Closed Bug 1649724 Opened 4 years ago Closed 4 years ago

Firmaprofesional: 2020 Audit Report Finding 3 out of 4

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: mprieto, Assigned: mprieto)

Details

(Whiteboard: [ca-compliance] [audit-finding])

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36

Steps to reproduce:

Annual audit

Actual results:

Findings were found

Expected results:

An unqualified audit report

#3 While frequent reviews of firewall rules are performed, we could not evidence adequate documentation of such reviews and results.

1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.
In the last eIDAS audit carried out in March 2020.

2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.
On 2020-04-14 13:59, this non-conformity was registered in our JIRA (ticketing system) and an action plan was established.
On 2020-06-16, the audit trail in the firewalls was enabled.
In 2020-06, the Firewalls Configuration Policy will be written.
In 2020-06, firewall logs will be centralized in the new log management tool.

3. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.
It does not apply.

4. A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.
It does not apply.

5. The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.
It does not apply.

6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
In our vision this did not represent a non-conformity, but, keeping in mind the high degree of compliance by Firmaprofesional, eIDAS auditors are increasingly demanding in the review of security controls, in matters such as the generation of audit evidence and documentation, which always represents an opportunity for improvement.

7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.
Write the Firewalls Configuration Policy (2020-07)
Enable the audit trail in the firewalls: active since 2020-06-16
Centralize the firewall logs in the new log management tool (2020-07)

Assignee: bwilson → mprieto
Status: UNCONFIRMED → ASSIGNED
Type: enhancement → task
Ever confirmed: true
Whiteboard: [ca-compliance]

In our vision this did not represent a non-conformity,

Why?

Flags: needinfo?(mprieto)
  • In our vision this did not represent a non-conformity,

Why?

There are always ways to improve or modify the collection of evidence based on the different types of auditors, and audits help in perfecting these processes.

Flags: needinfo?(mprieto)

Dear Ryan,
We also want to add the following information:

  • Auditing functionalities have been enabled in the firewalls
  • A Firewall Configuration Policy has been drafted
  • A new log centralization tool (Elasticsearch) has been launched and firewall logs have been redirected to this new tool

(In reply to Maria Jose Prieto from comment #3)

  • In our vision this did not represent a non-conformity,

Why?

There are always ways to improve or modify the collection of evidence based on the different types of auditors, and audits help in perfecting these processes.

This doesn't explain why it doesn't represent a non-conformity, and thus doesn't really answer the question.

The expectation, for all CAs, is to maintain sufficient evidence that demonstrates you adhere to the rules and expectations, to facilitate an independent audit. Not maintaining a paper trail of performing the tasks is, to both auditors and the relying party, indistinguishable from not having performed that task at all. If anything, it raises questions about the previous auditor and the controls that were demonstrated, rather than seen as an opportunity for improvement.

If I'm misunderstanding this issue, this is the time to clarify, because I fail to see how this "answer" helps build a better understanding, especially given the baseline expectations.

Flags: needinfo?(mprieto)

From the very moment that this issue appears in an audit report, it is a non-conformity. This is clear.

This is one of the findings during the audit process that we defended as an observation or improvement opportunity, since the real work is done and, for sure, we failed to evidence this to the auditors.

We agree that it would be worrying if we state "In our vision this did not represent a non-conformity" and do nothing, but we did.

We have implemented the measures to provide the required evidence next time. See c#4.

I am inclined to close this audit finding as remediated. I'll schedule this for closure on or about 17-Sept-2020 provided there are no additional questions or issues to be raised.

Flags: needinfo?(bwilson)
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Flags: needinfo?(mprieto)
Flags: needinfo?(bwilson)
Resolution: --- → FIXED
Product: NSS → CA Program
Whiteboard: [ca-compliance] → [ca-compliance] [audit-finding]