Firmaprofesional: 2019 audit Finding #2 - 6.4 Facility, management, and operational controls
This case addresses an audit finding related to Firmaprofesional's management and operational controls. The audit found that auditors lacked sufficient access to review logs, a non-conformity noted prior to the eIDAS audit in March 2019. Firmaprofesional has since remediated this by creating an auditor role with read-only access to logs in its CA software, EJBCA. It is also implementing a centralized log management system using Elastic Stack to enhance security and compliance. The issue has been resolved, and the CA continues to issue certificates without impact from this finding.
- Non Conformity registered in JIRA and action plan established.
- Issue presented to steering committee; project initiated for centralized log management.
- Auditor role created in EJBCA.
- Audit role delivered to personnel.
- Remediation confirmed complete.