GATEKEEPER COMPLIANCE AUDIT PROGRAM




GATEKEEPER COMPLIANCE AUDIT PROGRAM NOVEMBER 2011

Commonwealth of Australia 2011

All material presented in this publication is provided under a Creative Commons Attribution 3.0 Australia (http://creativecommons.org/licenses/by/3.0/au/deed.en) licence. For the avoidance of doubt, this means this licence only applies to material as set out in this document.

Licence: This document is licensed under a Creative Commons Attribution Non-Commercial No Derivs 3.0 licence. The details of the relevant licence conditions are available on the Creative Commons website (accessible using the links provided) as is the full legal code for the CC BY 3.0 AU licence (http://creativecommons.org/licenses/by/3.0/legalcode).

Use of the Coat of Arms: The terms under which the Coat of Arms can be used are detailed on the It's an Honour (http://www.itsanhonour.gov.au/coat-arms/index.cfm) website.

Contact: Assistant Secretary, Cyber Security and ICT Skills Branch, Department of Finance and Deregulation, John Gorton Building, King Edward Terrace, Parkes ACT 2600

2 November 2011 GCAP

Contents

1. Introduction ... 5
2. Objectives ... 5
2.1 Scope ... 5
2.2 WebTrust audit program ... 5
3. Terminology ... 6
4. GCAP Document Structure ... 7
5. Changes to the GCAP ... 7
6. Background ... 7
6.1 Gatekeeper Public Key Infrastructure Framework ... 7
6.2 Categories of Gatekeeper Certificates ... 8
6.3 The Gatekeeper Marketplace ... 8
6.4 Audit Requirement for Gatekeeper accredited/recognised Service Providers ... 8
6.4.1 Head Agreement/Memorandum of Agreement ... 9
6.4.2 Approved Certificate Policy and Certification Practice Statement ... 9
6.4.3 Other standards ... 9
6.5 Audit Requirements for Gatekeeper Listed Organisations ... 9
6.5.1 Deed of Agreement/Memorandum of Understanding ... 9
7. GCAP Procedures ... 9
7.1 GCAP Decision-Making Procedures ... 10
Figure 1: Audit process for GCAP for Service Providers ... 10
7.2 GCAP Audit Engagement Procedure ... 10
7.3 GCAP Reporting Procedure ... 11
7.4 Audit Report Review ... 12
7.5 GCAP Procedure for use of WebTrust audit work ... 12
7.5.1 Considering Work Conducted on another Service Provider ... 13
7.5.2 Considering Work Programs - Additional Procedures ... 13
Appendix A Self Assessment Questionnaire for Gatekeeper accredited/recognised Service Providers ... 14
A.1 Overview ... 14
A.2 Instructions to the Gatekeeper accredited/recognised Service Provider ... 14
A.3 Self Assessment Questionnaire for Gatekeeper Accredited/Recognised Service Providers ... 15
Appendix B GCAP for Gatekeeper accredited/recognised Certification Authorities ... 22
B.1 Overview ... 22
B.2 Instructions to the Authorised Auditor ... 23
B.3 GCAP CA Control Questions ... 24
B.4 KMP Sample Work Program ... 45
Appendix C GCAP for Gatekeeper accredited Registration Authorities ... 50
C.1 Overview ... 50
C.2 Instructions to the Authorised Auditor ... 50
C.3 GCAP RA Control Questions ... 51
Appendix D Self Assessment Questionnaire for Gatekeeper Listed Organisations ... 68
D.1 Overview ... 68
D.2 Instructions to the Listed Organisation ... 68
D.3 Self Assessment Questionnaire for Known Customer Organisations (KCOs) and Threat and Risk Organisations (TROs) ... 69
D.4 Self Assessment Questionnaire for Validation Authorities ... 76
Appendix E GCAP for Known Customer and Threat and Risk Organisations ... 83
E.1 Overview ... 83
E.2 Instructions to the Authorised Auditor ... 84
E.3 GCAP Known Customer and Threat and Risk Organisations Control Questions ... 85
Appendix F GCAP for Validation Authorities ... 91
F.1 Overview ... 91
F.2 Instructions to the Authorised Auditor ... 91
F.3 GCAP Validation Authority Control Questions ... 92
Appendix G References ... 99

1. Introduction

Under the Gatekeeper Public Key Infrastructure Framework, annual compliance audits remain a condition of Gatekeeper accreditation and recognition. In accordance with clause 11 of the Gatekeeper Head Agreement/Memorandum of Agreement, the Department of Finance and Deregulation (Finance) requires that Authorised Auditors conduct an annual audit of Service Providers' compliance with the Gatekeeper Framework. Finance requires that Listed Organisations also undergo an external compliance audit in accordance with Gatekeeper Listing Requirements [1].

The Gatekeeper Compliance Audit Program (GCAP) provides guidance to Auditors on the scope and conduct of the assessment required under Gatekeeper. The GCAP applies to:
- Gatekeeper accredited/recognised Certification Authorities (CAs)
- Gatekeeper accredited Registration Authorities (RAs)
- Gatekeeper Listed Organisations: Known Customer Organisations; Threat and Risk Organisations; and Validation Authorities.

[1] Gatekeeper accredited/recognised Service Providers are required to choose an Auditor from the Gatekeeper Audit Panel listed at www.gatekeeper.gov.au; whereas Listed Organisations may choose to appoint any qualified Auditor, including from the Gatekeeper Audit Panel.

2. Objectives

The primary objective of the GCAP is to provide a work program to assist Service Providers in meeting the external Audit requirement stipulated in the Gatekeeper Head Agreement/Memorandum of Understanding/Deed of Agreement. The work program in the Appendices outlines the various procedures that form the scope of the Audit.

2.1 Scope

The scope of the GCAP includes Gatekeeper compliance process checks as well as fundamental Audit control checks. These checks are based on:
- the Gatekeeper Framework under which the Service Providers are accredited/recognised;
- Gatekeeper Listing Requirements under which the Known Customer Organisations, Threat and Risk Organisations and Validation Authorities are Listed; and
- industry and Australian standards.

2.2 WebTrust audit program

Service Providers that have completed, or are considering, a WebTrust audit program are required to provide status reports to the Auditor.

An Auditor may consider WebTrust audit work that has been completed and avoid duplication of audit work. The GCAP ensures it is able to incorporate WebTrust audit work that may have been undertaken within the past six months. Incorporating previous Audit work by the Auditor provides two benefits to Service Providers:
- reduced expenditure on external Audit requirements; and
- reduced interruption to operations when Audits occur.

In the event that a Service Provider has not conducted or completed an external Audit program, the Authorised Auditor will conduct the GCAP as a full Audit with all applicable control tests.

The GCAP does not unequivocally accept a WebTrust Audit as sufficient to meet the external Audit requirements for Gatekeeper. Rather, the "modular" structure of GCAP allows, where possible, work programs conducted under WebTrust to be used as a substitute for parts of the GCAP work program. This is conditional on the Auditor being satisfied that the WebTrust work program provides adequate assurance within the constraints of the GCAP.

3. Terminology

In conducting a GCAP, the Authorised Auditor should have a high degree of competence in PKI and knowledge of Gatekeeper Policies and Criteria. Terms used in the GCAP are available at www.gatekeeper.gov.au. Note the following terms:

- Audit: refers only to the external Audit process, unless explicitly stated otherwise. While the terms "Audit" and "external Audit" are used extensively, they are used in a generic sense in accordance with their meaning in the Australian Auditing Standards (AAS). The importance of this statement relates to the fact that an external Auditor's opinion in accordance with AAS is not being sought as a result of conducting the GCAP.
- Authorised Auditor: refers solely to an Auditor who is listed on Finance's Audit Panel to conduct a GCAP, unless explicitly stated otherwise.
- CA: refers solely to a Gatekeeper Accredited/Recognised Certification Authority; it does not refer to a Chartered Accountant, unless explicitly stated otherwise.
- Service Provider: refers solely to a Gatekeeper Accredited/Recognised CA, RA, and Gatekeeper Listed Organisations, unless explicitly stated otherwise.

For information relating to other terms, abbreviations and acronyms contained in this document, refer to the Gatekeeper Glossary at www.gatekeeper.gov.au.

4. GCAP Document Structure

The first part of this GCAP document contains:
- information and background for Auditors;
- criteria for using WebTrust Audit work; and
- processes for a Service Provider to engage an Auditor to conduct a GCAP.

The second part of this GCAP document contains the following Appendices:
- Self-Assessment Questionnaire for the Service Provider;
- GCAP work program for the Auditor; and
- other relevant information.

5. Changes to the GCAP

Finance is responsible for ensuring the applicability and currency of this GCAP document, particularly in light of any changes to the following:
- Gatekeeper Head Agreement/Memorandum of Agreement
- Criteria for Accreditation of Certification Authorities
- Criteria for Accreditation of Registration Authorities
- Listing Requirements for Known Customer Organisations (KCOs)
- Listing Requirements for Threat and Risk Organisations (TROs)
- Listing Requirements for Validation Authorities (VAs); and
- Deed of Agreement/Memorandum of Understanding for KCOs, TROs, and VAs.

To check the currency of this program, contact the Director, Authentication and Identity Management, at gatekeeper@finance.gov.au. Service Providers will be notified of changes to the GCAP document. If a change is deemed to be significant, the review process may incorporate a consultative approach with all relevant stakeholders.

6. Background

6.1 Gatekeeper Public Key Infrastructure Framework

The Gatekeeper PKI Framework:
- facilitates the deployment of a broader range of Digital Certificates designed to meet specific business requirements of agencies and their clients;
- facilitates adoption of a risk management approach aligned to the National e-Authentication Framework (NeAF) and Government Security Standards;
- facilitates increased use of PKI by both business and the broader community through reducing the cost and complexity of producing, acquiring and using Digital Certificates; and
- fosters a competitive market for Digital Certificates.

6.2 Categories of Gatekeeper Certificates

The Framework comprises three categories of Digital Certificates - Special, General and High Assurance - for Individuals and Organisations. The Framework is characterised by flexibility in Evidence of Identity (EOI) requirements and the ability of Relying Parties to readily distinguish between EOI models and EOI assurance levels within those models. Digital Certificates issued under the Framework will be X.509 compliant.

6.3 The Gatekeeper Marketplace

The Gatekeeper marketplace is a unique environment covering a number of PKI domains that provide services from different vendors and organisations. At present, the Australian Gatekeeper marketplace consists of:
- three organisations accredited as both CA and RA - Australian Taxation Office, VeriSign Australia and the Department of Defence;
- two organisations accredited as CA - Verizon Australia Pty Ltd and Medicare Australia;
- one organisation accredited as RA - Australia Post;
- one organisation accredited as RA and recognised as a CA (for issuance of IdenTrust digital certificates) - ANZ Bank;
- one organisation listed as a Validation Authority - Department of Innovation, Industry, Science and Resources; and
- one organisation listed as a Relationship Organisation - Medicare Australia.

6.4 Audit Requirement for Gatekeeper accredited/recognised Service Providers

At the conclusion of the Gatekeeper accreditation/recognition process, Service Providers are required to sign a Gatekeeper Head Agreement (HA)/Memorandum of Agreement (MOA) with the Commonwealth of Australia (represented by Finance). The HA/MOA requires that the Service Provider maintains compliance with the Gatekeeper Framework and the terms of its Gatekeeper accreditation/recognition as set out in its Approved Documents. One condition for maintaining Gatekeeper accreditation is that an annual external Compliance Audit be conducted by qualified Information Technology Auditors authorised by Finance as listed on the Gatekeeper Audit Panel at gatekeeper.gov.au.

6.4.1 Head Agreement/Memorandum of Agreement

The Gatekeeper Head Agreement specifies under sub-clause 11.1: Finance requires an Audit to be conducted by an Authorised Auditor of the Service Provider's compliance with the Accreditation Policies and Criteria, and Approved Documents.

6.4.2 Approved Certificate Policy and Certification Practice Statement

The Approved Certificate Policies (CPs) and Certification Practice Statement (CPS) of each Gatekeeper accredited/recognised Service Provider also stipulate the need for an external Audit to be conducted.

6.4.3 Other standards

Section 8 of AS 4539.2.1-2000, Information Technology - Public Key Authentication Framework (PKAF) - Assurance Framework - Certification Authorities, requires a continuous external Audit to be determined by the accreditation body.

6.5 Audit Requirements for Gatekeeper Listed Organisations

A Gatekeeper Listed Organisation, except a Relationship Organisation, is required to undergo an annual compliance audit of its operations against the Listed Organisation's operational security and privacy criteria. Listed Organisations may select any suitably qualified auditor, including from the Gatekeeper Audit Panel.

6.5.1 Deed of Agreement/Memorandum of Understanding

The Gatekeeper Deed of Agreement specifies under sub-clause 9.1: Finance requires an annual compliance audit to be conducted by a suitably qualified independent auditor (for example, a member of the Gatekeeper Audit Panel) of the Listed Organisation's operational security and privacy criteria.

7. GCAP Procedures

The GCAP provides a set of procedures for Auditors to follow when they conduct an Audit of Service Providers. The GCAP provides guidance on how an Auditor can use previously conducted work programs and reduce the possibility of unnecessary re-work. The GCAP is not a substitute for the individual Auditor's professional judgment in determining the Service Provider's overall compliance. Depending upon the results of the GCAP, additional Audit procedures may be required.

7.1 GCAP Decision-Making Procedures

Figure 1 shows the major decision points that an Auditor may consider when planning the Audit of a Service Provider's PKI operations. This will help Auditors determine the best way to conduct the GCAP. It should be used as a guide when deciding whether to consider prior work performed, along with the criteria specified in Section 7.5 GCAP Procedure for use of WebTrust audit work. If the Auditor chooses not to use Audit work programs that have been conducted within the past six-month time frame, then the full GCAP should be applied as set out in the Appendices.

Figure 1: Audit process for GCAP for Service Providers

Commence GCAP
-> Has a WebTrust audit been conducted within the last six months, or is one in the process of being conducted?
   - NO: Conduct full GCAP
   - YES: Does/would the WebTrust audit cover Gatekeeper operations?
      - NO: Conduct full GCAP
      - YES: Conduct MODULAR GCAP using previous work where applicable

7.2 GCAP Audit Engagement Procedure

Service Providers may follow the following procedures before engaging an Auditor:
- A Gatekeeper accredited/recognised Service Provider completes the Self Assessment Questionnaire at Appendix A, and a Gatekeeper Listed Organisation completes the Self Assessment Questionnaire at Appendix D;
  - the Self Assessment Questionnaire assists the Auditor to make an assessment of previously conducted work, the amount of work required to complete the GCAP and whether a full GCAP is required.

- A Gatekeeper accredited/recognised Service Provider sends the completed Self-Assessment Questionnaire with its Request for Tender (RFT) for external Audit to Authorised Auditors listed on the Gatekeeper Audit Panel at www.gatekeeper.gov.au; Listed Organisations may choose to send completed Self Assessment Questionnaires either to Authorised Auditors or to any qualified IT Auditors of their choice;
- Auditors may use the completed Self-Assessment Questionnaire to assist in drafting their responses to the RFT; and
- the Service Provider reviews the responses to the RFT, and informs the successful Auditor and the Gatekeeper Competent Authority of its decision.

Upon appointment, the chosen Auditor:
- formalises a contract with the Service Provider to conduct the Audit;
- performs the GCAP as proposed; and
- reports its findings to the Gatekeeper Competent Authority, the Service Provider and any other parties agreed to between the Auditor and the Service Provider.

7.3 GCAP Reporting Procedure

Upon completion of the GCAP, the Auditor will issue a final Audit Report to the Gatekeeper Competent Authority, the Service Provider and any other entities agreed to in the GCAP Audit engagement contract. Unless otherwise specified in the GCAP contract, Audit Reports are considered to be sensitive commercial information and should be treated with the required level of security controls for their protection.

The Auditor's report should detail the work conducted, as well as the outcomes of required testing. It will identify any adverse issues, areas of non-compliance or queries that are not resolved to the satisfaction of the Auditor, and will also include associated recommendations from the Auditor. The Auditor is not required to provide a formal Audit opinion on the work performed in accordance with Australian Auditing Standards. The Auditor may wish to base its reporting framework on AUS 904 Engagements to Perform Agreed-upon Procedures. The Auditor may also consider AGS 1008 - Audit Implications of Prudential Reporting Requirements for Authorised Deposit-Taking Institutions as a possible reporting framework. The Auditor should note that AGS 1008 uses AUS 904 as a framework for reporting.

When reporting issues, possible compromises and/or failures, the Auditor may, as applicable, wish to make reference to the categories defined within Australian Standard AS 4539.2.1-2000 - Assurance framework for Certification Authorities, Section 7; as well as sub-clause 11.4 of the Head Agreement/Memorandum of Agreement between Finance and the Service Provider. The Auditor will immediately notify the Service Provider and the Gatekeeper Competent Authority of issues that are considered to represent a failure or significant compromise of the Service Provider's operations.

Auditors should note the following:
- In performing the GCAP, the Auditor's Report will be a "long-form" report detailing the findings resulting from carrying out the prescribed work procedures. Findings that should be reported include potential control and procedural weaknesses.

- Finance does not require an audit opinion in accordance with Australian Auditing Standards. It is envisaged that the Auditor's reporting will be largely based on AUS 904 - Engagements to Perform Agreed-upon Procedures.

7.4 Audit Report Review

The specific process for dealing with final Audit Report findings is contained within each Service Provider's Gatekeeper Head Agreement/Memorandum of Understanding/Agreement. Finance will review the findings and Report from the Auditor and will subsequently issue either a:
- statement to the Service Provider advising that its Gatekeeper Accreditation/Recognition or Listing will be maintained; or
- notice (whether it is a major or minor non-compliance) to the Service Provider specifying any adverse Audit findings and the required remedial actions that will enable the Service Provider to maintain its Gatekeeper accreditation/recognition or Listing (this may also require an additional Audit).

7.5 GCAP Procedure for use of WebTrust audit work

The Auditor selected by the Service Provider has discretion in deciding whether to use prior work as part of the GCAP process. It is important that the Auditor performs quality assurance procedures so that the GCAP Audit Report is adequately supported.

The Auditor may only consider work programs conducted as part of a WebTrust Audit Program. The current market has indicated that WebTrust is the most common program for external CA Audits. Accordingly, Finance has decided that GCAP does not warrant the inclusion of additional Audit programs. The WebTrust program includes appropriate continuous control checking procedures that may provide a framework for the Auditor to follow. The Auditor is responsible for the conduct of the GCAP in all situations.

Under the GCAP, Auditors can only consider prior audit work if it has been undertaken within the past six months. The final report from the Auditor will indicate if prior Audit work has been taken into consideration and the reasons for the decision. The following conditions apply when considering prior work:
- an Auditor may choose not to consider previous work done and therefore conduct a full GCAP. The Auditor and the Service Provider will discuss and agree to the factors contributing to this assessment;
  - the Auditor may decide to conduct a full Audit if prior work is deemed to be insufficient, work papers are not available, or there is a lack of evidence on the nature of the work undertaken;

- the beginning of the permitted six-month period is the completion date of the "actual" individual work program conducted, not the date on which the final Audit report was issued;
  - preparation of final Audit Reports can take time, especially if re-assessment of certain areas is required. The GCAP only requires that the entire work program be conducted to a satisfactory outcome.

The Auditor has the final responsibility in deciding whether prior work will be considered for inclusion. Auditors should be aware that some Service Providers may wish to request an early Gatekeeper Audit to co-ordinate with WebTrust audit activities underway in their organisation. It is beneficial for the Service Provider to request the GCAP to be performed within three months after completion of their external audit.

7.5.1 Considering Work Conducted on another Service Provider

Where Service Providers use the services or facilities of another Gatekeeper accredited entity (who may not be subject to an Audit at the specific time), GCAP sets the following additional conditions:
- the other entity must be Gatekeeper Accredited and provide the service to the Service Provider who is required to undergo the GCAP;
- the constraints of the work program and timing must relate to the specific Service Provider that provides the services; and
- the other Service Provider must also maintain its Gatekeeper accreditation throughout the conduct of the Service Provider's GCAP.

These provisions have been included for situations where a CA may be outsourcing some of its management by using the facilities of another Gatekeeper Accredited CA, or where a CA may be outsourcing its RA operations to another Gatekeeper Accredited Service Provider.

7.5.2 Considering Work Programs - Additional Procedures

When a decision has been made to use work from a WebTrust Audit of a Service Provider, or to use work or controls conducted on another Service Provider, the Auditor must ensure that the decision is adequately supported. In addition to the Auditor's Audit procedures, GCAP requires the Auditor to review relevant communication with Finance and Gatekeeper Evaluators to determine that:
- nothing has changed in the area that the work was based upon; and
- there are no outstanding or pending issues that may affect the area on which that work was based.

If there are changes to the area that would lessen the security or increase the risk of adverse effects, the Auditor should not consider using the prior work.

Appendix A Self Assessment Questionnaire for Gatekeeper accredited/recognised Service Providers

A.1 Overview

The Self Assessment Questionnaire assists Auditors to assess the nature and extent of audit required for the Service Provider. The Questionnaire facilitates the collection of information necessary to understand the current environment in which the Service Provider operates and any implemented changes. The information also enables the Auditor to consider whether a Modular approach may be proposed under the GCAP, allowing previous work to be taken into account. The Self Assessment Questionnaire will then form part of the supporting work papers for the GCAP carried out by the Auditor. There is a requirement to perform an on-site Audit to review and test the Service Provider's established operations and controls.

A.2 Instructions to the Gatekeeper accredited/recognised Service Provider

The Service Provider is required to respond to a majority of the Self Assessment questions with a Yes or No. There are also a number of questions that require the Service Provider to enter written details. All information provided by the Service Provider will be taken as a management representation and deemed to be accurate by the Auditor. All responses provided by the Service Provider will be taken as a representation of their activities, which can be subject to testing during on-site visits.

Note: Some of the Questions may not be applicable to all Service Providers.

A.3 Self Assessment Questionnaire for Gatekeeper Accredited/Recognised Service Providers

1. GENERAL BACKGROUND
1.1 Name of Service Provider
1.2 Type of Service (CA, RA)
1.3 Location/URL of Approved CPs and CPS
1.4 Date of Gatekeeper accreditation/recognition and the latest variation
1.5 Do you remain compliant with the latest Gatekeeper Accreditation Criteria and Policies? If No, provide details.

2. PRIOR AUDITS
2.1 Has a WebTrust Audit been conducted on your operations within the last year?
2.2 Did the scope of the WebTrust Audit cover your Gatekeeper operations? If No, what did the Audit cover?
2.3 What date was the WebTrust Audit signed off?
2.4 When do your WebTrust Updates occur? Who was the Auditor who conducted the WebTrust Audit?
2.5 Are the work papers used available for release to your eventual GCAP Auditor?

3. RELATIONSHIPS
3.1 Are your Gatekeeper related operations entirely located in your own facilities? If No, please state where they are located.
3.2 Is your operation entirely managed and operated by your own personnel? If No, please state the name of the Gatekeeper Accredited Service Provider you use and which aspects of your activities are managed/operated by this organisation.
3.3 Are you reliant on another Service Provider's Certification Practice Statement? If Yes, please specify the name of the Service Provider, its location and the reason for using this CPS.
NOTE: Questions 3.4 to 3.6 only apply if you outsource your facilities, management or operations to another Gatekeeper Accredited Service Provider (i.e. if the answer to 3.1 or 3.2 is No, or 3.3 is Yes).
3.4 Has the other Service Provider been through an external audit?

If Yes: i) who was the auditor? ii) when was the Audit conducted?
3.5 If applicable, did the scope of the other Service Provider's external WebTrust Audit cover your Gatekeeper operations?
3.6 Please specify if any issues were identified.

4. BUSINESS MODEL
4.1 Have there been changes to your business model since the version set out in your Head Agreement/Memorandum of Agreement? If Yes, please provide details.

5. INTERNAL AUDIT COMPLIANCE
5.1 Are procedures in place to check that internal Audits are performed in accordance with the Operations Manual and the Security Profile?
5.2 Has an internal compliance audit been conducted within the last 12 months? If Yes, please state the date of the Audit.
5.3 Did the findings of this internal Audit highlight any deficiencies? If Yes, please detail their status.

6. CA OBLIGATIONS
6.1 Do you continue to maintain an up-to-date list of all revoked certificates?
6.2 Do you continue to make this list available to all Relying Parties?
6.3 If you are issuing certificates to ROs, do you make the list of revoked certificates available to those Agencies participating in the defined Community of Interest?
6.4 Since your accreditation/recognition or last Audit, have there been instances of compromise, or suspected compromise, of Keys and Certificates belonging to the CA or its operational staff or systems that may threaten the integrity of your PKI? If Yes, did you initiate Certificate revocation or suspension (if service provided) following the compromise?

7. RA OBLIGATIONS
7.1 Are procedures in place to check that your operations conform to the practices described in the CA's CPS?
7.2 Are procedures in place to check that you provide your customers with copies of other required documentation (e.g. Subscriber Agreement)?

If No, do you advise customers how to obtain these documents?
7.3 Are the minimum EOI requirements for end-entities still in accordance with the Gatekeeper EOI Policy?
7.4 Do your procedures and processes for collection and storage of personal information still comply with the requirements of the Approved Documents?
7.5 Since accreditation, have there been instances of compromise, or suspected compromise, of data holdings that may threaten the integrity of the PKI?
7.6 Has there been any change to the procedures that you use for conducting EOI? If Yes, please provide details.

8. CERTIFICATION PRACTICE STATEMENT MANAGEMENT
8.1 Since your accreditation/recognition or last Audit, has the management group undertaken a review of business risks, security requirements and operational procedures? Did the outcome of the review warrant a change in your practices/procedures or your CPS?
8.2 Has your CPS changed since accreditation/recognition or last Audit? If Yes: i) has Finance approved the changes? ii) if yes, state the date when Finance approved the changes. Date:

9. CERTIFICATE POLICY MANAGEMENT
9.1 What types of Certificates do you provide?
9.2 Do you maintain a management group with the final authority and responsibility for your CP(s) (e.g. Policy Approval Authority or Policy Management Authority)?
9.3 Has any of your CP(s) changed since your accreditation or last Audit? If Yes, have you submitted the amended CP(s) to Finance for re-evaluation? If Yes: i) has Finance approved the changes? ii) if yes, state the date when Finance approved the changes. Date:

10. DISASTER RECOVERY AND BUSINESS CONTINUITY PLAN
10.1 Has your Disaster Recovery and Business Continuity Plan (DRBCP) been reviewed in accordance with its set timeframe?
10.2 Were there any negative/deficient results from the test procedures? If Yes, please detail the outcomes of required actions.
10.3 Are agreements with external service providers in relation to the DRBCP current?
10.4 Have you trained all employees under the provisions of the DRBCP?
10.5 Has your DRBCP been changed since your accreditation or last Audit? If Yes, have you submitted the amended DRBCP to Finance for re-evaluation? If Yes: i) has Finance approved the changes? ii) if yes, state the date when Finance approved the changes. Date:

11. SUBSCRIBER AGREEMENT/RELYING PARTY AGREEMENT
11.1 Do the procedures you have put in place enable Subscribers and Relying Parties to have a good understanding of their responsibilities and obligations (e.g. providing accurate information; safeguarding their Private Keys; CRL checking)?
11.2 Do you notify Agencies, Subscribers, or other parties as required in regard to liability arrangements?
11.3 Have you amended your CPS or CP(s) since your accreditation/recognition or last Audit? If Yes, have you reviewed the Subscriber Agreement/Relying Party Agreement to ensure that the changes have been incorporated? If Yes: i) has Finance approved these changes? ii) if yes, state the date when Finance approved the changes. Date:

12. LEGAL REQUIREMENTS
12.1 Since your Accreditation/Recognition or last Audit, has there been any change in the ownership/management of your organisation that may impact your Gatekeeper Accreditation/Recognition status? If Yes, please provide details.

13. SECURITY PROFILE [comprises protective security risk review, Threat/Risk Assessment (TRA), protective security plan and policy; and Key Management Plan (KMP)]
13.1 How often are your security policies, procedures and practices reviewed? When was the last review done?
13.2 Have there been changes to your security policies and procedures since your accreditation/recognition or last Audit? If Yes, have you submitted the amended Security Profile to Finance for re-evaluation? If Yes: i) has Finance approved the changes? ii) if yes, state the date when Finance approved the changes. Date:
13.3 How often do you conduct a TRA? When was this last done?
13.4 Have there been changes to your TRA since your Accreditation/Recognition or last Audit? If Yes, have you submitted the amended TRA to Finance for re-evaluation? If Yes: i) has Finance approved the changes? ii) if yes, state the date when Finance approved the changes. Date:
13.5 Does the Security Profile address the issue of residual risk? If Yes, has residual risk been accepted and signed off by management?
13.6 How often do you conduct a review of your KMP? Specify when this was last done.
13.7 Have there been changes to your KMP since your Accreditation/Recognition or last Audit? If Yes, have you submitted the amended KMP to Finance for re-evaluation? If Yes: i) has Finance approved the changes? ii) if yes, state the date when Finance approved the changes. Date:

14. PHYSICAL SECURITY
14.1 Have there been changes to physical security since your accreditation/recognition or last Audit? If Yes, have you notified Finance?
14.2 When was the last time a security assessment of your facility was conducted?
14.3 Are there any contracts with an external Security Guard company?
14.4 Since your accreditation/recognition or last Audit, have there been instances of compromise, or suspected compromise, of the Physical Security of your establishment? If Yes, please include details of the following: Was the investigation process carried out in accordance with the Approved Documents? Was the investigation and resolution documented?
14.5 Since your accreditation/recognition or last Audit, have there been instances of compromise, or suspected compromise, of confidential information? If Yes, please include details of the following: Was the investigation process carried out in accordance with the Approved Documents? Was the investigation and resolution documented?
14.6 Since your accreditation/recognition or last Audit, have all alarm and physical security control systems been tested and reviewed for maintenance (as per Approved Documents and manufacturer's instructions)? If Yes, were all the tests/maintenance results acceptable? Please detail any adverse findings.
14.7 Since your accreditation/recognition or last Audit, has the emergency response process been tested? If Yes, were all the tests/maintenance results acceptable? Please detail any adverse findings.
14.8 Since your accreditation/recognition or last Audit, have environmental and fire control systems been tested and reviewed for maintenance (as per manufacturer's instructions)? If Yes, were all the tests/maintenance results acceptable? Please detail any adverse findings.
14.9 Since your accreditation/recognition or last Audit, have the UPS and power generators been tested and reviewed for maintenance (as per manufacturer's instructions)?
If Yes, were all the tests/maintenance results acceptable? Please detail any adverse findings.
14.10 Does your Security Profile contain elements dealing with Site Security? If Yes, please provide details.

15. PERSONNEL SECURITY
15.1 Have all relevant personnel obtained the level of security clearance required for performance of their duties?
15.2 When were access rights of personnel last reviewed?
15.3 What were the results of the most recent review of access listings?
15.4 Have there been any security incidents since your accreditation/recognition or last Audit concerning vetted personnel?
15.5 Have there been any security incidents since your accreditation/recognition or last Audit concerning any other personnel?
15.6 Are there any vetted employees with reviewed/lapsed clearances since your accreditation/recognition or last Audit? Note: Personnel are required to have their clearance reviewed at a minimum of every five years.
15.7 Are there any vetted employees whose circumstances have changed since your accreditation/recognition or last Audit, which may affect their security clearance?
15.8 Has your Facility Security Officer (FSO) changed since accreditation/recognition or last deed of variation? If Yes, has the new FSO received appropriate security clearance? Is your FSO position outsourced?

16. FINANCIAL OBLIGATIONS
16.1 If applicable, are you registered on the ICT Multi Use List?
16.2 Is your insurance current?

Appendix B GCAP for Gatekeeper accredited/recognised Certification Authorities

B.1 Overview

The table below details the accreditation Criteria applicable to Gatekeeper Accredited/Recognised CAs. For further details on the Criteria, refer to Certification Authority Accreditation Criteria available at www.gatekeeper.gov.au

Documentation/Criteria:
PO1 - Certificate Policy (except Special category)
PO1a - Subscriber / Relying Party Agreements (except Special category)
PO2 - Certification Practice Statement (all categories)
SEC1 - Security Profile document will include the following (all categories): i. Protective security risk review; ii. Security policy; iii. Protective security plan; iv. Key management plan
OPS1 - i. Operations Manual; and ii. Disaster Recovery & Business Continuity Plan (all categories)
PP1 - ICT Multi Use List (all categories)
PHY1 - Compliance with Physical Security to SR1 standard (all categories)
TECH1 - Certified Technology ITSEC E3 / EAL:4 (all categories) (In-evaluation products have no status)
PER1 - Fully vetted employment profiles to a minimum Level 1 - Negative Vetting (all categories except High Assurance) including Facility Security Officer (all categories)
PER1B - Fully vetted employment profiles to SECRET (High Assurance Category only) including Facility Security Officer (all categories)

B.2 Instructions to the Authorised Auditor

This GCAP CA work program is for use by appointed GCAP Authorised Auditors to facilitate their professional assessment of the Service Provider's compliance with Gatekeeper Policies and Criteria as documented in the Service Provider's Approved Documents. The GCAP comprises both Compliance questions and fundamental Audit control questions that are based on Gatekeeper accreditation Criteria and Policies, and is also comparable with some WebTrust Program Controls.

The GCAP work program should be used in conjunction with the Self Assessment Questionnaire and the Service Provider's Approved Documentation. Applicable Australian and Industry Standards may also be used as reference documents.

NOTE: Where the Service Provider is accredited as a CA and RA, the Authorised Auditor will be required to perform the work program set out in both Appendix B and Appendix C. As such, a separate audit of the RA and CA operations of the Service Provider will be necessary.

Each question specifies where the Authorised Auditor has considered prior work, provided that the conditions stipulated in Section 7.5 (GCAP Procedure for use of WebTrust Audit work) are met and supporting procedures are followed.

In answering the questions, the Authorised Auditor is required to:
- respond with results of checks, testing and any associated work;
- reference where supporting work papers are contained;
- if a control question receives an adverse response, detail the findings; and
- if a situation occurs where documentation provided by the Service Provider has different date and version numbers from those supplied by Finance, contact Finance before proceeding with the section control questions.

B.3 GCAP CA Control Questions

Control Questions (include but are not limited to the following)

PP1 Multi Use List
1.1 Is the Service Provider registered on the ICT Multi Use List at www.esa.finance.gov.au?

PO1 CERTIFICATE POLICY (CP)
Note: The Auditor should be aware that a Service Provider may have a number of CPs, depending on the structure of its PKI. The questions below refer to the CP in a singular format, though should be applied to all CPs within the Service Provider's Gatekeeper PKI.
2.1 Is there more than one CP?
2.2 Is the CP publicly available from the URL specified in the Self Assessment Questionnaire 1.3?
- Obtain a copy of the CP from the URL of the Service Provider.
- Obtain the date and version number(s) of the CP(s) from Finance.
- Review the CP to check if the version number and date are the same as those provided by Finance.
2.3 Determine if the CA has a management group (Policy Approval Authority (PAA), Policy Management Authority (PMA) or equivalent group) with final authority and responsibility for specifying and approving the CA's CP(s) and CPS. (Self Assessment Questionnaire 9.2)
- Review details of the Group and that the details of Persons are all current.
- Reference documents if required.

2.4 If any of the CPs have been changed since accreditation/recognition or the last Audit as stated by Self Assessment Questionnaire (9.3), obtain evidence of:
- the Service Provider's submission to Finance for re-evaluation; and
- subsequent approval.
2.5 If the amended CPs have been submitted to Finance for re-evaluation and not yet Approved, please detail the date of submission and any reasons why it has not been Approved.
2.6 Check if the Service Provider's CP contains sections for Subscribers/Relying Parties relating to:
- provision for protection of personal privacy
- any reliance or financial limits for Certificate usage
- liability arrangements (Self Assessment Questionnaire 12.1)
- accuracy of representations in Certificate application
- information on protection of the subscriber's Private Key
- restrictions on Private Key and Certificate use; and
- notification of procedures for Private Key compromise.
For Relying Parties, in addition to the above:
- purposes for which Certificate is used
- digital signature verification responsibilities
- revocation and suspension checking responsibilities; and
- acknowledgement of liability caps and warranties.

PO2 CERTIFICATION PRACTICE STATEMENT (CPS)
3.1 Is the CPS publicly available from the URL specified in the Self Assessment Questionnaire 1.3?
- Obtain a copy of the CPS from the URL of the Service Provider.
- Obtain the date and version number(s) of the CPS from Finance.
- Review the CPS to check if the version number and date are the same as those provided by Finance.
3.2 If the CPS has been changed since accreditation/recognition or the last Audit as stated by Self Assessment Questionnaire (8.2), or there are differences between the dates and version numbers (3.1 above), obtain evidence of:
- the Service Provider's submission to Finance for re-evaluation; and
- subsequent approval.
3.3 If the amended CPS has been submitted to Finance for re-evaluation and not yet Approved, please detail the date of submission and any reasons why it has not been Approved.
3.4 Review each of the controls and practices within the CA's CPS and cross-reference them against the policies contained within each of the CP(s), to determine if the controls appear to reflect and achieve the objectives and criteria set forth within each CP.
3.5 Review, at minimum, two months of recent statistical data relating to Certificates that have been:
- issued
- renewed

- rekeyed
- revoked
- suspended (if service provided).
Determine using event logging or other means if the Certificates have been processed as prescribed and report on any anomalies. Determine, over the same period, that:
- certificate distribution to End Users and the Database/Repository (if service provided); and
- CRL processing
was also conducted as prescribed.

SEC1 SECURITY PROFILE
4.1 Obtain:
- the latest copy of the Approved Security Profile from the Service Provider; and
- the date and version number(s) of the Security Profile from Finance.
Review the Security Profile to check if the version number and date are the same as those provided by Finance.
4.2 If the Security Profile has been changed since accreditation/recognition or the last Audit as stated by Self Assessment Questionnaire (13.2), obtain evidence of:
- the Service Provider's submission to Finance for re-evaluation; and
- subsequent Approval.
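Control question 3.5 asks the Auditor to use event logging to confirm that revocations, suspensions and CRL processing were carried out as prescribed. The following is an added illustration of that reconciliation, not part of GCAP or any Service Provider's tooling; the event-log line format, the CRL records and the serial numbers are all constructed for the example, and the rule that every revocation or suspension must appear on the first CRL issued after it is an assumed interpretation of "processed as prescribed".

```python
"""Added reconciliation helper for GCAP CA control question 3.5 (illustrative only).

Cross-checks a CA's certificate lifecycle event log against the CRLs it
published over the same review period and lists the anomalies an Authorised
Auditor would record in the work papers. All inputs below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Event:
    when: datetime
    action: str      # issued | renewed | rekeyed | revoked | suspended
    serial: str


@dataclass
class Crl:
    issued: datetime
    next_update: datetime     # the CRL's nextUpdate field
    serials: frozenset        # serial numbers listed on this CRL


def parse_events(lines):
    """Parse constructed 'ISO-timestamp action serial' log lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, action, serial = line.split()
        events.append(Event(datetime.fromisoformat(ts), action, serial))
    return events


def lifecycle_counts(events):
    """Per-action totals over the review period (the 'statistical data' of 3.5)."""
    counts = {}
    for ev in events:
        counts[ev.action] = counts.get(ev.action, 0) + 1
    return counts


def audit_revocations(events, crls):
    """Return anomaly strings; an empty list means processed as prescribed."""
    anomalies = []
    crls = sorted(crls, key=lambda c: c.issued)
    # Rule (assumed): each revocation/suspension must be on the next CRL published.
    for ev in events:
        if ev.action not in ("revoked", "suspended"):
            continue
        later = [c for c in crls if c.issued >= ev.when]
        if not later:
            anomalies.append(f"{ev.serial}: {ev.action} at {ev.when} but no CRL issued afterwards")
        elif ev.serial not in later[0].serials:
            anomalies.append(f"{ev.serial}: {ev.action} at {ev.when} but absent from CRL issued {later[0].issued}")
    # CRL cadence: a new CRL must appear before the previous one's nextUpdate.
    for prev, cur in zip(crls, crls[1:]):
        if cur.issued > prev.next_update:
            anomalies.append(f"CRL issued {cur.issued} after predecessor nextUpdate {prev.next_update}")
    # Serials on a CRL with no revocation/suspension event in the log.
    known = {ev.serial for ev in events if ev.action in ("revoked", "suspended")}
    for crl in crls:
        for serial in sorted(crl.serials - known):
            anomalies.append(f"{serial}: listed on CRL {crl.issued} with no matching log event")
    return anomalies


# Constructed sample data: two months would be reviewed in practice.
SAMPLE_LOG = """
2011-09-01T09:00 issued 1001
2011-09-01T09:05 issued 1002
2011-09-02T10:00 revoked 1001
2011-09-03T11:00 suspended 1002
2011-09-10T08:00 renewed 1003
2011-09-12T14:00 revoked 1004
"""
SAMPLE_CRLS = [
    Crl(datetime(2011, 9, 2, 12), datetime(2011, 9, 3, 12), frozenset({"1001"})),
    Crl(datetime(2011, 9, 3, 12), datetime(2011, 9, 4, 12), frozenset({"1001", "1002"})),
    # Published late, misses serial 1004 and carries an unexplained serial 1005.
    Crl(datetime(2011, 9, 13, 12), datetime(2011, 9, 14, 12), frozenset({"1001", "1002", "1005"})),
]

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG.splitlines())
    print("lifecycle counts:", lifecycle_counts(evs))
    for finding in audit_revocations(evs, SAMPLE_CRLS):
        print("ANOMALY:", finding)
```

The three findings on the sample data (a revocation missing from the next CRL, a stale CRL window, and a CRL entry with no logged event) are the kinds of exceptions 3.5 asks the Auditor to report.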

4.3 If the amended Security Profile has been submitted to Finance for re-evaluation and it has not yet been Approved, please detail the date of submission and any reason why it has not been Approved.
4.4 Review the Security Profile to determine that it contains the intended security objectives covering the handling and processing of each Certificate contained within the relevant sections of the CP/CPS.
4.5 If the CA is relying on another entity for some particular aspect of security or trust, determine that this is clearly indicated within the Security Profile. (Reference Section 3 Relationships in the Self Assessment Questionnaire)
4.6 Obtain evidence of when the Security Profile was last reviewed as stated by Self Assessment Questionnaire (13.1).
4.7 Has the Security Profile been reviewed within the required time frame?
4.8 Review the Internal Service Provider Report from the last Security Profile review. Have any and all action points been implemented?
4.9 When was the last Threat and Risk Assessment (TRA) done and was it completed within the time frame prescribed in the Approved Documents? (Self Assessment Questionnaire 13.3)
4.10 Have any and all action points from the TRA review been implemented? Detail any that have not and reasons why.
4.11 If any actions do not appear to have been implemented and reasons are not given, are they addressed as residual risks? Have they been officially approved and signed off by management?
4.12 Since accreditation/recognition or last Audit, have there been instances of compromise, or suspected compromise, of Keys (Self Assessment Questionnaire 6.3) belonging to end users? Review evidence of the documentation and procedures taken to deal with the Key revocation or suspension (if service provided) following the compromise, for a random sample of situations. Report on any situations that are not actioned in accordance with the Approved

Documents.
4.13 Review each of the processes within the Key Management Plan and test to determine if they are implemented as prescribed. Consider in particular the outcomes of the following procedures:
- generating Keys
- distributing Keys to intended users, including how Keys should be activated when received
- storing Keys, including how authorised users obtain access to Keys
- changing or updating Keys, including rules governing Key changes and how this will be done
- dealing with compromised Keys
- revoking Keys, including how Keys should be withdrawn or deactivated, e.g. when Keys have been compromised or when a user leaves an organisation (in which case Keys should also be archived)
- recovering Keys that are lost or corrupted as part of business continuity management, e.g. for recovery of encrypted information
- backing up and archiving Keys, e.g. for information archived or backed up
- destroying Keys
- logging and auditing of Key management related activities; and
- escrowing Keys (if service is provided).
4.14 Since accreditation or the last Audit, have there been instances of compromise, or suspected compromise, of Keys (Self Assessment Questionnaire 6.3) belonging to the CA or its Operational staff/systems that may threaten the integrity of the PKI? Review evidence of the documentation and procedures taken to deal with the Key revocation or suspension (if service provided) following the compromise for all situations.

Report on any situations that are not actioned in accordance with the Approved Documents.
4.15 The Authorised Auditor is to perform testing on each of the Service Provider's procedures and controls detailed within the Approved Documents and identify and report on any deficiencies or issues. Consider in particular the outcomes of the following procedures:
- is the CA computing and network infrastructure installed and operating in the manner described in the Security Profile, the Operations Manual, the CPS and the DRBCP?
- access control mechanisms
- Audit trail collection and review
- security incident monitoring, incident management and incident response procedures
- the maintenance and use of information about vulnerabilities in the CA facility
- the Key Management Plan (for example, secure generation, storage, archival and disposal of keys)
- user account management
- control of removable media
- backup and recovery of data and systems, including off-site storage (refer DRBCP)
- inventory control, including registration procedures to control location of and access to critical assets (for example, private keys); and
- internet firewall/Gateway installation and management: Approved Defence Signals Directorate Evaluated Products List (DSD EPL) / ITSec Gateway.

OPS1 DISASTER RECOVERY AND BUSINESS CONTINUITY PLAN (DRBCP)
5.1 Obtain:
- a copy of the latest Approved DRBCP from the Service Provider; and
- the date and version number from Finance.
Review the DRBCP to check if the version number and date are the same as those provided by Finance.
5.2 If the DRBCP has been changed since accreditation or the last Audit as stated by the Self Assessment Questionnaire (10.5), or there are differences between the compared documents (Security Profile), obtain evidence of:
- the Service Provider's submission to Finance for re-evaluation; and
- subsequent Approval.
5.3 If the amended DRBCP has been submitted to Finance for re-evaluation and it has not yet been Approved, please detail the date of submission and any reasons why it has not been Approved.
5.4 Obtain evidence that the DRBCP has been tested in accordance with the required timeframe and procedures. (Reference Self Assessment Questionnaire 10.1)
5.5 Have all action points from the testing been implemented? Check documentation to determine that the tests are documented and that any issues identified have been resolved. Detail any that have not and reasons why. (Reference Self Assessment Questionnaire 10.2)
5.6 Does the Service Provider maintain an updated list of personnel and organisations responsible for operational and business continuity (Internal and External)? Is this list communicated to Operational Staff in the certified facility? Obtain a sample of the documents and test for accuracy.
5.7 Determine if the agreements with external organisations referenced in the