, during the period July 1, 2014 through June 30, 2015, for the Root Unisys Internal Certification Authority (UIS-Root-CA), INT-B Intermediate Certification Authority (UIS-IntB-CA), and ISU-B1 Issuing Certification Authority (UIS-IsuB1-CA), which are part of the Unisys Internal Certification Authority (UICA) at Eagan, MN and Roseville, MN. Unisys management is responsible for its assertion. Our responsibility is to express an opinion on management s assertion based on our examination. Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants, and accordingly, included (1) obtaining an understanding of Unisys SSL certificate life cycle management business practices and procedures, including its relevant controls over the issuance, renewal, and revocation of SSL certificates, and obtaining an understanding of Unisys network and system security to meet the requirements as set forth by the CA/Browser Forum; (2) selectively testing transactions executed in accordance with disclosed SSL certificate life cycle management practices; (3) testing and evaluating the operating effectiveness of the controls; and (4) performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion. The relative effectiveness and significance of specific controls at Unisys and their effect on assessments of control risk for subscribers and relying parties are dependent on their interaction with the controls, and other factors present at individual subscriber and relying party locations. We have performed no procedures to evaluate the effectiveness of controls at individual subscriber and relying party locations. Because of the nature and inherent limitations of controls, Unisys ability to meet the aforementioned criteria may be affected. For example, controls may not prevent, or detect and correct, error, fraud, unauthorized access to systems and information, or failure to comply with internal and external policies or requirements. Also, the projection of any conclusions based on our findings to future periods is subject to the risk that changes may alter the validity of such conclusions. We noted the following issues that resulted in a modification of our opinion: No. Requirements Issues Noted 1 Principle 2 Criterion 2.1 requires the CA to meet the minimum requirements for Certificate Content and Profile, including the Issuer Information. The Issuer Information section is included within certificates issued by the CA; however the required fields for Issuer Organization Name, and Issuer Country Name are not documented. As a result, we noted that Unisys had not maintained effective controls to meet Principle 2, Criterion 2.1 during the period July 1, 2014 through June 30, KPMG LLP is a Delaware limited liability partnership, the U.S. member firm of KPMG International Cooperative ( KPMG International ), a Swiss entity.

2 Page 2 No. Requirements Issues Noted 2 Principle 4 Criterion 3 requires that automated mechanisms under the control of CA or Delegated Third Party Trusted Roles are configured to process logged system activity and alert personnel; using notices provided to multiple destinations; of possible Critical Security Events. 3 Principle 4 Criterion 4 requires the CA to perform a Vulnerability Scan on public and private IP addresses identified by the CA or Delegated Third Party as the CA s of Delegated Third Party s Certificate Systems based on the following: Within one week of receiving a request from the CA/Browser Forum, After any system or network changes that the CA determines are significant, and At least once per quarter. Prior to June 5, 2015, an automated mechanism was not in place for the CAs subject to examination to process logged system activity and alert personnel of possible Critical Security Events. As a result, we noted that Unisys had not maintained effective controls to meet Principle 4 Criterion 3 during the period July 1, 2014 through June 4, Prior to January 1, 2015, periodic Vulnerability Scans were performed on an annual basis. As a result, we noted that Unisys had not maintained effective controls to meet Principle 4, Criterion 4 during the period July 1, 2014 through December 31, In our opinion, except for the effects of the matter(s) discussed in the preceding paragraphs, in providing its SSL Certification Authority (CA) services at Eagan, MN and Roseville, MN, during the period July 1, 2014 through June 30, 2015, Unisys has in all material respects disclosed its Certificate practices and procedures in its Unisys Internal PKI (UIPKI) Certificate Policy (CP) on the Unisys website and Certification Practice Statement (CPS) (restricted to authorized Unisys personnel and third party vendors), including its commitment to provide SSL Certificates in conformity with the applicable CA/Browser Forum Guidelines and provided such services in accordance with its disclosed practices and maintained effective controls to provide reasonable assurance that: - the integrity of keys and SSL certificates it manages was established and protected throughout their life cycles; - SSL subscriber information was properly collected, authenticated (for the registration activities performed by Unisys) and verified; - logical and physical access to CA systems and data was restricted to authorized individuals; - the continuity of key and certificate management operations was maintained; and - CA systems development, maintenance and operations were properly authorized and performed to maintain CA systems integrity. maintained effective controls to provide reasonable assurance that it met the Network and System Security Requirements as set forth by the CA/Browser Forum.

