[cabf_netsec] NSR 2nd Wave - Auditor Feedback

Tim Crawford tcrawford at bdo.com
Thu Mar 29 06:45:24 MST 2018

We have reviewed the draft update to the 2nd wave of updates to the Network Security Requirements and offer our feedback for your consideration.

We noted a lack of definition on certain terms used in the document.  Terms such as certificate system, certificate management system, issuing system, etc., are used throughout these requirements.  When scoping an engagement, the auditor will typically discuss the environment with the CA using these definitions to determine which applications and devices fall into the category of the system. Once a list of applications and devices is established, the auditor will look at the requirements for each category.  For instance, a "Certificate System" requires an annual penetration test, quarterly vulnerability scans, account lockout requirements, etc.  The proposed version changes the definition from "Certificate System" to "Certificate Issuing System", but still uses the term "Certificate System" throughout the requirements with no definition presented in the document. To clarify the requirements and ensure the audit scope addresses the necessary requirements, the definitions for these terms should be included in the document.

We have also noted the Certificate System, Certificate Management System, and Issuing System often have significant overlap in the applications and devices that fall into these categories. Any additional guidance on perceived differences in these systems would be helpful to ensure consistency from auditor to auditor, and CA to CA. One other common point of discussion is the definition for "Security Support System." The definition indicates this category MAY include the vulnerability scanning function.  We interpret this as the environment may or may not include this function, BUT if the function is present it SHALL adhere to all the requirements of a Security Support System. This would commonly be an Intrusion Detection or Prevention System installed within the environment, but it could also be interpreted as the tools used by a third party vulnerability scanner or penetration tester. This could potentially expand the scope to the third party's tools, when that was not the intention of the definition.

We have attached an example audit template used to map applications and devices to system categories for your reference.

Any clarification that can be made to this document will help drive consistency in the audit process, as well as meet the intent of the Forum.

Thank you,
WebTrust Task Force

BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by guarantee, and forms part of the international BDO network of independent member firms.

BDO is the brand name for the BDO network and for each of the BDO Member Firms.


The contents of this email and any attachments to it may contain privileged and confidential information from BDO USA, LLP. This information is only for the viewing or use of the intended recipient. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of, or the taking of any action in reliance upon, the information contained in this e-mail, or any of the attachments to this e-mail, is strictly prohibited and that this e-mail and all of the attachments to this e-mail, if any, must be immediately returned to BDO USA, LLP or destroyed and, in either case, this e-mail and all attachments to this e-mail must be immediately deleted from your computer without making any copies hereof. If you have received this e-mail in error, please notify BDO USA, LLP by e-mail immediately.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/netsec/attachments/20180329/689a012b/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: NSR System Assignment.docx
Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Size: 18298 bytes
Desc: NSR System Assignment.docx
URL: <http://cabforum.org/pipermail/netsec/attachments/20180329/689a012b/attachment-0001.docx>
