
The Information Systems Audit and Control Association & Foundation
www.isaca.org

eCommerce Security
Public Key Infrastructure
Symmetrical (Private) Key Encryption
AUDIT PROGRAM & INTERNAL CONTROL QUESTIONNAIRE
The Information Systems Audit and Control Association & Foundation
With more than 23,000 members in over 100 countries, the Information Systems Audit and Control Association® (ISACA™) is a
recognized global leader in IT governance, control and assurance. Founded in 1969, ISACA sponsors international conferences,
administers the globally respected CISA® (Certified Information Systems Auditor™) designation earned by more than 25,000
professionals worldwide, and develops globally applicable information systems (IS) auditing and control standards. An affiliated
foundation undertakes the leading-edge research in support of the profession. The IT Governance Institute, established by the
association and foundation in 1998, is designed to be a "think tank" offering presentations at both ISACA and non-ISACA
conferences, publications and electronic resources for greater understanding of the roles and relationship between IT and enterprise
governance.

Purpose of These Audit Programs and Internal Control Questionnaires

One of the goals of ISACA’s Education Board is to ensure that educational products developed by ISACA support member and
industry information needs. Responding to member requests for useful audit programs, the Education Board has recently released
audit programs and internal control questionnaires on various topics for member use through the member-only web site and K-NET.
These products are intended to provide a basis for audit work.
E-business audit programs and internal control questionnaires were developed from material recently released in ISACA’s e-
Commerce Security Technical Reference Series. These technical reference guides were developed by Deloitte & Touche and ISACA’s
Research Board and are recommended for use with these audit programs and internal control questionnaires.
Audit programs and internal questionnaires on other subjects were developed by ISACA volunteers and reviewed and edited by the
Education Board. The Education Board cautions users not to consider these audit programs and internal control questionnaires to be
all-inclusive or applicable to all organizations. They should be used as a starting point to build upon based on an organization’s
constraints, policies, practices and operational environment.

Control Objectives for Information and related Technology (COBIT®)

COBIT has been developed as a generally applicable and accepted standard for good Information Technology (IT) security and control
practices that provides a reference framework for management, users, and IS audit, control and security practitioners.
This program has been developed and reviewed using COBIT Third Edition as a model. Audit objectives and steps are included.

Disclaimer
The topics developed for these Audit Programs and Internal Control Questionnaires have been prepared for the
professional development of ISACA members and others in the IS Audit and Control community. Although we
trust that they will be useful for that purpose, ISACA cannot warrant that the use of this material would be
adequate to discharge the legal or professional liability of members in the conduct of their practices.

September 2001

Audit Program
Public Key Infrastructure—Technical Reference Guide
Symmetrical (Private) Key Encryption

Introduction

This document is offered as a supplement to the e-commerce technical reference guide:
E-commerce—Public Key Infrastructure (Good Practices for Secure Communications).

One of the primary building blocks for security in e-commerce is cryptography, the
theoretical basis for encryption. A given cryptographic technique may be based on either
private (symmetric) keys or public/secret key pairs. Public key infrastructure (PKI) rests
atop encryption and in turn supports e-commerce. Cryptography provides security and
protection of data on public networks; PKI provides trust. The encryption needed for
secure communications among a small number of endpoints or nodes is different from
that needed for communication among a large number of unknown, anonymous nodes.
This program specifically addresses the small group of endpoints and the management
of the processes for control over private key (symmetrical) encryption.

Audit Objectives

Referenced Control Objectives for Information and related Technology (COBIT) Control
Objectives (If a sub-objective is listed, special emphasis should be placed on it. All
sub-objectives within each referenced objective should be considered and related
procedures performed where applicable.)

Within both the audit program and the internal control questionnaire, the primary COBIT
control objectives have been listed for reference purposes.

PO2 – Define the Information Architecture
  PO2.3 – Data Classification Scheme
  PO2.4 – Security Levels
PO3 – Determine Technological Direction
  PO3.5 – Technology Standards
PO4 – Define the Information Technology Organization and Relationships
PO6 – Communicate Management Aims and Directions
  PO6.8 – Security and Internal Control Framework Policy
PO8 – Ensure Compliance with External Requirements
PO9 – Assess Risks
AI1 – Identify Automated Solutions
AI3 – Acquire and Maintain Technology Infrastructure
  AI3.3 – System Software Security
  AI3.6 – System Software Change Controls
DS5 – Ensure Systems Security
  DS5.1 – Manage Security Measures
  DS5.8 – Data Classification
  DS5.16 – Trusted Path
  DS5.21 – Protection of Electronic Value
DS11 – Manage Data
  DS11.17 – Protection of Sensitive Information During Transmission and Transport
  DS11.27 – Protection of Sensitive Messages
  DS11.29 – Electronic Transaction Integrity
M1 – Monitor the Process

Functional Objectives

1. Assure that proper administration and applicable infrastructure controls exist around the
selection, implementation, maintenance and usage of private key encryption.
2. Key management, including generation, maintenance, distribution and expiration, is
appropriately controlled.
3. Evaluation of the selection of private key alternative methods takes into consideration
the organizational position on the need for security as it relates to the assets (data and/or
information), as well as cost benefit.