3 Page 3 based on the WebTrust for Certification Authorities SSL Baseline with Network Security Audit Criteria v2.0 for the Unisys SSL CAs. This report does not include any representation as to the quality of Unisys CA's certification services beyond those covered by the WebTrust for Certification Authorities SSL Baseline with Network Security Audit Criteria v2.0, nor the suitability of any of Unisys CA's services for any customer's intended purpose. September 28, 2015

4 September 28, 2015: Assertion of Management as to its Disclosure of its Business Practices and its Controls over its Certification Authority Operations during the period from July 1, 2014 through June 30, 2015 Unisys Corporation ("Unisys") provides its SSL certification authority (CA) services through the Root Unisys Internal Certification Authority (UIS-Root-CA), INT-B Intermediate Certification Authority (UIS-IntB-CA), and ISU-B1 Issuing Certification Authority (UIS-IsuB1-CA), which are part of the Unisys Internal Certification Authority (UICA). The management of Unisys has assessed the disclosure of its certificate practices and its controls over its SSL CA services. Based on that assessment, in Unisys Management s opinion, in providing its SSL CA services at Eagan, MN and Roseville, MN, during the period from July 1, 2014 through June 30, 2015, Unisys has:: disclosed its Certificate practices and procedures in its Unisys Internal PKI (UIPKI) Certificate Policy (CP) on the Unisys website and Certification Practice Statement (CPS) (restricted to authorized Unisys personnel and third party vendors), including its commitment to provide SSL Certificates in conformity with the applicable CA/Browser Forum Guidelines and provided such services in accordance with its disclosed practices and maintained effective controls to provide reasonable assurance that: - SSL subscriber information was properly collected, authenticated (for the registration activities performed by Unisys) and verified; - the integrity of keys and SSL certificates it manages was established and protected throughout their life cycles; - logical and physical access to CA systems and data was restricted to authorized individuals; - the continuity of key and certificate management operations was maintained; and - CA systems development, maintenance and operations were properly authorized and performed to maintain CA systems integrity. maintained effective controls to provide reasonable assurance that it met the Network and System Security Requirements as set forth by the CA/Browser Forum. based on the WebTrust for Certification Authorities SSL Baseline with Network Security Audit Criteria v2.0 for the Unisys SSL CAs except for the effects of the matters noted below: No. Requirements Issues Noted Additional Information Provided by Unisys Corporation 1 Principle 2 Criterion 2.1 requires the CA to meet the minimum requirements for Certificate Content and Profile, including the Issuer Information. The Issuer Information section is included within certificates issued by the CA; however the required fields for Issuer Organization Name, and Issuer Country Name are not documented. As a result, we noted that Unisys had not While these specific fields are not included, this information can be inferred by the following information present in every certificate: Other Issuer Information fields include both the name of the company (Unisys), and their

5 Page 2 2 Principle 4 Criterion 3 requires that automated mechanisms under the control of CA or Delegated Third Party Trusted Roles are configured to process logged system activity and alert personnel; using notices provided to multiple destinations; of possible Critical Security Events. 3 Principle 4 Criterion 4 requires the CA to perform a Vulnerability Scan on public and private IP addresses identified by the CA or Delegated Third Party as the CA s of Delegated Third Party s Certificate Systems based on the following: Within one week of receiving a request from the CA/Browser Forum, maintained effective controls to meet Principle 2, Criterion 2.1 during the period July 1, 2014 through June 30, Prior to June 5, 2015, an automated mechanism was not in place for the CAs subject to examination to process logged system activity and alert personnel of possible Critical Security Events. As a result, we noted that Unisys had not maintained effective controls to meet Principle 4 Criterion 3 during the period July 1, 2014 through June 4, Prior to January 1, 2015, periodic Vulnerability Scans were performed on an annual basis. As a result, we noted that Unisys had not maintained effective controls to meet Principle 4, Criterion 4 during the period July 1, 2014 through December 31, stock symbol (UIS), from which the data for these fields may be inferred. The Extensions fields include links to the external Unisys PKI website, and the Relying Party Agreement and Certificate Policy document, which document this information and provide specific names, addresses and telephone numbers available for contact. All SSL certificates are issued to internal Unisys resources, and the Organization and Country name are displayed in the Subject fields. We note that providing the information in the format specified would have required retirement of the existing CAs, invalidation of existing end user certificates and replacement by new CAs. The PKI Auditor performs a manual review of event logs for critical security events on a weekly basis. In addition, effective June 5, 2015 an automated process has been implemented, which scans the logs for critical events and alerts CA staff via immediate upon notification of a possible Critical Security Event. We are updating the assessment period from the previous annual basis to a quarterly basis for future reviews. Q3 and Q4 vulnerability scans have been completed on the new schedule.

6 Page 3 After any system or network changes that the CA determines are significant, and At least once per quarter. Chris Joerg Unisys Corporation Director, Information Security