Electronic signature and compliance assurance: what s new?



Similar documents
ETSI SECURITY WEEK EIDAS Overview CEN/ETSI esignature Standardization including standards for TSP Compliance. ETSI All rights reserved

ETSI TR V0.0.3 ( )

NIST-Workshop 10 & 11 April 2013

STANDARDISIERUNG FÜR EIDAS IM MANDATE/460

ETSI TC ESI PRESENTATION TO CAB FORUM. ETSI All rights reserved

DS : Trust eservices. The policy context: eidas Regulation

Implementation of eidas through Member States Supervisory Bodies

ETSI TS V2.1.1 ( )

ETSI EN V2.2.2 ( )

Prof. Udo Helmbrecht

esignature building block Introduction to the Connecting Europe Facility DIGIT Directorate-General for Informatics


Terms of Reference for an IT Audit of

OneCoin Blockchain Audit Report

Information Security Specialist Training on the Basis of ISO/IEC 27002

Security framework. Guidelines for trust services providers Part 1. Version 1.0 December 2013

SSLPost Electronic Document Signing

ONR CEN/TS Security Requirements for Trustworthy Systems Supporting Server Signing (prcen/ts :2013) DRAFT ICS

Qualified Time Stamping and eregistered Delivery Services Overall considerations

IS Audit and Assurance Guideline 2402 Follow-up Activities

LEGAL FRAMEWORK FOR E-SIGNATURE IN LITHUANIA AND ENVISAGED CHANGES OF THE NEW EU REGULATION

UKAS Guidance for bodies operating certification of Trust Service Providers seeking approval under tscheme

BANK OF RUSSIA RECOMMENDATIONS ON STANDARDISATION MAINTENANCE OF INFORMATION SECURITY OF THE RUSSIAN BANKING SYSTEM ORGANISATIONS

ETSI TS V1.1.1 ( )

Electronic Signatures in Norway Supervision and Legal Aspects

ETSI EN V1.1.1 ( )

TECHNICAL REPORT Electronic Signatures and Infrastructures (ESI); The framework for standardization of signatures: overview

Mapping COBIT 5 with IT Governance, Risk and Compliance at Ecopetrol S.A. By Alberto León Lozano, CISA, CGEIT, CIA, CRMA

GSA FIPS 201 Evaluation Program

An Electronic Signature Service Infrastructure for the European Commission

Draft ETSI EN V1.1.1 ( )

Domain 1 The Process of Auditing Information Systems

Presented by. Denis Darveau CISM, CISA, CRISC, CISSP

CISA TIMETABLE (4 DAYS)

ISO 27001:2005 & ISO 9001:2008

ETSI TS V1.1.1 ( ) Technical Specification

Profil stručnjaka za informacijsku sigurnost - certificirati se ili ne? Biljana Cerin, CISA, CISM, CGEIT, CBCP, PMP

Automation for Electronic Forms, Documents and Business Records (NA)

Payment Card Industry (PCI) Additional Security Requirements for Token Service Providers (EMV Payment Tokens)

COBIT 5: A New Governance Framework for Managing & Auditing the Technology Environment CS 6-7: Tuesday, July 7 3:30-4:30

Question: 1 Which of the following should be the FIRST step in developing an information security plan?

TTP.NL Scheme. for management system certification. of Trust Service Providers issuing. Qualified Certificates for Electronic Signatures,

Protection Profiles for TSP cryptographic modules Part 1: Overview

INDEPENDENT AUDIT REPORT BASED ON THE REQUIREMENTS OF ETSI TS Aristotle University of Thessaloniki PKI ( WHOM IT MAY CONCERN

Signature policy for TUPAS Witnessed Signed Document

IT Audit in the Cloud

Submitted to the EC on 03/06/2012. COMPETITIVENESS AND INNOVATION FRAMEWORK PROGRAMME ICT Policy Support Programme (ICT PSP) e-codex

Cloud Computing Security Audit

BMC Client Management - SCAP Implementation Statement. Version 12.0

for Information Security

Digital Signature Verification using Historic Data

RECOMMENDATIONS for the PROCESSING of EXTENDED VALIDATION SSL CERTIFICATES January 2, 2014 Version 2.0

AHIA HCCA Auditing & Monitoring Focus Group Defining the Key Roles and Responsibilities Corporate Compliance and Internal Audit.

