Pki Ecommerce


The Information Systems Audit and Control Association & Foundation
www.isaca.org

eCommerce Security
PKI, Digital Certificates in E-commerce

AUDIT PROGRAM
&
INTERNAL CONTROL QUESTIONNAIRE
The Information Systems Audit and Control Association & Foundation
With more than 23,000 members in over 100 countries, the Information Systems Audit and Control Association® (ISACA™) is a
recognized global leader in IT governance, control and assurance. Founded in 1969, ISACA sponsors international conferences,
administers the globally respected CISA® (Certified Information Systems Auditor™) designation earned by more than 25,000
professionals worldwide, and develops globally applicable information systems (IS) auditing and control standards. An affiliated
foundation undertakes the leading-edge research in support of the profession. The IT Governance Institute, established by the
association and foundation in 1998, is designed to be a "think tank" offering presentations at both ISACA and non-ISACA
conferences, publications and electronic resources for greater understanding of the roles and relationship between IT and enterprise
governance.

Purpose of These Audit Programs and Internal Control Questionnaires


One of the goals of ISACA’s Education Board is to ensure that educational products developed by ISACA support member and
industry information needs. Responding to member requests for useful audit programs, the Education Board has recently released
audit programs and internal control questionnaires on various topics for member use through the member-only web site and K-NET.
These products are intended to provide a basis for audit work.
E-business audit programs and internal control questionnaires were developed from material recently released in ISACA’s
e-Commerce Security Technical Reference Series. These technical reference guides were developed by Deloitte & Touche and
ISACA’s Research Board and are recommended for use with these audit programs and internal control questionnaires.
Audit programs and internal questionnaires on other subjects were developed by ISACA volunteers and reviewed and edited by the
Education Board. The Education Board cautions users not to consider these audit programs and internal control questionnaires to be
all-inclusive or applicable to all organizations. They should be used as a starting point to build upon based on an organization’s
constraints, policies, practices and operational environment.

Control Objectives for Information and related Technology (COBIT®)


COBIT has been developed as a generally applicable and accepted standard for good Information Technology (IT) security and control
practices that provides a reference framework for management, users, and IS audit, control and security practitioners.
This program has been developed and reviewed using COBIT Third Edition as a model. Audit objectives and steps are included.

Disclaimer
The topics developed for these Audit Programs and Internal Control Questionnaires have been prepared for the
professional development of ISACA members and others in the IS Audit and Control community. Although we
trust that they will be useful for that purpose, ISACA cannot warrant that the use of this material would be
adequate to discharge the legal or professional liability of members in the conduct of their practices.

September 2001
Audit Program
Public Key Infrastructure - Technical Reference Guide
PKI, Digital Certificates in E-commerce
Introduction
This document is offered as a supplement to the e-commerce technical reference guide:
E-commerce—Public Key Infrastructure (Good Practices for Secure Communications).

One of the primary building blocks for security in e-commerce is cryptography, the
theoretical basis for encryption. A given cryptographic technique may be based on either
private keys or public/secret key pairs. Public key infrastructure (PKI) rests atop
encryption and in turn supports e-commerce. Asymmetric (public key) cryptographic
systems have key pairs that are uniquely associated with individuals; therefore these
key pairs are used as identifiers in authentication. Security implies protection:
safeguards to ensure that data in transit are not tampered with or disclosed before
delivery to the intended recipient. The intended recipient is known by possession of the
corresponding secret key, which allows him or her to decrypt the transmission. A PKI
gives the sender of a message confidence that the person receiving it, the person holding
the secret key, is who he or she says he or she is. The usage of a PKI certificate
authority (CA) can be internal or external. This program assumes that the usage of the CA
is an internal activity. If using an external CA, the steps can be applied from a
third-party perspective and reviewed accordingly. An external CA requires the addition of
the typical activities that would be reviewed in a third-party agreement.

Audit Objectives

Referenced COBIT Control Objectives (If there is a sub-objective listed, it means that
special emphasis should be noted. All sub-objectives within each referenced objective
should be considered and related procedures performed where applicable.)

Within both the audit program and the internal control questionnaire, the primary COBIT
control objectives have been listed for reference purposes.

PO2 – Define the Information Architecture
  PO2.1 – Information Architecture Model
  PO2.3 – Data Classification Scheme
  PO2.4 – Security Levels
PO3 – Determine Technological Direction
  PO3.5 – Technology Standards
PO4 – Define the IT Organization and Relationships
PO6 – Communicate Management Aims and Directions
  PO6.8 – Security and Internal Control Framework Policy
PO8 – Ensure Compliance with External Requirements
PO9 – Assess Risks
AI1 – Identify Automated Solutions
AI3 – Acquire and Maintain Technology Infrastructure
  AI3.3 – System Software Security
  AI3.6 – System Software Change Controls
DS5 – Ensure Systems Security
  DS5.1 – Manage Security Measures
  DS5.8 – Data Classification
  DS5.16 – Trusted Path
  DS5.21 – Protection of Electronic Value
DS11 – Manage Data
  DS11.17 – Protection of Sensitive Information During Transmission and Transport
  DS11.27 – Protection of Sensitive Messages
  DS11.28 – Authentication and Integrity
  DS11.29 – Electronic Transaction Integrity
M1 – Monitor the Process

Functional Objectives

1. Infrastructure supporting the PKI and encryption technologies has adequate internal controls.
2. Certificate authority activity is appropriate and effective to support the business efforts.
3. Business transactions are safely completed between intended and authenticated recipients.

Audit Step | Completed By/Date | Test Results, W/P Ref. | Remarks, Auto. Tool | COBIT Reference
(The Completed By/Date, Test Results/W/P Ref. and Remarks/Auto. Tool columns are left blank for
the auditor; the COBIT reference for each step is shown in parentheses after the step.)

A. Prior Audit/Examination Report Follow-Up

Review prior report and verify completion of any agreed-upon corrections. Note remaining
deficiencies. (M1)

B. Preliminary Audit Steps

Obtain: (PO2, PO3, PO6, PO8)
- Information architecture model for the organization
- Organization chart
- Data classification policy
- Network infrastructure documentation
- Inventory of systems, applications and operating systems impacting classified data and
  the need for PKI
- Specifications of authentication and encryption requirements
- Understanding of external requirements
- Understanding of authentication requirements
- Applicable certification policy
- Applicable certification practices statement
- Applicable registration authority information

Obtain or perform risk assessment on information needed for authentication. Consider future
e-business requirements. (PO9)

Obtain infrastructure software acquisition procedures. (AI1, AI3)

C. Detailed Audit Steps

Planning

Identify the security responsibilities within the organization. Determine the level of
involvement in the encryption processes by the security staff. (PO4)

Review the data requirements for authentication for the e-commerce environment. (PO2, DS11)

Review the regulatory requirements for encryption and authentication within the country,
industry and organization. Determine level of compliance. (PO8)

Determine level of risk existing considering the level of encryption and authentication
processes and implementation status. Identify acceptable risk and determine if any residual
risk exceeds the acceptable level. (PO9)

Review the decision process for selection of PKI usage (public key). (AI3)

Review the tools selection process relative to compatibility with existing technologies. (PO3)

Review the certificate policy (CP). Does it include a statement of: (PO2)
- Organizational business objectives?
- Value placed on information?
- Responsibilities of issuer in protecting the certificate and the data to which it allows
  access?
- Usage for PKI (encryption, secure authentication or electronic signature)?

Review the certificate practices statement (CPS). Does it include: (PO1, PO2)
- Legal responsibilities?
- Financial responsibilities?
- CA’s responsibilities?
- Intermediate CA’s responsibilities (if hierarchy exists)?
- End-user responsibilities?
- Outside parties’ responsibilities and consequences for failure to comply?
- Definition of proper usage of issued certificates?

Compare the CPS to the certificate policy. Assure all elements of the CP are included
appropriately. (PO2)

For any registration authority used, compare registration information (its CPS) to the CP to
assure compliance. (PO2)

Review all certificates and note the levels, and review for appropriate requirements of
revocation and expiration. (PO2)

Supporting Infrastructure

Review the inventory of systems, applications and operating systems using (or to use) PKI. (AI3)

Review the network environment for adequate internal controls. (AI3)

Review controls around all systems administration functions. (AI3, DS5)

If directory services are used for security profiling, review the profiles against authorizing
documentation, and compare access capabilities to need. (DS5)

Review the acquisition process by which the PKI either has been or will be obtained, and
determine validity to needs requirements. (AI3)

Review the implementation procedures for PKI. (AI1)

Determine access controls over asymmetric encryption keys during the acquisition/development
process. (DS5)

Review the change control processes over infrastructure software and identify impacts to PKI
usage. (AI3)

Assess effectiveness of the PKI output compliance to external regulations and organizational
policies. (DS5)

Certificate Activity

Review the key generation process and determine: (AI3)
- Sufficient capability exists
- It is done in a secure environment
- Responsibilities during the process
- Storage of data about the keys is proper
- Keys are stored properly
- Keys are made into parts, and the same processes apply for all parts

Determine proper information is used for registration by taking a sample of certificates and
tracing the information back to registration data. (DS5)

Review distribution processes over certificates to assure only the recipient and intended user
accesses it. (DS11)

Review usage and determine: (DS11)
- Who retains the keys
- How the keys are to be used
- Limitation of validity periods for keys and certificates
- How keys and certificates are to be revoked
- Who is responsible for remedies for failure or compromise of cryptography

Compare to certificate practice statement (CPS); assess completeness of CPS and compliance to
CPS.

Review the revocation process and test for compliance. (DS11)

Review the expiration process and test for compliance. (DS11)
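The revocation and expiration steps above, together with the planning step that reviews validity periods and permitted usage against the certificate policy, can be tested in bulk against an exported certificate inventory. The following is an added example, not part of the ISACA program: it assumes a constructed inventory export and hypothetical CP limits per certificate class, and flags the expiration, revocation and usage conditions the steps ask the auditor to check.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical CP limits per certificate class (an assumption, not taken from the program):
# the longest validity period allowed and the key usages the CP permits for that class.
CP_LIMITS = {
    "employee": {"max_days": 365, "usages": {"authentication", "signature"}},
    "server": {"max_days": 398, "usages": {"authentication", "encryption"}},
}

# Constructed sample inventory export (not real certificates), one record per certificate.
INVENTORY = [
    {"serial": "01", "class": "employee", "not_before": "2001-01-01", "not_after": "2001-12-31",
     "usages": ["authentication"], "crl_dp": "http://crl.example.invalid/emp.crl"},
    {"serial": "02", "class": "employee", "not_before": "2001-01-01", "not_after": "2003-12-31",
     "usages": ["authentication"], "crl_dp": "http://crl.example.invalid/emp.crl"},
    {"serial": "03", "class": "server", "not_before": "2001-03-01", "not_after": "2002-03-01",
     "usages": ["authentication", "signature"], "crl_dp": ""},
]

def parse_date(text):
    """Parse a YYYY-MM-DD inventory date as a UTC timestamp."""
    return datetime.strptime(text, "%Y-%m-%d").replace(tzinfo=timezone.utc)

def check_certificate(cert, now, warn_days=30):
    """Return the audit findings for one record; an empty list means it passed every check."""
    limits = CP_LIMITS.get(cert["class"])
    if limits is None:  # a class the CP never defined cannot be assessed against it
        return ["class not defined in CP"]
    findings = []
    not_before, not_after = parse_date(cert["not_before"]), parse_date(cert["not_after"])
    lifetime = (not_after - not_before).days
    if lifetime > limits["max_days"]:  # validity period longer than the CP allows
        findings.append(f"validity period {lifetime} days exceeds CP limit {limits['max_days']}")
    extra = set(cert["usages"]) - limits["usages"]
    if extra:  # certificate permits a usage the CP does not grant to this class
        findings.append("usage outside CP: " + ", ".join(sorted(extra)))
    if not cert["crl_dp"]:  # without a CRL distribution point, relying parties cannot check revocation
        findings.append("no revocation information")
    if not_after < now:
        findings.append("expired")
    elif not_after - now < timedelta(days=warn_days):
        findings.append(f"expires within {warn_days} days")
    return findings

def audit_inventory(as_of, inventory=INVENTORY):
    """Map each serial to its findings as of the given YYYY-MM-DD audit date."""
    return {cert["serial"]: check_certificate(cert, parse_date(as_of)) for cert in inventory}

if __name__ == "__main__":
    print(audit_inventory("2002-01-15"))
```

A real engagement would populate INVENTORY from the CA's own export and take CP_LIMITS from the organization's certificate policy; a serial with an empty findings list passed every check.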

Assess effectiveness of the PKI output compliance to external regulations and organizational
policies. (DS5, M1)

Review control around meta-data over PKI and certificates. (DS5, DS11)

Business Transactions

Assess effectiveness of the PKI output compliance to external regulations and organizational
policies. (DS5)

Internal Control Questionnaire
PKI, Digital Certificates in E-commerce

The usage of a PKI certificate authority (CA) can be internal or external. This program
assumes that the usage of CA is an internal activity. If using an external CA, the steps can be
applied from a third-party perspective and reviewed accordingly. An external CA requires the
addition of the typical activities that would be reviewed in a third-party agreement.

Question No. | Question Description | Response (YES / NO / N/A) | Primary COBIT Reference
(The Question No. and Response columns are left blank for the reviewer; the primary COBIT
reference for each question is shown in parentheses after the question.)

General (M1, M2)

Have all items from prior audits been cleared?

Do business objectives clearly define the organization’s e-commerce requirements? (PO1)

Is there an information architecture model that reflects current business needs and
objectives? (PO1)

Does the information architecture model support e-commerce data requirements? (PO2)

Are sufficient policies in place and communicated to define data/information as an asset? (PO6)

Either by policy or precedent, is information required to have the following characteristics:
(PO1, PO11, DS11)
- Efficiency?
- Effectiveness?
- Integrity?
- Availability?
- Confidentiality?
- Compliance?
- Reliability?

Has a concept of acceptable risk been adopted? (PO9)

Is there a risk measure performed regarding the need for public key infrastructure? (PO9)

Is there a compliance “watch” function? (M3, M4)

Does the current hardware infrastructure support the e-commerce plan? (PO3)

Does the current software infrastructure support the e-commerce data requirements? (PO2)

If the current infrastructure does not support the e-commerce plan, are there sufficient
hardware and software planning initiatives in place? Will these initiatives provide the
appropriate support to obtain the necessary tools and not present unacceptable risk? (PO3)

Is there an IT security function involved in security tool recommendations? (DS5)

Are there detailed procedures for public key management? (DS5)

Do the detailed procedures for public key management include: (DS5)
- Generation?
- Dissemination?
- Implementation?
- Expiration?

Do the current or planned PKI tools work with existing infrastructure? (DS5, PO3)

Does the organization issue certificates of authority (CA) to both employees and external
entities? (DS5)

Are multiple classes of CAs manageable? (DS5)

Are all classes of CAs reflected in the certificate practice statement (CPS)? (DS5)

Is the CPS protected as sensitive information? (DS5)

Do current tools meet all organizational requirements? (PO1)

Do all systems that require encryption and authentication use it? (DS5)

Do infrastructure programs (encryption) follow established change control procedures? (AI6)

Are encryption practices compliant with all applicable regulatory entities? (PO8)

Does the organization have sufficient capability to generate keys? (DS13)

Does the key generation take place in a secure environment? (DS5)

Is the organization trusted to generate keys securely? (DS5)

Is the key generation process properly supervised and properly witnessed? (M1)

Are key generation records properly controlled? (DS11)

Once generated, are keys stored properly? (DS5)

Are keys cut into parts and are they properly controlled? (DS5)

Is information complete that is used in registration? (DS11)

Are all registration attempts maintained? (DS11)

Are certificates distributed properly? (DS11)