The Information Systems Audit and
Control Association & Foundation
www.isaca.org
eCommerce Security
PKI, Digital Certificates in E-commerce
AUDIT PROGRAM
&
INTERNAL CONTROL QUESTIONNAIRE
The Information Systems Audit and Control Association & Foundation
With more than 23,000 members in over 100 countries, the Information Systems Audit and Control Association® (ISACA™) is a
recognized global leader in IT governance, control and assurance. Founded in 1969, ISACA sponsors international conferences,
administers the globally respected CISA® (Certified Information Systems Auditor™) designation earned by more than 25,000
professionals worldwide, and develops globally applicable information systems (IS) auditing and control standards. An affiliated
foundation undertakes the leading-edge research in support of the profession. The IT Governance Institute, established by the
association and foundation in 1998, is designed to be a "think tank" offering presentations at both ISACA and non-ISACA
conferences, publications and electronic resources for greater understanding of the roles and relationship between IT and enterprise
governance.
Purpose of These Audit Programs and Internal Control Questionnaires
One of the goals of ISACA’s Education Board is to ensure that educational products developed by ISACA support member and
industry information needs. Responding to member requests for useful audit programs, the Education Board has recently released
audit programs and internal control questionnaires on various topics for member use through the member-only web site and K-NET.
These products are intended to provide a basis for audit work.
E-business audit programs and internal control questionnaires were developed from material recently released in ISACA’s e-Commerce Security Technical Reference Series. These technical reference guides were developed by Deloitte & Touche and ISACA’s Research Board and are recommended for use with these audit programs and internal control questionnaires.
Audit programs and internal questionnaires on other subjects were developed by ISACA volunteers and reviewed and edited by the
Education Board. The Education Board cautions users not to consider these audit programs and internal control questionnaires to be
all-inclusive or applicable to all organizations. They should be used as a starting point to build upon based on an organization’s
constraints, policies, practices and operational environment.
Control Objectives for Information and related Technology (COBIT®)
COBIT has been developed as a generally applicable and accepted standard for good Information Technology (IT) security and control
practices that provides a reference framework for management, users, and IS audit, control and security practitioners.
This program has been developed and reviewed using COBIT Third Edition as a model. Audit objectives and steps are included.
Disclaimer
The topics developed for these Audit Programs and Internal Control Questionnaires have been prepared for the
professional development of ISACA members and others in the IS Audit and Control community. Although we
trust that they will be useful for that purpose, ISACA cannot warrant that the use of this material would be
adequate to discharge the legal or professional liability of members in the conduct of their practices.
September 2001
Audit Program
Public Key Infrastructure - Technical Reference Guide
PKI, Digital Certificates in E-commerce
Introduction
This document is offered as a supplement to the e-commerce technical reference guide E-commerce—Public Key Infrastructure (Good Practices for Secure Communications).

One of the primary building blocks for security in e-commerce is cryptography, the theoretical basis for encryption. A given cryptographic technique may be based on either private keys or public/secret key pairs. Public key infrastructure (PKI) rests atop encryption and in turn supports e-commerce. Asymmetric (public key) cryptographic systems have key pairs that are uniquely associated with individuals, so these key pairs can serve as identifiers in authentication. Security implies protection: safeguards ensuring that data in transit are neither tampered with nor disclosed before delivery to the intended recipient. The intended recipient is identified by possession of the corresponding secret key, which allows him or her to decrypt the transmission. A PKI gives the sender of a message confidence that the person receiving it, the holder of the secret key, is who he or she claims to be.

The PKI certificate authority (CA) can be internal or external. This program assumes that the CA is operated internally. If an external CA is used, the steps can be applied from a third-party perspective and reviewed accordingly; an external CA also requires the addition of the typical activities that would be reviewed in a third-party agreement.
Audit Objectives
Referenced COBIT Control Objectives (If a sub-objective is listed, it merits special emphasis. All sub-objectives within each referenced objective should be considered and related procedures performed where applicable.)
Within both the audit program and the internal control questionnaire, the primary COBIT control objectives have been listed for reference purposes.
PO2 – Define the Information Architecture
PO2.1 – Information Architecture Model
PO2.3 – Data Classification Scheme
PO2.4 – Security Levels
PO3 – Determine Technological Direction
PO3.5 – Technology Standards
PO4 – Define the IT Organization and Relationships
PO6 – Communicate Management Aims and Directions
PO6.8 – Security and Internal Control Framework Policy
PO8 – Ensure Compliance with External Requirements
PO9 – Assess Risks
AI1 – Identify Automated Solutions
AI3 – Acquire and Maintain Technology Infrastructure
AI3.3 – System Software Security
AI3.6 – System Software Change Controls
DS5 – Ensure Systems Security
DS5.1 – Manage Security Measures
DS5.8 – Data Classification
DS5.16 – Trusted Path
DS5.21 – Protection of Electronic Value
DS11 – Manage Data
DS11.17 – Protection of Sensitive Information During Transmission and Transport
DS11.27 – Protection of Sensitive Messages
DS11.28 – Authentication and Integrity
DS11.29 – Electronic Transaction Integrity
M1 – Monitor the Process
Functional Objectives
1. Infrastructure supporting the PKI and encryption technologies has adequate internal
controls.
2. Certificate authority activity is appropriate and effective to support the business
efforts.
3. Business transactions are safely completed between intended and authenticated
recipients.
Columns: Audit Step | Completed By/Date | Test Results, Remarks, W/P Ref. | Auto. Tool | COBIT Reference
(The Completed By/Date, Test Results and Auto. Tool columns are blank in the program, to be filled in by the auditor.)
A. Prior Audit/Examination Report Follow-Up
Review prior report and verify completion of any agreed-upon corrections. Note remaining deficiencies. [COBIT: M1]
B. Preliminary Audit Steps
Obtain: [COBIT: PO2, PO3, PO6, PO8]
- Information architecture model for the organization
- Organization chart
- Data classification policy
- Network infrastructure documentation
- Inventory of systems, applications and operating systems impacting classified data and need for PKI
- Specifications of authentication and encryption requirements
- Understanding of external requirements
- Understanding of authentication requirements
- Applicable certification policy
- Applicable certification practices statement
- Applicable registration authority information
Obtain or perform risk assessment on information needed for authentication. Consider future e-business requirements. [COBIT: PO9]
Obtain infrastructure software acquisition procedures. [COBIT: AI1, AI3]
C. Detailed Audit Steps
Planning
Identify the security responsibilities within the organization. Determine the level of involvement of the security staff in the encryption processes. [COBIT: PO4]
Review the data requirements for authentication for the e-commerce environment. [COBIT: PO2, DS11]
Review the regulatory requirements for encryption and authentication within the country, industry and organization. Determine level of compliance. [COBIT: PO8]
Determine the level of risk existing, considering the level of encryption and authentication processes and implementation status. Identify acceptable risk and determine if any residual risk exceeds the acceptable level. [COBIT: PO9]
Review the decision process for selection of PKI usage (public key). [COBIT: AI3]
Review the tools selection process relative to compatibility with existing technologies. [COBIT: PO3]
Review the certificate policy (CP). Does it include a statement of: [COBIT: PO2]
- Organizational business objectives?
- Value placed on information?
- Responsibilities of issuer in protecting the certificate and the data to which it allows access?
- Usage for PKI (encryption, secure authentication or electronic signature)?
Review the certificate practices statement (CPS). Does it include: [COBIT: PO1, PO2]
- Legal responsibilities?
- Financial responsibilities?
- CA’s responsibilities?
- Intermediate CA’s responsibilities (if hierarchy exists)?
- End-user responsibilities?
- Outside parties’ responsibilities and consequences for failure to comply?
- Definition of proper usage of issued certificates?
Compare the CPS to the certificate policy. Assure all elements of the CP are included appropriately. [COBIT: PO2]
For any registration authority used, compare registration information (its CPS) to the CP to assure compliance. [COBIT: PO2]
Review all certificates and note the levels; review for appropriate requirements of revocation and expiration. [COBIT: PO2]
Supporting Infrastructure
Review the inventory of systems, applications and operating systems using (or to use) PKI. [COBIT: AI3]
Review the network environment for adequate internal controls. [COBIT: AI3]
Review controls around all systems administration functions. [COBIT: AI3, DS5]
If directory services are used for security profiling, review the profiles against authorizing documentation, and compare access capabilities to need. [COBIT: DS5]
Review the acquisition process by which the PKI either has been or will be obtained, and determine its validity against needs and requirements. [COBIT: AI3]
Review the implementation procedures for PKI. [COBIT: AI1]
Determine access controls over asymmetric encryption keys during the acquisition/development process. [COBIT: DS5]
Review the change control processes over infrastructure software and identify impacts to PKI usage. [COBIT: AI3]
Assess the effectiveness of the PKI output’s compliance with external regulations and organizational policies. [COBIT: DS5]
Certificate Activity
Review the key generation process and determine: [COBIT: AI3]
- Sufficient capability exists
- It is done in a secure environment
- Responsibilities during the process
- Storage of data about the keys is proper
- Keys are stored properly
- Keys are made into parts, and the same processes apply for all parts
Determine that proper information is used for registration by taking a sample of certificates and tracing the information back to registration data. [COBIT: DS5]
Review distribution processes over certificates to assure only the recipient and intended user accesses them. [COBIT: DS11]
Review usage and determine: [COBIT: DS11]
- Who retains the keys
- How the keys are to be used
- Limitation of validity periods for keys and certificates
- How keys and certificates are to be revoked
- Who is responsible for remedies for failure or compromise of cryptography
Compare to the certificate practice statement (CPS); assess completeness of the CPS and compliance with the CPS.
Review the revocation process and test for compliance. [COBIT: DS11]
Review the expiration process and test for compliance. [COBIT: DS11]
Assess the effectiveness of the PKI output’s compliance with external regulations and organizational policies. [COBIT: DS5, M1]
Review controls around metadata over PKI and certificates. [COBIT: DS5, DS11]
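As an added example (not part of the ISACA program), the following Python checks a constructed certificate inventory against the validity-period, revocation and permitted-usage limits an auditor would take from the CP and CPS, serving both the "review all certificates ... revocation, expiration" step and the "review usage" step above; the certificate classes, serials, dates and CRL entries are hypothetical.

```python
from datetime import datetime, timedelta

# Hypothetical CP limits per certificate class: longest permitted validity and allowed usages.
CERT_POLICY = {
    "employee": {"max_validity": timedelta(days=365), "usages": {"authentication", "signature"}},
    "server": {"max_validity": timedelta(days=730), "usages": {"encryption", "authentication"}},
}

# Constructed sample data: serials on the CRL, the audit date, and the certificate inventory.
REVOKED = {"1003"}
NOW = datetime(2001, 9, 1)
CERTS = [
    {"serial": "1001", "subject": "alice", "class": "employee", "usages": {"authentication"},
     "not_before": datetime(2001, 1, 1), "not_after": datetime(2001, 12, 31)},
    {"serial": "1002", "subject": "shop.example", "class": "server",
     "usages": {"encryption", "authentication"},  # three-year validity: longer than the CP allows
     "not_before": datetime(2000, 1, 1), "not_after": datetime(2003, 1, 1)},
    {"serial": "1003", "subject": "bob", "class": "employee",
     "usages": {"authentication", "encryption"},  # revoked, expired, and encryption not permitted
     "not_before": datetime(2001, 1, 1), "not_after": datetime(2001, 6, 30)},
]

def audit_certificate(cert, policy, revoked, now):
    """Return the CP exceptions for one certificate (empty list means compliant)."""
    findings = []
    rule = policy.get(cert["class"])
    if rule is None:
        return [f"class {cert['class']!r} not defined in CP"]
    if cert["not_after"] <= cert["not_before"]:
        findings.append("validity period is empty or inverted")
    elif cert["not_after"] - cert["not_before"] > rule["max_validity"]:
        findings.append("validity period exceeds CP maximum")
    if cert["not_after"] < now:
        findings.append("expired but still in inventory")
    if cert["serial"] in revoked:
        findings.append("revoked (listed on CRL)")
    extra = cert["usages"] - rule["usages"]
    if extra:
        findings.append("usage not permitted by CP: " + ", ".join(sorted(extra)))
    return findings

def audit_inventory(certs, policy, revoked, now):
    """Map serial -> findings for every certificate that has at least one exception."""
    result = {}
    for cert in certs:
        findings = audit_certificate(cert, policy, revoked, now)
        if findings:
            result[cert["serial"]] = findings
    return result
```

Each finding maps to a working-paper exception; a certificate class missing from the CP is itself reported, since the program asks that all classes be reflected in the CP and CPS.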
Business Transactions
Assess the effectiveness of the PKI output’s compliance with external regulations and organizational policies. [COBIT: DS5]
Internal Control Questionnaire
PKI, Digital Certificates in E-commerce
The usage of a PKI certificate authority (CA) can be internal or external. This program assumes that the usage of CA is an internal activity. If using an external CA, the steps can be applied from a third-party perspective and reviewed accordingly. An external CA requires the addition of the typical activities that would be reviewed in a third-party agreement.
Columns: Question No. | Question Description | Response (YES / NO / N/A) | Primary COBIT Reference
General
Have all items from prior audits been cleared? [COBIT: M1, M2]
Do business objectives clearly define the organization’s e-commerce requirements? [COBIT: PO1]
Is there an information architecture model that reflects current business needs and objectives? [COBIT: PO1]
Does the information architecture model support e-commerce data requirements? [COBIT: PO2]
Are sufficient policies in place and communicated to define data/information as an asset? [COBIT: PO6]
Either by policy or precedent, is information required to have the following characteristics: [COBIT: PO1, PO11, DS11]
- Efficiency?
- Effectiveness?
- Integrity?
- Availability?
- Confidentiality?
- Compliance?
- Reliability?
Has a concept of acceptable risk been adopted? [COBIT: PO9]
Is there a risk measure performed regarding the need for public key infrastructure? [COBIT: PO9]
Is there a compliance “watch” function? [COBIT: M3, M4]
Does the current hardware infrastructure support the e-commerce plan? [COBIT: PO3]
Does the current software infrastructure support the e-commerce data requirements? [COBIT: PO2]
If the current infrastructure does not support the e-commerce plan, are there sufficient hardware and software planning initiatives in place? Will these initiatives provide the appropriate support to obtain the necessary tools and not present unacceptable risk? [COBIT: PO3]
Is there an IT security function involved in security tool recommendations? [COBIT: DS5]
Are there detailed procedures for public key management? [COBIT: DS5]
Do the detailed procedures for public key management include: [COBIT: DS5]
- Generation?
- Dissemination?
- Implementation?
- Expiration?
Do the current or planned PKI tools work with existing infrastructure? [COBIT: DS5, PO3]
Does the organization issue certificates of authority (CA) to both employees and external entities? [COBIT: DS5]
Are multiple classes of CAs manageable? [COBIT: DS5]
Are all classes of CAs reflected in the certificate practice statement (CPS)? [COBIT: DS5]
Is the CPS protected as sensitive information? [COBIT: DS5]
Do current tools meet all organizational requirements? [COBIT: PO1]
Do all systems that require encryption and authentication use it? [COBIT: DS5]
Do infrastructure programs (encryption) follow established change control procedures? [COBIT: AI6]
Are encryption practices compliant with all applicable regulatory entities? [COBIT: PO8]
Does the organization have sufficient capability to generate keys? [COBIT: DS13]
Does the key generation take place in a secure environment? [COBIT: DS5]
Is the organization trusted to generate keys securely? [COBIT: DS5]
Is the key generation process properly supervised and properly witnessed? [COBIT: M1]
Are key generation records properly controlled? [COBIT: DS11]
Once generated, are keys stored properly? [COBIT: DS5]
Are keys cut into parts, and are the parts properly controlled? [COBIT: DS5]
Is the information used in registration complete? [COBIT: DS11]
Are all registration attempts maintained? [COBIT: DS11]
Are certificates distributed properly? [COBIT: DS11]