Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2021-02-15 Thread Jeff Ward via dev-security-policy
On Thursday, February 11, 2021 at 12:41:44 PM UTC-6, Ben Wilson wrote: > All, > > I've modified the proposed change to MRSP section 3.2 so that it would now > insert a middle paragraph that would read: > > "A Qualified Auditor MUST have relevant IT Security experience, or have > audited a

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2021-02-15 Thread Ryan Sleevi via dev-security-policy
Apologies for belaboring the point, but I think we might be talking past each other. You originally stated “The only place I am aware that lists the audit partner in a comparable world is the signing audit partner on public company audits in the US, which is available on the SEC website.” I gave

Re: Policy 2.7.1: MRSP Issue #207: Require audit statements to provide information about which CA Locations were audited

2021-02-15 Thread Ben Wilson via dev-security-policy
The current proposed draft of changes is at https://github.com/BenWilson-Mozilla/pkipolicy/commit/443b4c5d5155942a216322480f3a6a273ea2 Right now, I'm considering having subsection of MRSP section 3.1.4 say, "the CA locations that were or were not audited" - with a hyperlink to

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2021-02-15 Thread Jeff Ward via dev-security-policy
On Monday, February 15, 2021 at 1:57:11 PM UTC-6, Ryan Sleevi wrote: > On Mon, Feb 15, 2021 at 2:03 PM Jeff Ward via dev-security-policy < > dev-secur...@lists.mozilla.org> wrote: > > > I wanted to clarify a couple of points. Firms must be independent to do > > audit/assurance work. If

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2021-02-15 Thread Jeff Ward via dev-security-policy
On Monday, February 15, 2021 at 4:11:15 PM UTC-6, Ryan Sleevi wrote: > Apologies for belaboring the point, but I think we might be talking past > each other. > > You originally stated “The only place I am aware that lists the audit > partner in a comparable world is the signing audit partner on

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2021-02-15 Thread Ryan Sleevi via dev-security-policy
On Mon, Feb 15, 2021 at 2:03 PM Jeff Ward via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > I wanted to clarify a couple of points. Firms must be independent to do > audit/assurance work. If independence is impaired, for example, by one > person in the firm performing

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2021-02-15 Thread Ryan Sleevi via dev-security-policy
On Mon, Feb 15, 2021 at 6:07 PM Jeff Ward via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Ryan, I hope you are not suggesting I am dodging your points. That would > be absurd. Let me use different words as comparable world seems to be > tripping you up. I'm not trying

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2021-02-15 Thread Watson Ladd via dev-security-policy
On Monday, February 15, 2021 at 3:07:12 PM UTC-8, Jeff Ward wrote: > On Monday, February 15, 2021 at 4:11:15 PM UTC-6, Ryan Sleevi wrote: > > Apologies for belaboring the point, but I think we might be talking past > > each other. > > > > You originally stated “The only place I am aware that

Re: Policy 2.7.1: MRSP Issue #187: Require disclosure of incidents in Audit Reports

2021-02-15 Thread Jeff Ward via dev-security-policy
On Friday, February 12, 2021 at 10:27:11 AM UTC-6, Ben Wilson wrote: > I'm fine with that suggestion. > On Fri, Feb 12, 2021 at 5:06 AM malcol...--- via dev-security-policy < > dev-secur...@lists.mozilla.org> wrote: > > > On Thursday, 11 February 2021 at 21:14:13 UTC, Ben Wilson wrote: > > >