“Digital Assurance: Certificate and Key Audit according to eIDAS, LSEC, and ETSI”

The audit of cloud certificate and key repositories is a critical component of the digital signing ecosystem, especially for organizations that perform remote document signing. By complying with regulations such as eIDAS and LSEC and with the ETSI standards, entities can ensure the validity and legality of their digital operations. This article explores the main standards and summarizes their key compliance controls from the perspective of the auditor who performs these audits.

eIDAS Regulation

The eIDAS (Electronic Identification, Authentication, and Trust Services) regulation is a European Union framework that sets a common ground for electronic trust services, including electronic signatures. This regulation promotes interoperability and security in electronic transactions across EU borders.

Key compliance controls under eIDAS:

  • Identity Authentication: Verify the signer’s identity through secure procedures compliant with eIDAS.
  • Data Protection: Ensure the protection of personal data according to the GDPR, closely linked with eIDAS.
  • Integrity and Confidentiality: Guarantee the integrity and confidentiality of certificates and keys through the use of secure cloud storage technologies.
  • Signature Validation: Operate validation processes that confirm the legality of the electronic signature.

LSEC Regulation

The Law of Electronic Trust Services (LSEC) is a specific regulation in certain countries that complements and, in some cases, expands eIDAS requirements for local service providers. LSEC focuses on the detailed regulation of electronic trust services, including the creation, verification, and validation of electronic signatures.

Key compliance controls under LSEC:

  • Certification and Accreditation: Service providers must be properly certified and accredited by national authorities.
  • Regular Audits: Conduct regular audits to ensure ongoing compliance with the regulation.
  • Activity Logging: Maintain detailed records of all operations performed with certificates and keys.

ETSI Standards

ETSI (European Telecommunications Standards Institute) standards provide detailed technical specifications to implement electronic trust services compliant with eIDAS. These standards cover various aspects, from hardware security to operational procedures.

Key compliance controls under ETSI standards:

  • Physical and Logical Security: Implement physical and logical security measures to protect data and critical infrastructures.
  • Key Management: Secure processes for the generation, storage, distribution, and destruction of cryptographic keys.
  • Audit and Traceability: Audit systems that ensure complete traceability of all actions performed with keys and certificates.

Auditor’s Perspective

From an auditor’s perspective, reviewing compliance with these regulations and standards focuses on verifying the effective implementation of key controls. This involves a series of structured steps:

  • Document Review: Evaluation of policies and procedures related to the management of certificates and keys.
  • Technical Inspection: Verification of the technological infrastructure and security systems implemented to protect data.
  • Interviews with Key Personnel: Discussions with personnel responsible for managing electronic trust services to understand operational processes.
  • Compliance Testing: Conducting tests to assess the effectiveness of the implemented controls.

Conclusion

The audit of cloud repositories holding certificates and keys for remote document signing is essential to ensure the security and legality of digital operations. Compliance with eIDAS, LSEC, and the ETSI standards not only facilitates interoperability and trust in the digital realm internationally but also ensures the protection of personal data and the integrity of electronic transactions. The adoption of these legal and technical frameworks by organizations implies a strong commitment to security, reliability, and respect for the privacy of end users.