Independent Accountants' Report




KPMG LLP
1601 Market Street
Philadelphia, PA 19103-2499

Independent Accountants' Report

To the Management of Unisys Corporation:

We have examined the assertion by the management of Unisys Corporation ("Unisys") regarding the disclosure of its key and certificate life cycle management business practices, and the suitability of design and operating effectiveness of its controls over key and SSL certificate integrity, the authenticity of subscriber information, logical and physical access to CA systems and data, the continuity of key and certificate life cycle management operations, and development, maintenance and operation of systems integrity, based on the WebTrust for Certification Authorities SSL Baseline with Network Security Version 2.0 Audit Criteria, during the period July 1, 2014 through June 30, 2015, for the Root Unisys Internal Certification Authority (UIS-Root-CA), INT-B Intermediate Certification Authority (UIS-IntB-CA), and ISU-B1 Issuing Certification Authority (UIS-IsuB1-CA), which are part of the Unisys Internal Certification Authority (UICA) at Eagan, MN and Roseville, MN. Unisys management is responsible for its assertion. Our responsibility is to express an opinion on management's assertion based on our examination.

Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants, and accordingly included (1) obtaining an understanding of Unisys' SSL certificate life cycle management business practices and procedures, including its relevant controls over the issuance, renewal, and revocation of SSL certificates, and obtaining an understanding of Unisys' network and system security to meet the requirements as set forth by the CA/Browser Forum; (2) selectively testing transactions executed in accordance with disclosed SSL certificate life cycle management practices; (3) testing and evaluating the operating effectiveness of the controls; and (4) performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion.

The relative effectiveness and significance of specific controls at Unisys and their effect on assessments of control risk for subscribers and relying parties are dependent on their interaction with the controls, and other factors present at individual subscriber and relying party locations. We have performed no procedures to evaluate the effectiveness of controls at individual subscriber and relying party locations.

Because of the nature and inherent limitations of controls, Unisys' ability to meet the aforementioned criteria may be affected. For example, controls may not prevent, or detect and correct, error, fraud, unauthorized access to systems and information, or failure to comply with internal and external policies or requirements. Also, the projection of any conclusions based on our findings to future periods is subject to the risk that changes may alter the validity of such conclusions.

We noted the following issues that resulted in a modification of our opinion:

No. 1
Requirement: Principle 2, Criterion 2.1 requires the CA to meet the minimum requirements for Certificate Content and Profile, including the Issuer Information.
Issue noted: The Issuer Information section is included within certificates issued by the CA; however, the required fields for Issuer Organization Name and Issuer Country Name are not documented. As a result, we noted that Unisys had not maintained effective controls to meet Principle 2, Criterion 2.1 during the period July 1, 2014 through June 30, 2015.

No. 2
Requirement: Principle 4, Criterion 3 requires that automated mechanisms under the control of CA or Delegated Third Party Trusted Roles are configured to process logged system activity and alert personnel, using notices provided to multiple destinations, of possible Critical Security Events.
Issue noted: Prior to June 5, 2015, an automated mechanism was not in place for the CAs subject to examination to process logged system activity and alert personnel of possible Critical Security Events. As a result, we noted that Unisys had not maintained effective controls to meet Principle 4, Criterion 3 during the period July 1, 2014 through June 4, 2015.

No. 3
Requirement: Principle 4, Criterion 4 requires the CA to perform a Vulnerability Scan on public and private IP addresses identified by the CA or Delegated Third Party as the CA's or Delegated Third Party's Certificate Systems based on the following: within one week of receiving a request from the CA/Browser Forum; after any system or network changes that the CA determines are significant; and at least once per quarter.
Issue noted: Prior to January 1, 2015, periodic Vulnerability Scans were performed on an annual basis. As a result, we noted that Unisys had not maintained effective controls to meet Principle 4, Criterion 4 during the period July 1, 2014 through December 31, 2014.

In our opinion, except for the effects of the matters discussed in the preceding paragraphs, in providing its SSL Certification Authority (CA) services at Eagan, MN and Roseville, MN, during the period July 1, 2014 through June 30, 2015, Unisys has, in all material respects:

- disclosed its Certificate practices and procedures in its Unisys Internal PKI (UIPKI) Certificate Policy (CP) on the Unisys website and Certification Practice Statement (CPS) (restricted to authorized Unisys personnel and third party vendors), including its commitment to provide SSL Certificates in conformity with the applicable CA/Browser Forum Guidelines;
- provided such services in accordance with its disclosed practices;
- maintained effective controls to provide reasonable assurance that:
  - the integrity of keys and SSL certificates it manages was established and protected throughout their life cycles;
  - SSL subscriber information was properly collected, authenticated (for the registration activities performed by Unisys) and verified;
  - logical and physical access to CA systems and data was restricted to authorized individuals;
  - the continuity of key and certificate management operations was maintained; and
  - CA systems development, maintenance and operations were properly authorized and performed to maintain CA systems integrity; and
- maintained effective controls to provide reasonable assurance that it met the Network and System Security Requirements as set forth by the CA/Browser Forum,

based on the WebTrust for Certification Authorities SSL Baseline with Network Security Audit Criteria v2.0 for the Unisys SSL CAs.

This report does not include any representation as to the quality of Unisys CA's certification services beyond those covered by the WebTrust for Certification Authorities SSL Baseline with Network Security Audit Criteria v2.0, nor the suitability of any of Unisys CA's services for any customer's intended purpose.

September 28, 2015

KPMG LLP is a Delaware limited liability partnership, the U.S. member firm of KPMG International Cooperative ("KPMG International"), a Swiss entity.
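Finding No. 1 above (and the same item in management's assertion that follows) turns on the Baseline Requirements issuer profile, which calls for organizationName and countryName in the Issuer name of every certificate. The Go program below is an added example of the check a practitioner would run against a CA's output; it is not code from the report, from KPMG or from Unisys. It uses only the standard library: it builds a throwaway self-signed CA whose name carries only a commonName, mirroring the finding, has it issue one server certificate, and lints the result. The DN contents, the host name, the key type and the helper names are assumptions. Subject O and C are reported separately and only as information, since the finding stood even though those attributes were present in the Subject.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// IssuerFindings records what the issuer profile requires (countryName and
// organizationName; commonName is optional) and whether the Issuer name
// of the certificate actually carries it.
type IssuerFindings struct {
	MissingOrganization bool
	MissingCountry      bool
	SubjectHasBoth      bool // informational only: O and C in Subject do not substitute
}

// Compliant is true only when the Issuer name itself carries O and C.
func (f IssuerFindings) Compliant() bool {
	return !f.MissingOrganization && !f.MissingCountry
}

// LintIssuer inspects the parsed Issuer and Subject names of one certificate.
func LintIssuer(cert *x509.Certificate) IssuerFindings {
	return IssuerFindings{
		MissingOrganization: len(cert.Issuer.Organization) == 0,
		MissingCountry:      len(cert.Issuer.Country) == 0,
		SubjectHasBoth:      len(cert.Subject.Organization) > 0 && len(cert.Subject.Country) > 0,
	}
}

// IssueLeaf builds an ephemeral self-signed CA named by (cn, org, country),
// an empty org or country meaning the attribute is omitted, and has it sign
// one server certificate whose Subject carries O and C. All values are
// constructed for the example; keys live only in memory.
func IssueLeaf(cn, org, country string) (*x509.Certificate, error) {
	caName := pkix.Name{CommonName: cn}
	if org != "" {
		caName.Organization = []string{org}
	}
	if country != "" {
		caName.Country = []string{country}
	}
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	caTpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               caName,
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTpl, caTpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	leafTpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		// Constructed Subject: O and C present here, as the report says they were.
		Subject:     pkix.Name{CommonName: "intranet.example.internal", Organization: []string{"Example Corp"}, Country: []string{"US"}},
		NotBefore:   now.Add(-time.Hour),
		NotAfter:    now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:    []string{"intranet.example.internal"},
	}
	// The Issuer of the leaf is copied from the parent's Subject by CreateCertificate.
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(leafDER)
}

func main() {
	for _, c := range []struct{ cn, org, country string }{
		{"UIS-IsuB1-CA", "", ""},                      // CN only, the shape of the finding (assumed DN)
		{"UIS-IsuB1-CA", "Unisys Corporation", "US"}, // profile-conformant issuer (assumed DN)
	} {
		leaf, err := IssueLeaf(c.cn, c.org, c.country)
		if err != nil {
			panic(err)
		}
		f := LintIssuer(leaf)
		fmt.Printf("issuer=%q compliant=%v missingO=%v missingC=%v subjectHasOC=%v\n",
			leaf.Issuer.String(), f.Compliant(), f.MissingOrganization, f.MissingCountry, f.SubjectHasBoth)
	}
}
```

The lint reads the parsed pkix.Name rather than string-matching the printed DN, so an organizationName buried in the CN (the "Unisys" and "UIS" tokens management points to) still counts as missing, which is the position the auditors took. Note also the last sentence of management's response: because the Issuer name is fixed by the CA certificate, the only remedy is a new CA and re-issuance, so this check belongs in a CA's pre-deployment profile review, not just in periodic linting of issued certificates.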

September 28, 2015

Assertion of Management as to its Disclosure of its Business Practices and its Controls over its Certification Authority Operations during the period from July 1, 2014 through June 30, 2015

Unisys Corporation ("Unisys") provides its SSL certification authority (CA) services through the Root Unisys Internal Certification Authority (UIS-Root-CA), INT-B Intermediate Certification Authority (UIS-IntB-CA), and ISU-B1 Issuing Certification Authority (UIS-IsuB1-CA), which are part of the Unisys Internal Certification Authority (UICA). The management of Unisys has assessed the disclosure of its certificate practices and its controls over its SSL CA services. Based on that assessment, in Unisys Management's opinion, in providing its SSL CA services at Eagan, MN and Roseville, MN, during the period from July 1, 2014 through June 30, 2015, Unisys has:

- disclosed its Certificate practices and procedures in its Unisys Internal PKI (UIPKI) Certificate Policy (CP) on the Unisys website and Certification Practice Statement (CPS) (restricted to authorized Unisys personnel and third party vendors), including its commitment to provide SSL Certificates in conformity with the applicable CA/Browser Forum Guidelines;
- provided such services in accordance with its disclosed practices;
- maintained effective controls to provide reasonable assurance that:
  - SSL subscriber information was properly collected, authenticated (for the registration activities performed by Unisys) and verified;
  - the integrity of keys and SSL certificates it manages was established and protected throughout their life cycles;
  - logical and physical access to CA systems and data was restricted to authorized individuals;
  - the continuity of key and certificate management operations was maintained; and
  - CA systems development, maintenance and operations were properly authorized and performed to maintain CA systems integrity; and
- maintained effective controls to provide reasonable assurance that it met the Network and System Security Requirements as set forth by the CA/Browser Forum,

based on the WebTrust for Certification Authorities SSL Baseline with Network Security Audit Criteria v2.0 for the Unisys SSL CAs, except for the effects of the matters noted below:

No. 1
Requirement: Principle 2, Criterion 2.1 requires the CA to meet the minimum requirements for Certificate Content and Profile, including the Issuer Information.
Issue noted: The Issuer Information section is included within certificates issued by the CA; however, the required fields for Issuer Organization Name and Issuer Country Name are not documented. As a result, we noted that Unisys had not maintained effective controls to meet Principle 2, Criterion 2.1 during the period July 1, 2014 through June 30, 2015.
Additional information provided by Unisys Corporation: While these specific fields are not included, this information can be inferred from the following information present in every certificate: other Issuer Information fields include both the name of the company (Unisys) and its stock symbol (UIS), from which the data for these fields may be inferred. The Extensions fields include links to the external Unisys PKI website, and the Relying Party Agreement and Certificate Policy document, which document this information and provide specific names, addresses and telephone numbers available for contact. All SSL certificates are issued to internal Unisys resources, and the Organization and Country name are displayed in the Subject fields. We note that providing the information in the format specified would have required retirement of the existing CAs, invalidation of existing end user certificates and replacement by new CAs.

No. 2
Requirement: Principle 4, Criterion 3 requires that automated mechanisms under the control of CA or Delegated Third Party Trusted Roles are configured to process logged system activity and alert personnel, using notices provided to multiple destinations, of possible Critical Security Events.
Issue noted: Prior to June 5, 2015, an automated mechanism was not in place for the CAs subject to examination to process logged system activity and alert personnel of possible Critical Security Events. As a result, we noted that Unisys had not maintained effective controls to meet Principle 4, Criterion 3 during the period July 1, 2014 through June 4, 2015.
Additional information provided by Unisys Corporation: The PKI Auditor performs a manual review of event logs for critical security events on a weekly basis. In addition, effective June 5, 2015, an automated process has been implemented which scans the logs for critical events and alerts CA staff via immediate email upon notification of a possible Critical Security Event.

No. 3
Requirement: Principle 4, Criterion 4 requires the CA to perform a Vulnerability Scan on public and private IP addresses identified by the CA or Delegated Third Party as the CA's or Delegated Third Party's Certificate Systems based on the following: within one week of receiving a request from the CA/Browser Forum; after any system or network changes that the CA determines are significant; and at least once per quarter.
Issue noted: Prior to January 1, 2015, periodic Vulnerability Scans were performed on an annual basis. As a result, we noted that Unisys had not maintained effective controls to meet Principle 4, Criterion 4 during the period July 1, 2014 through December 31, 2014.
Additional information provided by Unisys Corporation: We are updating the assessment period from the previous annual basis to a quarterly basis for future reviews. Q3 and Q4 vulnerability scans have been completed on the new schedule.

Chris Joerg
Unisys Corporation
Director, Information Security
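Finding No. 2 and management's response to it concern the Network and Certificate System Security Requirements criterion that an automated mechanism process logged system activity and alert personnel, through notices to multiple destinations, of possible Critical Security Events; the response describes a weekly manual review plus, from June 5, 2015, an automated log scan that emails CA staff. The Go program below is an added example of the shape such a mechanism takes and is not Unisys's process, nor anything from the report. The log format, the host names, the three rules and the threshold are assumptions; the rule categories follow the kinds of event the NCSSR definition of a Critical Security Event gives as examples (excessive login attempts, requests for privileged access, unexpected changes to Certificate Systems). The sample log lines are constructed. Two recording notifiers stand in for the email and paging transports so that the fan-out to multiple destinations can be checked offline.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one parsed audit record from a CA host: an RFC 3339 timestamp
// followed by key=value pairs (constructed format, not Unisys's).
type Event struct {
	Time   time.Time
	Fields map[string]string
}

// Alert is one possible Critical Security Event to be routed to every destination.
type Alert struct {
	Rule   string
	Host   string
	Detail string
}

// Notifier is one delivery channel; the criterion asks for notices to multiple destinations.
type Notifier interface {
	Notify(a Alert) error
}

// RecordingNotifier stands in for an email or pager transport so the example runs offline.
type RecordingNotifier struct {
	Name string
	Sent []Alert
}

func (r *RecordingNotifier) Notify(a Alert) error { r.Sent = append(r.Sent, a); return nil }

// ParseLine parses "<RFC3339 time> k=v k=v ..." into an Event.
func ParseLine(line string) (Event, error) {
	parts := strings.Fields(line)
	if len(parts) < 2 {
		return Event{}, fmt.Errorf("short line: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, parts[0])
	if err != nil {
		return Event{}, err
	}
	ev := Event{Time: ts, Fields: map[string]string{}}
	for _, kv := range parts[1:] {
		if i := strings.IndexByte(kv, '='); i > 0 {
			ev.Fields[kv[:i]] = kv[i+1:]
		}
	}
	return ev, nil
}

const (
	FailWindow    = 10 * time.Minute // assumed sliding window for login failures
	FailThreshold = 5                // assumed count that makes failures "excessive"
)

// Detect applies three rules in time order: excessive login attempts (one alert
// when the threshold is reached, not on every later failure), any privileged
// access request, and a change under /etc/ca/ with no change ticket attached.
func Detect(events []Event) []Alert {
	sort.Slice(events, func(i, j int) bool { return events[i].Time.Before(events[j].Time) })
	var alerts []Alert
	fails := map[string][]time.Time{} // user@src -> failure times inside the window
	for _, ev := range events {
		host := ev.Fields["host"]
		switch ev.Fields["event"] {
		case "auth_fail":
			key := ev.Fields["user"] + "@" + ev.Fields["src"]
			keep := fails[key][:0] // in-place filter: drop failures older than the window
			for _, t := range fails[key] {
				if ev.Time.Sub(t) <= FailWindow {
					keep = append(keep, t)
				}
			}
			keep = append(keep, ev.Time)
			fails[key] = keep
			if len(keep) == FailThreshold {
				alerts = append(alerts, Alert{"excessive_login_attempts", host, key})
			}
		case "priv_request":
			alerts = append(alerts, Alert{"privileged_access_request", host, ev.Fields["user"] + " -> " + ev.Fields["target"]})
		case "file_change":
			if strings.HasPrefix(ev.Fields["path"], "/etc/ca/") && ev.Fields["change_id"] == "" {
				alerts = append(alerts, Alert{"unexpected_change", host, ev.Fields["path"]})
			}
		}
	}
	return alerts
}

// ProcessLog parses the lines, runs detection, and sends every alert to every destination.
func ProcessLog(lines []string, dests []Notifier) ([]Alert, error) {
	var events []Event
	for _, l := range lines {
		if strings.TrimSpace(l) == "" {
			continue
		}
		ev, err := ParseLine(l)
		if err != nil {
			return nil, err
		}
		events = append(events, ev)
	}
	alerts := Detect(events)
	for _, a := range alerts {
		for _, d := range dests {
			if err := d.Notify(a); err != nil {
				return alerts, err
			}
		}
	}
	return alerts, nil
}

// SampleLog is constructed input for the example; it is not real Unisys data.
var SampleLog = []string{
	"2015-06-05T02:00:01Z host=uis-isub1-ca event=auth_ok user=pkiops src=10.1.2.3",
	"2015-06-05T02:01:00Z host=uis-isub1-ca event=auth_fail user=administrator src=10.9.9.9",
	"2015-06-05T02:01:05Z host=uis-isub1-ca event=auth_fail user=administrator src=10.9.9.9",
	"2015-06-05T02:01:10Z host=uis-isub1-ca event=auth_fail user=administrator src=10.9.9.9",
	"2015-06-05T02:01:15Z host=uis-isub1-ca event=auth_fail user=administrator src=10.9.9.9",
	"2015-06-05T02:01:20Z host=uis-isub1-ca event=auth_fail user=administrator src=10.9.9.9",
	"2015-06-05T02:01:25Z host=uis-isub1-ca event=auth_fail user=administrator src=10.9.9.9",
	"2015-06-05T03:10:00Z host=uis-intb-ca event=file_change path=/etc/ca/issuing.conf user=root change_id=CHG-1042",
	"2015-06-05T03:12:00Z host=uis-intb-ca event=file_change path=/etc/ca/issuing.conf user=root",
	"2015-06-05T04:00:00Z host=uis-root-ca event=priv_request user=contractor target=ca-signing-key",
}

func main() {
	email := &RecordingNotifier{Name: "email"}
	pager := &RecordingNotifier{Name: "pager"}
	alerts, err := ProcessLog(SampleLog, []Notifier{email, pager})
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%-26s %-13s %s\n", a.Rule, a.Host, a.Detail)
	}
	fmt.Printf("%d alerts, %d sent via %s, %d sent via %s\n", len(alerts), len(email.Sent), email.Name, len(pager.Sent), pager.Name)
}
```

Over the sample log this yields three alerts (the fifth failed logon, the configuration change without a change ticket, and the request for the signing key) and each reaches both destinations. The single-destination email described in management's response would satisfy the "alert personnel" part of the criterion but not the "multiple destinations" part; that is why the fan-out is a list rather than one transport. In production the recording notifiers would be replaced by real transports, and the weekly manual review would remain as a check that the automated rules are still firing.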