Recommendation for IT Governance Using the COBIT 4.1 Framework

Cloud Security Standards. Aziza Al Rashdi Director, Cyber Security Professional Services Oman National CERT Information Technology Authority

Cyber Security Consultancy Standard. Version 0.2 Crown Copyright 2015 All Rights Reserved. Page 1 of 13

FOR A PAPERLESS FUTURE. Petr DOLEJŠÍ Senior Solution Consultant SEFIRA Czech Republic

Trusted e-id Infrastructures and services in EU

Commission s proposal for a Regulation on Electronic identification and trust services for electronic transactions in the internal market

COMMISSION OF THE EUROPEAN COMMUNITIES

ETSI TS V2.1.1 ( ) Technical Specification

Key Management Best Practices

A Contrarian Risk Management Perspective. Nicole Keaton SVP Identity & Access Management CGEIT CISA CISM

ETSI TR V1.1.1 ( )

COBIT Helps Organizations Meet Performance and Compliance Requirements

AlphaTrust PRONTO Enterprise Platform Product Overview

Certified Information Systems Auditor (CISA)

Quality Assurance Checklist

ELECTRONIC PRESENTATION AND E-SIGNATURE FOR ELECTRONIC FORMS, DOCUMENTS AND BUSINESS RECORDS ALPHATRUST PRONTO ENTERPRISE PLATFORM

Information Security Certifications

ow to use CobiT to assess the security & reliability of Digital Preservation

JTC 1/SC 27Security Techniques - Översikt arbetsgrupper och standarder

Standards in the Digital Single Market: setting priorities and ensuring delivery

Director, IT Security District Office Kern Community College District JOB DESCRIPTION

Pharmaceutical, Biotech and Medical Device Manufacturers. Be Compliant and Audit Ready - Implement an LMS!

Certification and Training

TrustedX: eidas Platform

NEMA Standards Publication PS 3 Supplement 41. Digital Imaging and Communications in Medicine (DICOM) Digital Signatures

Strategy, COBIT and Vision: HOW DO THEY RELATE? Ken Vander Wal, CISA, CPA, Past President, ISACA

CEF Building blocks. Informatics. Joao Rodrigues Frade DIGIT.B4. CEF Project and Architecture Office Directorate-General for Informatics

EXAMPLES OF FUNCTIONAL COMPETENCIES

Digital Signatures The Law and Best Practices for Compliance. January 2014

COMMISSION RECOMMENDATION. of

Transcription:

Electronic signature and compliance assurance: what s new? Ignacio ( Nacho ) Alamillo Domingo, CISA, CISM, ITIL-F ISACA Valencia Chapter Research Director Astrea Managing Partner

March 2013 2 Table of contents Electronic signature standards status. Conformity assessment. Opportunities for auditors.

March 2013 3 Electronic signature standards status 1 Electronic signature is quickly maturing, especially when based in digital certificates (PKI-based e-sign). The European Telecommunication Standards Institute, under the EU Commission Mandate 460, is producing a Rationalised Framework for Electronic Signature Standardisation (SR 001 604 v1.1.1): Signature Creation and Validation. Signature Creation and Other Related Devices. Cryptographic Suites. Trust Service Providers supporting esignatures. Trust Application Service Providers. Trust Service Status (List) Provider.

March 2013 4 Electronic signature standards status 2 Rationalised Framework for Electronic Signature Standardisation (SR 001 604 v1.1.1). Document types: Guidance: This type of documents does not include any normative requirements but provides business driven guidance on addressing the esignature (functional) area, on the selection of applicable standards and their options for a particular business implementation context and associated business requirements, on the implementation of a standard (or a series of standards), on the assessment of a business implementation against a standard (or a series of standards), etc. Policy & Security Requirements: This type of document specifies policy and security requirements for services and systems, including protection profiles. This brings together use of other technical standards and the security, physical, procedural and personnel requirements for systems implementing those technical standards.

