The Information Systems Audit and Control Association & Foundation
www.isaca.org

eCommerce Security
Public Key Infrastructure
Symmetrical (Private) Key Encryption

AUDIT PROGRAM & INTERNAL CONTROL QUESTIONNAIRE
The Information Systems Audit and Control Association & Foundation
With more than 23,000 members in over 100 countries, the Information Systems Audit and Control Association® (ISACA™) is a
recognized global leader in IT governance, control and assurance. Founded in 1969, ISACA sponsors international conferences,
administers the globally respected CISA® (Certified Information Systems Auditor™) designation earned by more than 25,000
professionals worldwide, and develops globally applicable information systems (IS) auditing and control standards. An affiliated
foundation undertakes the leading-edge research in support of the profession. The IT Governance Institute, established by the
association and foundation in 1998, is designed to be a "think tank" offering presentations at both ISACA and non-ISACA
conferences, publications and electronic resources for greater understanding of the roles and relationship between IT and enterprise
governance.
Purpose of These Audit Programs and Internal Control Questionnaires
One of the goals of ISACA’s Education Board is to ensure that educational products developed by ISACA support member and
industry information needs. Responding to member requests for useful audit programs, the Education Board has recently released
audit programs and internal control questionnaires on various topics for member use through the member-only web site and K-NET.
These products are intended to provide a basis for audit work.
E-business audit programs and internal control questionnaires were developed from material recently released in ISACA’s
e-Commerce Security Technical Reference Series. These technical reference guides were developed by Deloitte & Touche and ISACA’s
Research Board and are recommended for use with these audit programs and internal control questionnaires.
Audit programs and internal questionnaires on other subjects were developed by ISACA volunteers and reviewed and edited by the
Education Board. The Education Board cautions users not to consider these audit programs and internal control questionnaires to be
all-inclusive or applicable to all organizations. They should be used as a starting point to build upon based on an organization’s
constraints, policies, practices and operational environment.
Control Objectives for Information and related Technology (COBIT®)
COBIT has been developed as a generally applicable and accepted standard for good Information Technology (IT) security and control
practices that provides a reference framework for management, users, and IS audit, control and security practitioners.
This program has been developed and reviewed using COBIT Third Edition as a model. Audit objectives and steps are included.
Disclaimer
The topics developed for these Audit Programs and Internal Control Questionnaires have been prepared for the
professional development of ISACA members and others in the IS Audit and Control community. Although we
trust that they will be useful for that purpose, ISACA cannot warrant that the use of this material would be
adequate to discharge the legal or professional liability of members in the conduct of their practices.
                                                            September 2001
Audit Program
Public Key Infrastructure—Technical Reference Guide
Symmetrical (Private) Key Encryption
Introduction
This document is offered as a supplement to the e-commerce technical reference guide:
E-commerce—Public Key Infrastructure (Good Practices for Secure Communications).
One of the primary building blocks for security in e-commerce is cryptography, the
theoretical basis for encryption. A given cryptographic technique may be based on either
a single shared secret key (the private, or symmetrical, key this program addresses) or a
public/private key pair. Public key infrastructure (PKI) rests atop
encryption and in turn supports e-commerce. Cryptography is the provider of security
and protection of data in public networks and PKI provides trust. The encryption needed
for secure communications among a small number of endpoints or nodes is different from
that needed for communication among a large number of unknown, anonymous nodes.
This program specifically addresses the small group of endpoints and the management
around the processes for control over private key (symmetrical) encryption.
Audit Objectives
Referenced Control Objectives for Information and related Technology
(COBIT) Control Objectives (If there is a sub-objective listed, it means that special
emphasis should be noted. All sub-objectives within each referenced objective should be
considered and related procedures performed where applicable.)
Within both the audit program and the internal control questionnaire, the primary COBIT
control objectives have been listed for reference purposes.
PO2 – Define the Information Architecture
      PO2.3 – Data Classification Scheme
      PO2.4 – Security Levels
PO3 – Determine Technological Direction
      PO3.5 – Technology Standards
PO4 – Define the Information Technology Organization and Relationships
PO6 – Communicate Management Aims and Directions
      PO6.8 – Security and Internal Control Framework Policy
PO8 – Ensure Compliance with External Requirements
PO9 – Assess Risks
AI1 – Identify Automated Solutions
AI3 – Acquire and Maintain Technology Infrastructure
      AI3.3 – System Software Security
      AI3.6 – System Software Change Controls
DS5 – Ensure Systems Security
      DS5.1 – Manage Security Measures
      DS5.8 – Data Classification
      DS5.16 – Trusted Path
      DS5.21 – Protection of Electronic Value
DS11 – Manage Data
      DS11.17 – Protection of Sensitive Information During Transmission and Transport
      DS11.27 – Protection of Sensitive Messages
      DS11.29 – Electronic Transaction Integrity
M1 – Monitor the Process
Functional Objectives
1. Assure proper administration and applicable infrastructure controls exist around the
   selection, implementation, maintenance and usage of private key encryption.
2. Key management, including generation, maintenance, distribution and expiration, is
   appropriately controlled.
3. Evaluation of alternative private key methods takes into consideration the
   organization’s position on the need for security as it relates to the assets (data
   and/or information), as well as cost/benefit.
| Audit Step | Completed By/Date | Test Results, Remarks, W/P Ref. | Auto. Tool | COBIT Reference |
|---|---|---|---|---|
| A. Prior Audit/Examination Report Follow-Up | | | | |
| Review prior report and verify completion of any agreed-upon corrections. Note remaining deficiencies. | | | | M1 |
| B. Preliminary Audit Steps | | | | |
| Obtain: organization chart; information architecture model for the organization; data classification policy; network infrastructure documentation; inventory of operating systems, applications, and operating systems impacting classified data; specifications of encryption tool(s); understanding of external requirements (consider international encryption laws). | | | | PO2, PO3, PO6, PO8 |
| Obtain or perform risk assessment on the information need for encryption. | | | | PO9 |
| Obtain infrastructure software acquisition procedures. | | | | AI1, AI3 |
| Obtain maintenance history of all encryption tools in use. | | | | AI3 |
| C. Detailed Audit Steps | | | | |
| Planning | | | | |
| Identify the security responsibilities within the organization. Determine the level of involvement in the encryption processes by the security staff. | | | | PO4 |
| Review the data requirements for encryption for the e-commerce environment. | | | | PO2, DS11 |
| Review the regulatory requirements for encryption within the country, industry and organization and determine level of compliance. | | | | PO8 |
| Determine level of risk existing considering the level of encryption implementation status. Identify acceptable risk and determine if any residual risk exceeds the acceptable level. | | | | PO9 |
| Review the decision process for selection of symmetrical (private key) usage. | | | | AI3 |
| Review the tools selection process relative to compatibility with existing technologies. | | | | PO3 |
| Acquisition, Implementation, Maintenance of Encryption | | | | |
| Review the acquisition process by which the encryption either has been or will be obtained, and determine validity to needs requirements. | | | | AI3 |
| Review the implementation procedures for encryption tools. | | | | AI1 |
| Determine access controls over keys during the acquisition/development process. | | | | DS5 |
| Review the change control processes over infrastructure software (encryption tools). | | | | AI3 |
| Review the inventory of systems, applications and operating systems using (or to use) this encryption technique. | | | | AI3 |
| Assess effectiveness of the encryption output compliance to external regulations and organizational policies. | | | | DS5 |
| Key Management | | | | |
| Determine the access over keys is appropriate. | | | | DS5 |
| Review the processes by which keys are/will be disseminated, maintained and cancelled. | | | | DS5 |
| Review the key’s expiration process. | | | | DS5 |
| Miscellaneous | | | | |
| Review control around meta-data over keys, key management, encryption processes and related infrastructure resources. | | | | DS5 |
                                                                                           6
Internal Control Questionnaire
Symmetrical (Private) Key Encryption
| Question No. | Question Description | Response: YES | NO | N/A | COBIT Reference |
|---|---|---|---|---|---|
| | General | | | | |
| | Have all items from prior audits been cleared? | | | | M1, M2 |
| | Do business objectives clearly define e-commerce requirements of the organization? | | | | PO1 |
| | Is there an information architecture model that reflects current business needs? | | | | PO3 |
| | Does the information architecture model support e-commerce data requirements? | | | | PO2 |
| | Are sufficient policies in place and communicated to define data/information as an asset? | | | | PO6 |
| | Either by policy or precedent, is information required to have the following characteristics: efficiency, effectiveness, integrity, availability, confidentiality, compliance, reliability? | | | | PO1, PO11, DS11 |
| | Is there a risk measure performed on an organizational need for encryption? | | | | PO9 |
| | Has a concept of acceptable risk been adopted? | | | | PO9 |
| | Is there a compliance “watch” function? | | | | M1 |
| | Does the current hardware infrastructure support the e-commerce plan? | | | | PO3 |
| | Does the current software infrastructure support the e-commerce data requirements? | | | | PO2 |
| | If the current infrastructure does not support the e-commerce plan, are there sufficient hardware and software planning initiatives that will provide the appropriate support to obtain the necessary tools and will not present unacceptable risk? | | | | PO3 |
| | Planning | | | | |
| | Is there an IT security function involved in security tool recommendations? | | | | DS5 |
| | Are there detailed procedures for private key management? | | | | DS1, DS5, DS13 |
| | Do they include: generation, dissemination, implementation, expiration? | | | | DS5 |
| | Do the current or planned encryption tools work with existing infrastructure? | | | | DS5 |
| | Acquisition, Implementation, Maintenance of Encryption | | | | |
| | Do current tools meet all requirements? | | | | PO1, DS5 |
| | Do all systems that require encryption use it? | | | | DS5 |
| | Do infrastructure programs (encryption) follow established change control procedures? | | | | AI6, DS5 |
| | Are encryption practices compliant with all applicable regulatory entities? | | | | PO8, DS5 |
| | Key Management | | | | |
| | Are appropriate controls in place over encryption keys? | | | | DS5 |
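Added example, not part of the ISACA program: a small Python check that an auditor could run as the "Auto. Tool" for the Key Management steps of the audit program (access over keys, dissemination/cancellation, expiration, meta-data) and the questionnaire's generation/dissemination/expiration questions. The inventory export format, its field names, the sample records and the MAX_LIFETIME_DAYS policy value are all assumptions.

```python
"""Added example: check a symmetric key inventory export against the
Key Management steps (DS5). Field names and policy value are assumed."""
from datetime import date

MAX_LIFETIME_DAYS = 365  # assumed policy limit; take it from the org's key procedures

# Constructed sample export (fictitious ids and hosts, no key material).
# "authorized" = approved endpoints; "holders" = where the key was disseminated.
KEY_INVENTORY = [
    {"id": "k-001", "owner": "payments", "classification": "confidential",
     "created": "2001-01-15", "expires": "2001-07-15",
     "authorized": ["web01", "db01"], "holders": ["web01", "db01"]},
    {"id": "k-002", "owner": "", "classification": "confidential",
     "created": "2000-03-01", "expires": None,
     "authorized": ["app01", "app02"], "holders": ["app01", "app02", "laptop-x"]},
    {"id": "k-003", "owner": "hr", "classification": "",
     "created": "2001-05-01", "expires": "2002-05-01",
     "authorized": ["hr01"], "holders": ["hr01"]},
]

def audit_key(rec, today):
    """Return the findings for one key record as of `today` (a date)."""
    findings = []
    created = date.fromisoformat(rec["created"])
    if rec["expires"] is None:            # expiration process not applied
        findings.append("no expiration date set")
    else:
        expires = date.fromisoformat(rec["expires"])
        if expires <= today:              # cancellation step not executed
            findings.append("expired key still in inventory")
        if (expires - created).days > MAX_LIFETIME_DAYS:
            findings.append("lifetime exceeds policy maximum")
    # Dissemination: every holder must be an authorized endpoint.
    extra = sorted(set(rec["holders"]) - set(rec["authorized"]))
    if extra:
        findings.append("held by unauthorized endpoints: " + ", ".join(extra))
    # Meta-data over keys: accountable owner and data classification (PO2.3).
    if not rec["owner"]:
        findings.append("no accountable owner recorded")
    if not rec["classification"]:
        findings.append("no data classification recorded")
    return findings

def audit_inventory(inventory, today_iso):
    """Map each key id to its findings; an empty list means no exception."""
    today = date.fromisoformat(today_iso)
    return {rec["id"]: audit_key(rec, today) for rec in inventory}

if __name__ == "__main__":
    for key_id, findings in audit_inventory(KEY_INVENTORY, "2001-09-01").items():
        print(key_id, "OK" if not findings else "; ".join(findings))
```

Each non-empty finding list is a candidate entry for the "Test Results, Remarks" column of the corresponding audit step.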