Virginia Tech's Internal Auditors were involved with the project from the beginning and were given full access to the project wiki space. When the audit phase began, the auditor assigned to the project met weekly with the project leads to gather information and ensure that project status was well communicated. During initial meetings, we discussed the scope of each IAP section and compiled a list of references, including documentation and the technical personnel who would be interviewed. The auditors read the referenced policy documents and interviewed technical personnel, who explained their technical controls and, where applicable, how the policies were implemented and enforced in technology and software. Auditors performed vulnerability scans and examined configuration files. The auditors obtained eTokens and observed the procedures for identity proofing, registration, and certificate issuance. Issued certificates were examined to verify that each one carried the Object Identifier (OID) corresponding to a Bronze or Silver credential.
Internal Audit used a modified version of their standard audit template to submit the report to InCommon. The report included:
- Auditor qualifications
- Evidence of auditor independence through a direct reporting line to the governing Board of Visitors
- Outline of audit methodology, including:
  - background on identity assurance
  - identification of the departmental services being audited, and a brief description of the VTCA
  - audit objectives (the criteria categories identified by the InCommon Identity Assurance Profiles Bronze and Silver)
- Multifactor alternative