Worksheet columns: Audit Step | Completed By/Date | Auto. Tool | COBIT Reference | Test Results, Remarks, W/P Ref.
(The COBIT reference for each step is given in brackets below; the remaining columns are blank fields for the auditor to complete.)

A. Prior Audit/Examination Report Follow-Up

- Review the prior report and verify completion of any agreed-upon corrections. Note remaining deficiencies. [M1]

B. Preliminary Audit Steps

- Obtain: [PO2, PO3, PO6, PO8]
  - Organization chart
  - Information architecture model for the organization
  - Data classification policy
  - Network infrastructure documentation
  - Inventory of systems, applications and operating systems impacting classified data
  - Specifications of encryption tool(s)
  - Understanding of external requirements (consider international encryption laws)
- Obtain or perform a risk assessment on the information need for encryption. [PO9]
- Obtain infrastructure software acquisition procedures. [AI1, AI3]
- Obtain the maintenance history of all encryption tools in use. [AI3]

C. Detailed Audit Steps

Planning

- Identify the security responsibilities within the organization. Determine the level of involvement of the security staff in the encryption processes. [PO4]
- Review the data requirements for encryption for the e-commerce environment. [PO2, DS11]
- Review the regulatory requirements for encryption within the country, industry and organization and determine the level of compliance. [PO8]
- Determine the level of risk existing, considering the status of the encryption implementation. Identify acceptable risk and determine if any residual risk exceeds the acceptable level. [PO9]
- Review the decision process for selection of symmetrical (private key) usage. [AI3]
- Review the tool selection process relative to compatibility with existing technologies. [PO3]

Acquisition, Implementation, Maintenance of Encryption

- Review the acquisition process by which the encryption either has been or will be obtained, and determine its validity against the needs requirements. [AI3]
- Review the implementation procedures for encryption tools. [AI1]
- Determine the access controls over keys during the acquisition/development process. [DS5]
- Review the change control processes over infrastructure software (encryption tools). [AI3]
- Review the inventory of systems, applications and operating systems using (or to use) this encryption technique. [AI3]
- Assess the effectiveness of the encryption output's compliance with external regulations and organizational policies. [DS5]

Key Management

- Determine that access to keys is appropriate. [DS5]
- Review the processes by which keys are/will be disseminated, maintained and cancelled. [DS5]
- Review the key expiration process. [DS5]

Miscellaneous

- Review the controls around meta-data over keys, key management, encryption processes and related infrastructure resources. [DS5]

Internal Control Questionnaire
Symmetrical (Private) Key Encryption

Worksheet columns: Question No. | Question Description | COBIT Reference | Response (YES / NO / N/A)
(The COBIT reference for each question is given in brackets below; question numbers and responses are blank fields to be completed.)

General

- Have all items from prior audits been cleared? [M1, M2]
- Do business objectives clearly define the e-commerce requirements of the organization? [PO1]
- Is there an information architecture model that reflects current business needs? [PO3]
- Does the information architecture model support e-commerce data requirements? [PO2]
- Are sufficient policies in place and communicated to define data/information as an asset? [PO6]
- Either by policy or precedent, is information required to have the following characteristics: [PO1, PO11, DS11]
  - Efficiency?
  - Effectiveness?
  - Integrity?
  - Availability?
  - Confidentiality?
  - Compliance?
  - Reliability?
- Is there a risk measure performed on the organizational need for encryption? [PO9]
- Has a concept of acceptable risk been adopted? [PO9]
- Is there a compliance “watch” function? [M1]
- Does the current hardware infrastructure support the e-commerce plan? [PO3]
- Does the current software infrastructure support the e-commerce data requirements? [PO2]
- If the current infrastructure does not support the e-commerce plan, are there sufficient hardware and software planning initiatives that will provide the appropriate support to obtain the necessary tools and will not present unacceptable risk? [PO3]

Planning

- Is there an IT security function involved in security tool recommendations? [DS5]
- Are there detailed procedures for private key management? [DS1, DS5, DS13]
- Do they include: [DS5]
  - Generation?
  - Dissemination?
  - Implementation?
  - Expiration?
- Do the current or planned encryption tools work with the existing infrastructure? [DS5]

Acquisition, Implementation, Maintenance of Encryption

- Do current tools meet all requirements? [PO1, DS5]
- Do all systems that require encryption use it? [DS5]
- Do infrastructure programs (encryption) follow established change control procedures? [AI6, DS5]
- Are encryption practices compliant with all applicable regulatory entities? [PO8, DS5]

Key Management

- Are appropriate controls in place over encryption keys? [DS5]