March 2013 5 Electronic signature standards status 3 Rationalised Framework for Electronic Signature Standardisation (SR 001 604 v1.1.1). Document types: Technical Specifications: This type of document specifies technical requirements on systems. This includes but is not restricted to technical architectures (describing standardised elements for a system and their interrelationships), formats, protocols, algorithms, APIs, profiles of specific standards, etc. Conformity Assessment: This type of document addresses requirements for assessing the conformity of a system claiming conformity to a specific set of technical specifications, policy or security requirements (including protection profiles when applicable). This primarily includes conformity assessment rules (e.g. common criteria evaluation of products or assessment of systems and services).

March 2013 6 Electronic signature standards status 4 Rationalised Framework for Electronic Signature Standardisation (SR 001 604 v1.1.1). Document types: Testing Compliance & Interoperability: This type of document addresses requirements and specifications for setting-up interoperability tests or testing systems or for setting-up tests or testing systems that will provide automated checks of compliance of products, services or systems with specific set(s) of technical specifications.

March 2013 7 Conformity assessment 1 Signature Creation & Validation: EN 19 103 Conformity Assessment for Signature Creation and Validation Applications (& Procedures) This document introduces the three aspects of assessment detailed in separate specifications: a) Assessment of user environment against policy requirements: the conformity rules for assessing conformity of SCA or SVA against Policy Requirements. b) Assessment of products and applications for electronic signature creation and validation against protection profiles. c) Assessment of conformity to Advanced Electronic Signature formats and protocols. d) Assessment of conformity of a specific machine processable signature policy to the business process policy requirements.

March 2013 8 Conformity assessment 2 Signature Creation and other Related Devices: EN 19 203 Conformity Assessment of Secure Devices and Trustworthy systems This document provides guidance on conformity assessment of Secure Creation Devices against the specifications EN 19 211 and guidance on conformity assessment for trustworthy systems against the specifications EN 19 221, EN 19 231, EN 19 241 and EN 19 251.The guidance is intended for use by designated bodies, assessors, evaluators and manufacturers.

March 2013 9 Conformity assessment 3 Trust Service Providers supporting Electronic Signatures: EN 19 403: General requirements and guidance for Conformity Assessment of TSPs Supporting Electronic Signatures This document specifies general requirements for conformity assessment independent of the form of TSP and provides guidance for the supervision and assessment of a TSP supporting electronic signatures. EN 19 413: Conformity Assessment for TSPs Issuing Certificates This document specifies requirements and provides guidance for the supervision and assessment of a TSP issuing certificates. EN 19 423 Conformity Assessment for TSPs providing Time-Stamping Services This document specifies requirements and provides guidance for the supervision and assessment of a TSP providing time-stamping services.

March 2013 10 Conformity assessment 4 Trust Service Providers supporting Electronic Signatures: EN 19 433 Conformity Assessment for TSPs providing Signature Generation Services This document specifies requirements and provides guidance for the supervision and assessment of a TSP providing Signature Generation Services. EN 19 443 Conformity Assessment for TSPs providing Signature Validation Services This document specifies requirements and provides guidance for the supervision and assessment of a TSP providing Signature Validation Services.

March 2013 11 Conformity assessment 5 Trust Application Service Providers: EN 19 513 Conformity Assessment of Registered Electronic Mail Service Providers This document specifies requirements and provides guidance for the supervision and assessment of a Registered Electronic Mail Service Provider based on general requirements and guidance for conformity assessment specified in EN 19 403. EN 19 523 Conformity Assessment of Data Preservation Service Providers This document specifies requirements and provides guidance for the supervision and assessment of a DPSP based on general requirements and guidance for conformity assessment specified in EN 19 403.

March 2013 12 Opportunities for auditors ISACA body of standards offer a comprehensive body of ethics and practice foundations (e.g. under ITAF). We may provide value when performing the conformity assessment, fostering the adoption of this technologies BUT current audit procedures and standards are a bit old (2002). We should possibly update and align our practices to the rationalised framework. The approach should maintain regulatory neutrality but may leverage the ETSI structure, and apply it on a global basis.

MANY THANKS Ignacio ( Nacho ) Alamillo Domingo ISACA Valencia Chapter Research Director Astrea Managing Partner nacho@astrea.cat

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information