Beruflich Dokumente
Kultur Dokumente
Introduction
The specialised nature of information systems (IS) auditing, and the skills necessary to perform such audits, require standards that
apply specifically to IS auditing. One of the goals of the Information Systems Audit and Control Association, Inc. (ISACA) is to
advance globally applicable standards to meet this need. The development and dissemination of IS Auditing Standards are a
cornerstone of the ISACA professional contribution to the audit community.
Objectives
The objectives of the ISACA IS Auditing Standards are to inform:
IS auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA
Code of Professional Ethics for IS auditors
Management and other interested parties of the profession’s expectations concerning the work of practitioners
The objective of IS Auditing Procedures is to provide further information on how to comply with the IS Auditing Standards.
The Standards Board has an ongoing development programme, and would welcome the input of members of the ISACA and holders of
the CISA designation and other interested parties to identify emerging issues requiring new standards products. Any suggestions should
be e-mailed (research@isaca.org), faxed (+1.847.253.1443) or mailed (address provided at the end of this guideline) to ISACA
International Headquarters, for the attention of the director of research standards and academic relations.
1.1 The purpose of this procedure is to provide a tool to help evaluate a certification authority (CA), both in terms of quality of
services offered and reliability.
1.2 The techniques of authentication play an essential role in electronic commerce, whether they are used to provide access to a
corporate intranet, or to identify the communicating or transacting parties (private or commercial). Authentication of the parties
to a transaction or communication is a method of building trust in electronic commerce, when appropriately carried out by
reliable and secure technology infrastructures.
1.3 Authentication may be performed at various levels of security and by different technologies based on the party’s requirements
and the transaction or communication characteristics. For years, people have used passwords or similar methods of
authentication, but today there are many more technological approaches to help facilitate this critical part of a communication.
Today there are a variety of biometric and cryptographic key-based solutions used for authentication. They can be used as
stand-alone systems, in combination or as part of a larger technological environment. Many organisations believe that public
key infrastructure (PKI) based tools provide the most scalable solutions for commercially robust authentication systems.
2.1 The term authentication refers to a large class of electronic applications whose functions may range from pure identification
and authorisation to legal recognition.
2.2 Referring to specific authentication techniques, the terms electronic signature and digital signature are often used
interchangeably. This has led to significant international confusion as to the use of the two terms. Digital signature is a
functional subset of the more inclusive term electronic signature. Terminology used in this document shall refer to definitions
with a certain level of international acceptance achieved through recognised international forums.
2.2.1 The term electronic signature has been defined by many authors as a signature in electronic form in, or attached to or logically
associated with, a data message, and used by or on behalf of a person with the intent to identify that person and to indicate
that person’s approval of the contents of the data message.
2.2.2 Consequently, digital signature has been defined as a transformation of a message using an asymmetric cryptosystem such
that a person having the signer’s message and the signer’s public key can accurately determine whether the transformation
was created using the private key that corresponds to the signer’s public key and whether the signed message has been
altered since the transformation was made.
2.3 The distinction between electronic and digital signatures has been at the core of international discussions on whether policies
should focus on electronic signatures or digital signatures. The question is still open, and this procedure applies both to
electronic signature and digital signature authentication techniques.
3.1 Verifying the security requirements for public-key security technology, involves a trusted third-party known as the certification
authority (CA). The CA distributes the electronic keys used to encrypt and decrypt user and server information and the
electronic certificates are used to authenticate users and servers.
The purpose of the above controls is to understand how the CA operates and for data and document collection. Specific topics are
covered by the following checklist:
4. EFFECTIVE DATE
4.1 This procedure is effective for all information systems audits beginning on or after 1 July 2002.
APPENDIX—GLOSSARY
Authentication—Determining that a person or computer system trying to access information is really the entity they say they are.
Certificate authority (CA)—A trusted third party that serves authentication infrastructures or organisations and registers entities
and issues them certificates.
Cross-certification—A certificate issued by one certification authority to a second certification authority so that users of the first
certification authority are able to obtain the public key of the second certification authority and verify the certificates it has
created. Often cross certification refers specifically to certificates issued to each other by two CAs at the same level in a
hierarchy.
Digital certificate—A certificate identifying a public key to its subscriber, corresponding to a private key held by that subscriber.
Electronic signature—Any technique designed to provide the electronic equivalent of a handwritten signature to demonstrate the
origin and integrity of specific data. Digital signatures are an example of electronic signatures.
Hash function—An algorithm that maps or translates one set of bits into another (generally smaller) so that: a message yields the
same result every time the algorithm is executed using the same message as input. It is computationally infeasible for a
message to be derived or reconstituted from the result produced by the algorithm. It is computationally infeasible to find two
different messages that produce the same hash result using the same algorithm.
Nonrepudiation—The assurance that a party cannot later deny originating data, that it is the provision of proof of the integrity and
origin of the data which can be verified by a third party. Nonrepudiation may be provided by a digital signature.
Private key—A mathematical key (kept secret by the holder) used to create digital signatures and, depending upon the algorithm, to
decrypt messages or files encrypted (for confidentiality) with the corresponding public key.
Public key—In an asymmetric cryptographic scheme, the key which may be widely published to enable the operation of the scheme.
Public key infrastructure—A system which authentically distributes users’ public keys using certificates.
Smart card—A hardware token that incorporates one or more integrated-circuit (IC) chips to implement cryptographic functions and
that possesses some inherent resistance to tampering.
Trust—Generally, the assumption that an entity will behave substantially as expected. Trust may apply only for a specific function. The
key role of this term in an authentication framework is to describe the relationship between an authenticating entity and a
certificate authority (CA). An authenticating entity must be certain that it can trust the CA to create only valid and reliable
certificates, and users of those certificates rely upon the authenticating entity’s determination of trust.
Legal Considerations
ABA-PKI Assessment Guidelines (currently only draft)
American Bar Association Digital Signature Guidelines, www.abanet.org/scitech/ec/isc/dsg.html
ANSI X9.79 and the AICPA/CICA WebTrust for Certification Authorities, www.cpawebtrust.org/CertAuth_fin.htm
ESSI – Final report of the ESSI Expert Team
EU Directive on the matter can be found at http://europa.eu.int/eur-lex/en/lif/dat/1999/en_399L0093.html
IETF PKIX
ITU X.509
McBride, Baker & Coles, Summary of Electronic Commerce and Digital Signature Legislation, www.mbc.com/ds_sum.html
PKI assessment guidelines of the American Bar Association. Available at www.abanet.org/scitech/ec/isc
Software Industry Issues: Digital Signatures, www.SoftwareIndustry.org/issues/1digsig.html#s1
Applications
Entrust ISVs, www.entrust.com/ click on search and type ISV.
Netscape home page, www.netscape.com.
NIST Special Publication 800-2, Public Key Cryptography.
NIST: Public key infrastructure program (as of July 1998), http://csrc.nist.gov/pki/.
OMG home page, www.omg.org.
S/MIME Editor. S/MIME message specification PKCS security services for MIME.
Copyright 2002
Information Systems Audit and Control Association
3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008 USA
Telephone: +1.847.253.1545 Fax: +1.847.253.1443
E-mail: research@isaca.org
Web site: www.isaca.org