1.1 The application process describes how an authentication service provider applies for accreditation with the South African Accreditation Authority (SAAA) as an accredited authentication service provider. If the application is found to comply with all requirements, the SAAA will involve the evaluator to complete the evaluation process. The evaluator acts on behalf of the SAAA as a technically competent authority to ensure the applicant’s compliance with the ECT Act and the Regulations. This will include inspection of the applicant’s facility. After the evaluation the SAAA will make its decision known to the applicant.
Refer to the diagram “SAAA – Process Diagram”.
1.2 Terms and Definitions
1.2.1 Applicant – means a document submitted by an Authentication Service Provider for accreditation.
1.2.2 Evaluator – refers to any expert consultant engaged by the SAAA to monitor, inspect or evaluate an authentication service provider or its authentication products or services resulting in and used to support an electronic signature, to ensure compliance with Chapter VI of the ECT Act and the Regulations;
1.2.3 SAAA – South African Accreditation Authority
1.2.4 WebTrust – means the principles and criteria of the WebTrust program for Certification Authorities developed by the American Institute of Certified Public Accountants, Inc. and the Canadian Institute of Chartered Accountants;
1.2.5 SANS 21188 – means SANS 21188:2006, Public key infrastructure for financial services – Practices and policy framework, a South African National Standard adopted by the South African Bureau of Standards on 13 October 2006;
2. Application Process Description
2.1 The SAAA will appoint a panel of auditors who can perform an independent audit of the applicant’s security, technology and procedures according to a recognised audit methodology [1].
2.2 The SAAA will prepare a website to publish the accreditation requirements, the panel of auditors, the application form and the application process.
2.3 The applicant will download the application form and the application process from the SAAA website.
2.4 Prior to the application, the applicant will select an auditor from the panel of auditors appointed by the SAAA, to do an audit of the applicant’s procedures, technology, people and facility by following the WebTrust methodology and referencing the relevant standard, SANS 21188.
2.4.1 Auditors appointed by the SAAA:
- KPMG
2.5 The applicant will be responsible for the payment of the audit fee to the auditor.
2.6 The auditor will sign a non-disclosure agreement (NDA) concerning the confidentiality of the applicant’s business with the applicant, but the agreement must acknowledge the auditor’s responsibility to report fully to the SAAA.
2.7 The audit performed by the auditor should establish:
- if the applicant complies with all legal requirements (in the ECT Act and the Regulations),
- if the applicant’s operations comply with its Certificate Practice Statement (CPS) disclosures [including RA operations and systems],
- if the applicant complies with relevant standards as prescribed, and
- how the applicant addressed risks identified during the information security risk analysis.
2.8 On completion of the audit, the audit report and any comments or actions will be given to the applicant. A sealed copy of the audit report and comments will also be given to the applicant for submission to the SAAA.
2.9 The applicant will submit the following to the offices of the SAAA in person (by hand-delivery):
- a complete, detailed audit report and comments (in an envelope sealed by the auditor),
- a completed application form,
- proof of payment of the application fee,
- a signed NDA,
- other prescribed information.
2.10 On receipt of the application, the SAAA will send a letter acknowledging receipt of the application to the applicant (by registered mail).
2.11 The SAAA will check the application and the other information submitted for completeness.
[1] ECT Act section 36(1)(c)
[2] Accreditation Regulations regulation 6(1).
[3] Accreditation Regulations regulation 6(1).
[4] Accreditation Regulations regulation 6(1).
[5] Accreditation Regulations regulation 8(1).
[6] Accreditation Regulations regulation 7(a)-(m).
- If all information was received, the SAAA will inform the applicant (by registered mail) that the application was complete and that the evaluation will commence. The SAAA will announce to the applicant details of the evaluator who will evaluate, inspect and monitor the applicant’s operations and facility.
- If the application or the information received was not complete, the SAAA will inform the applicant (by registered mail) of the fact that the application was incomplete. The SAAA will also provide details of the incomplete or missing information.
2.12 The SAAA will provide the audit report and comments to the evaluator. The evaluator will perform the evaluation process as described separately. See SAAA – Evaluation Process.
2.13 After the evaluator has completed the evaluation, an evaluation report and recommendation will be delivered to the SAAA.
2.14 The SAAA will study the evaluator’s report and the recommendation and then make the final accreditation decision. The SAAA will then either
- issue a certificate and a letter to allow the applicant to operate (without any limitations or restrictions) or
- issue a certificate and letter to inform the applicant that authorises it to operate but with certain limitations or restrictions or
- inform the applicant by letter (sent by registered mail) that the application was unsuccessful, providing reasons for the decision. The letter will make reference to the applicant’s right to make representations within 30 days if it wants to remedy the circumstances that led to the SAAA’s decision and apply for re-evaluation.
2.15 If the application was unsuccessful, the SAAA will grant 30 days for the applicant to comply.
2.16 If the application was successful, the name of the applicant, its details and the date of its accreditation will be recorded on the public database of the SAAA and be accessible on the SAAA website. The SAAA will instruct the applicant to send its public key to the SA Root Certification Authority (CA), which will sign it as an accredited CA and make available the signed public key certificate. The Root CA will list the signed certificate in its public repository (database).
2.2 Frequency of audits
2.2.1 The audit will be done once on application for accreditation and annually thereafter. The audit report must be submitted to the SAAA.
3. Evaluation Process Description
3.1 The SAAA will appoint an evaluator to perform evaluations of the applicant’s technology, procedures and facility on behalf of the SAAA.
[7] Accreditation Regulations regulation 12(3).
[8] Accreditation Regulations regulation 11.
[9] Accreditation Regulations regulation 10(2).
[10] Accreditation Regulations regulation 9(2).
3.2 The SAAA will require the evaluator to sign a non-disclosure agreement (NDA) with the SAAA to ensure confidentiality of the applicant’s information submitted to the evaluator.
3.3 The SAAA will provide the evaluator with all relevant information needed to perform the evaluation, including the detailed audit report.
3.4 The audit report will contain details of the audit methodology used to check if the applicant’s systems are secure, if keys match, if the certificate complies with the requirements in the ECT Act and if the procedures used are as stated in the applicant’s certificate practice statement (CPS).
3.5 The evaluator will perform an onsite inspection at the applicant’s facility to validate the security, technology and procedures used by the applicant. The evaluator will get details of the technology and procedures used from the auditor’s report and the applicant’s CPS.
3.6 The evaluator will in particular focus on:
- compliance with requirements of the ECT Act and the Regulations;
- inspection of the detailed audit report and audit comments; and
- inspection of the facility to review security, technology and processes.
3.7 On completion of the evaluation, the evaluator will send the evaluation report with a recommendation to the SAAA.
3.2 Frequency of evaluation
3.2.1 The evaluation will be done once on application for accreditation and once every year thereafter, following the annual audit.