Hello,
We are seeking clarification on CCADB Policy Section 5.2 "Audit Statement Content" ( https://www.ccadb.org/policy#52-audit-statement-content ), specifically regarding how incident disclosures should be presented in audit statements when both audited subordinate CAs and externally-operated subordinate CAs exist within the same root CA hierarchy.
As a starting point, we intend to separate the presentation of Bugzilla-reported incidents into two distinct categories within the root CA owner’s audit statement:
This separation is intended to clearly distinguish audit scope, available audit evidence, and verification responsibility, while ensuring that all incidents disclosed by SECOM in Bugzilla are fully accounted for.
Under this presentation model, we are considering the following approach:
For subordinate CAs included in the root CA owner’s audit scope, the auditor will verify not only the existence of incidents but also the status and appropriateness of the Root Cause analysis and corresponding Action Items.
For externally-operated subordinate CAs outside the scope of the root CA owner’s audit, the auditor will rely on the independent audit statement issued for the subordinate CA. In such cases, that audit is expected to cover the Root Cause analysis and Action Items relating to both the externally-operated subordinate CA’s responsibilities and any relevant responsibilities attributable to the root CA owner.
However, within the root CA owner’s audit statement, the extent of verification for externally operated subordinate CAs may differ depending on the availability of audit evidence.
In such cases, verification of the Root Cause analysis and corresponding Action Items is performed based on available evidence within the root CA owner’s audit, while detailed verification is expected to be performed as part of the audit of the externally operated subordinate CA, in accordance with its independent audit scope.
This approach does not change the underlying responsibility model, but reflects how audit procedures are applied based on scope and available evidence.
In this way, all Bugzilla incidents disclosed by SECOM are included, while audit evidence and verification responsibilities are separated according to audit scope.
Additionally, even in cases where incidents related to externally-operated subordinate CAs are already covered by the subordinate CA’s independent audit statement, we consider that including those incidents in the root CA owner’s audit statement (i.e., duplicating the disclosure) would not present compliance concerns and may enhance overall transparency.
We would
appreciate the community’s feedback on the following specific points:
1. Whether separating incident disclosure based on audit scope (i.e., in-scope
vs. out-of-scope subordinate CAs) is acceptable under CCADB Policy Section 5.2
2. Whether including incidents related to externally operated subordinate CAs
in the root CA owner’s audit
statement, even when those incidents are already covered in the subordinate CA’s independent audit statement (i.e.,
duplication of disclosure), is considered acceptable or preferred from a
compliance and transparency perspective.
Best regards,
ONO Fumiaki / 大野 文彰
(Japanese name order: family name first, in uppercase)
SECOM Trust Systems CO., LTD.
Dear Ono-san,
Thank you for your questions.
Here is a brief response limited to the specific questions you raised. No opinion is expressed regarding any other content or explanation provided in your email.
1. Is it acceptable to separate incident disclosures based on audit scope (i.e., in-scope vs. out-of-scope subordinate CAs)?
Response: Yes. This is acceptable, provided that all required incidents are disclosed and the presentation clearly identifies which audit statement addresses each incident.
2. Is it acceptable to include incidents related to externally operated subordinate CAs in the Root CA Owner's audit statement, even when those incidents are already covered in the subordinate CA's independent audit statement?
Response: Yes. The CCADB Policy does not prohibit duplicate disclosure. Including an incident in more than one audit statement is acceptable and may improve clarity and transparency.
Sincerely yours,
Ben Wilson
CCADB Support
--
You received this message because you are subscribed to the Google Groups "CCADB Public" group.
To unsubscribe from this group and stop receiving emails from it, send an email to public+un...@ccadb.org.
To view this discussion visit https://groups.google.com/a/ccadb.org/d/msgid/public/57b50af4-9a0d-4078-ac59-4ec3b16a7450n%40ccadb.org.