On Monday, February 15, 2021 at 3:07:12 PM UTC-8, Jeff Ward wrote: > On Monday, February 15, 2021 at 4:11:15 PM UTC-6, Ryan Sleevi wrote: > > Apologies for belaboring the point, but I think we might be talking past > > eachother. > > > > You originally stated “The only place I am aware that lists the audit > > partner in a comparable world is the signing audit partner on public > > company audits in the US, which is available on the SEC website.” I gave > > two separate examples of such, and you responded to one (FPKI) by saying > > the report was not public (even when it is made available publicly), and > > the other I didn’t see a response to. > > > > This might feel like nit-picking, but I think this is a rather serious > > point to work through, because I don’t think you’re fully communicating > > what you judge to be a “comparable world”, as it appears you are dismissing > > these examples. > > > > I can think of several possible dimensions you might be thinking are > > relevant, but rather than assume, I’m hoping you can expand with a few > > simple questions. Some admittedly seem basic, but I don’t want to take > > anything for granted here. > > > > 1) Are you/the WTTF familiar with these audit schemes? > > > > 2) Are you aware of schemes that require disclosing the relevant skills and > > experience of the audit team to the client? (E.g. as done by BSI C5 audits > > under ISAE 3000) > > > > 3) Are you aware of such reports naming multiple parties for the use of the > > report (e.g. as done by FPKI audits) > > > > 4) Are you aware of schemes in which a supplier requires a vendor to be > > audited, and ensures that the customer of supplier are able to access such > > audits as part of their reliance upon supplier? (Note, this doesn’t have to > > be limited to ISMS systems) > > > > I’m trying to understand what, given the prevalence of these practices, > > makes these instances *not* a comparable world, since it seems that helps > > move closer to solutions. > Ryan, I hope you are not suggesting I am dodging you points. That would be > absurd. Let me use different words as comparable world seems to be tripping > you up. You are not providing a general/public distribution example to make > your point so it is baseless. You are using a restricted opinion from EY and > neither Ryan Sleevi nor Google are listed as the two intended users. The > closest I have seen to support your desire to name individual auditors is in > public company audit reports, which are housed on the SEC website. To be > clear, of your two examples, one is an opinion, which is restricted, and the > other represents the guidelines. Perhaps you have seen a public/general > distribution report from your second opinion as I do not see it in this > thread. I am aware, as mentioned previously, of the Federal PKI program > desiring to know more about team members, but that is not listed in a > non-restricted report, in a public/general distribution format.
I can click on the URL and read it. This seems to be the very definition of public, even if the audit report says it is not for reliance upon by the general public. I fully appreciate that this may be a technicality in the world of auditing, but it is very confusing to those of us who are less familiar. > Jeff _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
