Trust Services - Principles and Criteria
Privacy Program (Go to www.cica.ca/privacy)
Availability
The system is available for operation and use as committed or agreed.
Service providers help their customers communicate and conduct business over the Internet through a number
of services.
Some provide customers with a pipeline to the Internet. Some provide online processing and other applications
for use by their customers. And some act as a data center processing operation for customers' businesses.
These services are vital to a customer's business and livelihood. It is critical that a customer's access to
the data center, network and/or Internet backbone is available as advertised or promised by the service
provider in its service-level agreement. If the service is unavailable for a significant period of time,
customers may likewise suffer temporary loss of revenue, impaired cash flow, and/or diminished public image.
By complying with the Trust Services Availability principle, a service provider or other entity can
demonstrate its ability to meet critical needs of business customers. To avoid risks and ensure the
reliability of your service provider, insist that your service provider meet the Trust Services Availability
principle and criteria.
Security
The system is protected against unauthorized access (both physical and logical).
Information you share with a web site can be misused or stolen. It can be intercepted and opened during
transmission over the Internet or hacked into while it is stored on the other party's computer systems. Just
recently, the media has reported that the theft of credit cards is on the rise. While the financial risk is low,
the inconvenience can be significant and your sense of well-being compromised. From a business-to-business
standpoint, the risks are very high. Suppose another company finds out your bank account number? Or
a corporate spy learns that you use different pricing scales for business partners and threatens to reveal
that information? The Trust Services Security Principle addresses these concerns by ensuring that
businesses maintain secure sites for e-Commerce. Licensed auditors may provide either a WebTrust or
SysTrust seal to clients that can be displayed on the client's web site.
Processing Integrity
System processing is complete, accurate, timely, and authorized.
Have you ever wondered about how a web site handles customer complaints? Or whether you'll receive your
merchandise in time? Unfortunately, on the Internet, every site looks inviting. Behind the scenes, who knows?
Business transactions sent electronically to another party are susceptible to loss, duplicate
processing, or the corruption of information associated with the transaction. For example, if an electronic
order is sent through the Internet from one company to another, without appropriate transaction integrity
controls, the buyer may not receive the goods ordered, or receive more of the goods than originally
requested, or receive the wrong goods altogether. However, if appropriate business practices are
followed and processing integrity controls exist and are operational within the system, the buyer can be
reasonably assured that the correct goods, in the correct quantity, at the correct price are received when
promised. Customers expect their business transactions to be processed completely and accurately.
Complete means your order is processed without exception and not processed more than once. Accurate means key
information doesn't get garbled later. A site that has met the standards for Processing Integrity
can be trusted. Licensed auditors may provide either a WebTrust or SysTrust seal to clients that can be
displayed on the client's web site.
Confidentiality
Confidentiality is similar to privacy except that privacy includes only personally identifiable information.
Confidentiality refers to the information held by an organization that it needs to protect securely, for
example, sensitive corporate information, competitive information, etc. Users want to be assured that any
information that they provide for processing or storage is protected and only accessible to authorized
users.
WebTrust for Certification Authorities (CAs) Engagements & WebTrust for Extended Validation Certificates
Certification Authorities are an increasingly important component of electronic commerce. Anyone selecting a
CA should seek independent verification that the following key areas have been examined:
CA Business Practices Disclosure
Security and privacy policies and practices are important matters, especially to the customer of a CA. Thus,
the WebTrust Business Practices Disclosure Principle requires that the CA disclose its key and certificate
life cycle management business and information privacy practices. Information regarding the CA's business
practices should be made available to all subscribers and all potential relying parties, typically by posting
on its Web site. Such disclosure may be contained in a Certificate Policy (CP) and/or Certification Practice
Statement (CPS), or other informative materials that are available to users (subscribers and relying
parties).
Service Integrity
Effective key management controls and practices are essential to the trustworthiness of the public key
infrastructure. Cryptographic key management controls and practices cover CA key generation, CA key storage,
backup and recovery, CA public key distribution, CA key escrow (optional), CA key usage, CA key destruction,
CA key archival, the management of CA cryptographic hardware through its life cycle, and CA-provided
subscriber key management services (optional). Strong key life cycle management controls are vital to guard
against key compromise, which can damage the integrity of the public key infrastructure.
CA Environmental Controls
The establishment and maintenance of a trustworthy CA environment is essential to the reliability of the CA's
business processes. Without effective CA environmental controls, strong key and certificate life cycle
management controls are severely diminished in value.
CA environmental controls include CPS and CP management, security policy management, security management,
asset classification and management, personnel security, physical and environmental security of the CA
facility, operations management, system access management, systems development and maintenance, business
continuity management, monitoring and compliance, and event journaling.
WebTrust for Extended Validation Certificates
(see also www.cabforum.org)
The Guidelines for Extended Validation Certificates have been developed by the CA/Browser Forum (CAB Forum),
a voluntary organization of leading certificate authorities and Internet Browser software vendors. These
guidelines establish requirements for a new type of Extended Validation (EV) certificate, including
standardized procedures for verifying and ensuring the identity of the certificate holder.
The WebTrust for Certification Authorities - Extended Validation criteria are what an auditor would use
to provide assurance on the extended validation certificate system. A prerequisite for this service is
the completion of a WebTrust for Certification Authorities engagement. Together they provide the basis for
practitioners to offer a complete trust-building service to this important sector of the Internet
community.