CA/Audit Statements: Difference between revisions

CA/Audit Statements (view source)

Revision as of 22:36, 23 March 2020

997 bytes added , 23 March 2020

Added clarification about specifying locations that were audited

Kathleen Wilson

Confirmed users, Administrators

5,526

edits

@@ Line 111: / Line 111: @@
 '''Minimum Expectations:''' <br />
 Situations will be considered and treated on a case by case basis.
-* Both ETSI and WebTrust Audits must:
+* Both ETSI and WebTrust Audits should:
-** Disclose each location that was included in the scope of the audit, as well as whether the inspection was physically carried out in person.
+** Disclose each ''CA Processing Location'' that was included in the scope of the audit, as well as whether the inspection was physically carried out in person.
+*** ''CA Processing Location'' as defined in the [https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/practitioner-qualification-and-guidance WebTrust Practitioner Guidance]: "city, state/province (if applicable), and country of all physical locations used in CA operations. This includes data center locations (primary and alternate sites), registration authority locations (for registration authority operations performed by the CA), and all other locations where general IT and business process controls that are relevant to CA operations are performed.
+*** If there are more than one CA Processing Locations in the same city, then use terminology to clarify the number of facilities in that city and whether or not all of them were audited. For example: "Facility 1 in City", "Facility 2 in City, Facility 3 in City" '''or''' "Primary Facility in City", "Secondary Facility in City", "Tertiary Facility in City".
 * ETSI Audits:
 ** [https://groups.google.com/d/msg/mozilla.dev.security.policy/4Q6WAgLAvDo/zMJu6HWkAQAJ Guidance provided in mozilla.dev.security.policy] included the following: