Independent Accountants Report

KPMG LLP
345 Park Avenue
New York, NY 10154-0102

Independent Accountants' Report

To the Management of Unisys Corporation:

We have examined the assertion by the management of Unisys Corporation (Unisys) regarding the disclosure of its key and certificate life cycle management business practices, and the suitability of design of its controls over key and SSL certificate integrity, the authenticity of subscriber information, logical and physical access to CA systems and data, the continuity of key and certificate life cycle management operations, and development, maintenance and operation of systems integrity, based on the WebTrust for Certification Authorities SSL Baseline Requirements Audit Criteria, as of June 30, 2014, for the Root Unisys Internal Certification Authority, INT-B Intermediate CA, and ISU-B1 Issuing CA, which are part of the Unisys Internal Certification Authority (UICA) at Eagan, MN and Roseville, MN. Unisys management is responsible for its assertion. Our responsibility is to express an opinion on management's assertion based on our examination.

Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants, and accordingly, included (1) obtaining an understanding of Unisys' key and SSL certificate life cycle management business practices and its controls over key and SSL certificate integrity, over the continuity of key and certificate life cycle management operations, and over the development, maintenance, and operation of systems integrity; (2) selectively testing transactions executed in accordance with disclosed SSL certificate life cycle management business practices; (3) testing and evaluating the design of the controls; and (4) performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion.

The relative effectiveness and significance of specific controls at Unisys and their effect on assessments of control risk for subscribers and relying parties are dependent on their interaction with the controls, and other factors present at individual subscriber and relying party locations. We have performed no procedures to evaluate the effectiveness of controls at individual subscriber and relying party locations. Because of the nature and inherent limitations of controls, Unisys' ability to meet the aforementioned criteria may be affected. For example, controls may not prevent, or detect and correct, error, fraud, unauthorized access to systems and information, or failure to comply with internal and external policies or requirements. Also, the projection of any conclusions based on our findings to future periods is subject to the risk that changes may alter the validity of such conclusions.

KPMG LLP is a Delaware limited liability partnership, the U.S. member firm of KPMG International Cooperative ("KPMG International"), a Swiss entity.

We noted the following issues that resulted in a modification of our opinion:

1. Requirement: Principle 2, Criterion 2.1 requires the CA to meet the minimum requirements for Certificate Content and Profile, including the Issuer Information.
   Issue noted: The Issuer Information section is included within certificates issued by the CA; however, the required fields for Issuer Organization Name and Issuer Country Name are not documented. As a result, we noted that Unisys had not maintained effective controls to meet Principle 2, Criterion 2.1.

2. Requirement: Principle 2, Criterion 4.2 requires the CA to verify the identity and address of the organization and that the address is the Applicant's address of existence or operation if the Subject Identity Information is to include the name or address of an organization.
   Issue noted: The organization address information (address, state, and country) that is included in the Subject field of a certificate request was not vetted prior to certificate issuance as per Baseline Requirements section 11.2. As a result, we noted that Unisys had not maintained effective controls to meet Principle 2, Criterion 4.2.

3. Requirement: Principle 2, Criterion 8.1 requires the CA to perform ongoing self assessments on at least a quarterly basis against a randomly selected sample of at least three percent (3%) of the Certificates issued during the period commencing immediately after the previous self assessment sample was taken.
   Issue noted: Documentation was provided to show that a self assessment had started; however, no evidence was available to show the results of the assessment, or that the self assessment represented 3% of the certificates issued during the quarter or was scheduled on a quarterly basis. As a result, we noted that Unisys had not maintained effective controls to meet Principle 2, Criterion 8.1.

In our opinion, except for the effects of the matter(s) discussed in the preceding paragraphs, in providing its SSL Certification Authority (CA) services at Eagan, MN and Roseville, MN, as of June 30, 2014, Unisys has in all material respects disclosed its Certificate practices and procedures in its Unisys Internal PKI (UIPKI) Certificate Policy (CP) on the Unisys website and Certification Practice Statement (CPS) (restricted to authorized Unisys personnel and third party vendors), including its commitment to provide SSL Certificates in conformity with the applicable CA/Browser Forum Guidelines, and provided such services in accordance with its disclosed practices and designed suitable controls to provide reasonable assurance that:

- subscriber information was properly collected, authenticated (for the registration activities performed by Unisys) and verified;
- the integrity of keys and certificates it manages was established and protected throughout their life cycles;
- logical and physical access to CA systems and data was restricted to authorized individuals;
- the continuity of key and certificate management operations was maintained; and
- CA systems development, maintenance and operations were properly authorized and performed to maintain CA systems integrity,

based on the WebTrust for Certification Authorities SSL Baseline Requirements Audit Criteria for the Unisys SSL CAs.

This report does not include any representation as to the quality of Unisys CA's certification services beyond those covered by the WebTrust for Certification Authorities SSL Baseline Requirements Audit Criteria, nor the suitability of any of Unisys CA's services for any customer's intended purpose.

Very truly yours,

October 20, 2014
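The findings on Criteria 2.1 (issuer must carry Organization Name and Country Name) and 8.1 (quarterly self assessment over a random sample of at least 3% of certificates issued since the previous sample) are checks a CA operator can automate. The following is an added example, not code from Unisys, KPMG or the report: a small standard-library parser for a DER-encoded X.501 Name that reports whether the issuer is missing O or C, and an exact-integer sample-size routine with a seeded sampler. The issuer names and serial numbers are constructed for the demonstration, and the DER encoder exists only to build those inputs offline; a real deployment would feed it the issuer bytes of actual certificates.

```python
"""Added example (not part of the audit report): issuer-field check and
self-assessment sampler for WebTrust BR Criteria 2.1 / 8.1 style controls."""
import random

# X.500 attribute type OIDs as used in X.509 Names (real values).
OID_COUNTRY = "2.5.4.6"   # C
OID_ORG = "2.5.4.10"      # O
OID_CN = "2.5.4.3"        # CN

TAG_SEQUENCE, TAG_SET, TAG_OID = 0x30, 0x31, 0x06
TAG_UTF8 = 0x0C           # real certs often use PrintableString (0x13) for C;
                          # the parser below accepts any string tag.


def _der_len(n):
    """X.690 length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(TAG_OID, bytes(out))


def encode_name(attrs):
    """Build a DER Name from [(dotted_oid, text)], one RDN per attribute.
    Only used here to construct sample issuer names offline."""
    rdns = b"".join(
        _tlv(TAG_SET, _tlv(TAG_SEQUENCE,
                           _encode_oid(oid) + _tlv(TAG_UTF8, val.encode("utf-8"))))
        for oid, val in attrs)
    return _tlv(TAG_SEQUENCE, rdns)


def _read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def _decode_oid(body):
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def parse_name(der):
    """Parse a DER X.501 Name into {dotted_oid: [string values]}."""
    tag, body, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("Name must be exactly one DER SEQUENCE")
    attrs, pos = {}, 0
    while pos < len(body):
        stag, rdn, pos = _read_tlv(body, pos)
        if stag != TAG_SET:
            raise ValueError("RDN must be a SET")
        rpos = 0
        while rpos < len(rdn):
            _, atv, rpos = _read_tlv(rdn, rpos)
            _, oid_body, p = _read_tlv(atv, 0)
            _, val, _ = _read_tlv(atv, p)
            attrs.setdefault(_decode_oid(oid_body), []).append(val.decode("utf-8"))
    return attrs


def issuer_findings(issuer_der):
    """Criterion 2.1-style check: list what the issuer Name is missing."""
    attrs = parse_name(issuer_der)
    findings = []
    if not any(v.strip() for v in attrs.get(OID_ORG, [])):
        findings.append("missing Issuer Organization Name (O)")
    if not any(v.strip() for v in attrs.get(OID_COUNTRY, [])):
        findings.append("missing Issuer Country Name (C)")
    return findings


def sample_size(issued_count, percent=3):
    """Smallest integer >= percent% of issued_count, in exact integer
    arithmetic (100 * 0.03 is not 3.0 in floating point)."""
    return (issued_count * percent + 99) // 100


def self_assessment_sample(serials, percent=3, seed=None):
    """Criterion 8.1-style random sample of the certificates issued since
    the previous self assessment; pass a seed to make the draw reproducible."""
    serials = list(serials)
    return sorted(random.Random(seed).sample(serials, sample_size(len(serials), percent)))


if __name__ == "__main__":
    # Constructed issuer names, not real CA data.
    good = encode_name([(OID_COUNTRY, "US"), (OID_ORG, "Example Corp"), (OID_CN, "Example Issuing CA")])
    bad = encode_name([(OID_CN, "Example Issuing CA")])
    print("complete issuer:", issuer_findings(good))
    print("incomplete issuer:", issuer_findings(bad))
    print("sample of 100 issued:", self_assessment_sample(range(100), seed=1))
```

Keep the seed and the sampled serial list with the assessment record: the finding on Criterion 8.1 was not that sampling was wrong but that no evidence of the sample or its results survived, and a reproducible draw is what lets an auditor re-derive the 3% later.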