Section 20IAC3-2-4. Digital signature certification authorities  


      (a) The state board of accounts shall maintain an approved list of certification authorities authorized to issue certificates for digitally signed communication with the state and shall make the list available to persons wishing to deal electronically with the state.

      (b) The Intelenet system shall only accept certificates from certification authorities that appear on the approved list of certification authorities.

      (c) The state board of accounts shall place a certification authority on the approved list of certification authorities after the certification authority provides the state board of accounts with either of the following:

    (1) A copy of an unqualified performance audit performed in accordance with standards set in the American Institute of Certified Public Accountants (AICPA) Statement on Auditing Standards No. 70 (SAS 70) to ensure that the certification authority's practices and policies are consistent with the requirements of the certification authority's certification practice statement and section 2 of this rule. A certification authority that has been in operation for:

    (A) one (1) year or less shall undergo an SAS 70 Type One audit, A Report of Policies and Procedures Placed in Operation, receiving an unqualified opinion; or

    (B) longer than one (1) year shall undergo an SAS 70 Type Two audit, A Report of Policies and Procedures Placed in Operation and Test of Operating Effectiveness, receiving an unqualified opinion.

    (2) Proof of accreditation by an accreditation body, acceptable to the state board of accounts whose requirements for accreditation are consistent with section 2 of this rule.

      (d) To remain on the approved list of certification authorities, a certification authority shall annually provide to the state board of accounts proof of compliance with the following:

    (1) A new audit of the type described in subsection (c)(1)(A) or a new or renewed accreditation of the type described in subsection (c)(1)(B).

    (2) The bond requirements described in subsection (f).

      (e) A certification authority may be removed from the approved list of certification authorities if:

    (1) the certification authority fails to provide current proof of accreditation to the state board of accounts annually;

    (2) the certification authority fails to receive an annual unqualified SAS 70 performance audit;

    (3) the state board of accounts is informed that a certification authority has had its accreditation revoked by an accreditation body that meets the criteria of subsection (c)(2); or

    (4) the certification authority fails to meet the requirements in subsection (f).

      (f) The certification authority shall furnish the state board of accounts annually with proof of a fidelity and surety bond underwritten by an insurer approved by the state, maintained currently in force, in an amount not less than fifty thousand dollars ($50,000) per year.

      (g) The certification authority shall be registered to do business in the state. (State Board of Accounts; 20 IAC 3-2-4; filed Jun 1, 1998, 3:33 p.m.: 21 IR 3640; errata filed Sep 23, 1998, 10:31 a.m.: 22 IR 462; readopted filed Nov 21, 2005, 9:15 a.m.: 29 IR 1381; readopted filed Nov 22, 2011, 2:19 p.m.: 20111221-IR-020110584RFA) NOTE: Expiration postponed by Executive Order #04-31, December 29, 2004.