cacert-policies/SecurityPolicy.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
                      "http://www.w3.org/TR/html4/loose.dtd">
<html>
 <head>
 <meta http-equiv="CONTENT-TYPE" content="text/html; charset=utf-8">
 <title>Security Policy</title>

<style type="text/css">
<!--
P { color: #000000 }
TD P { color: #000000 }
H1 { color: #000000 }
H2 { color: #000000 }
DT { color: #000000 }
DD { color: #000000 }
H3 { color: #000000 }
TH P { color: #000000 }

.q {
	color : green;
	font-weight: bold;
	text-align: center;
	font-style:italic;
}

.error {
	color : red;
	font-weight: bold;
	text-align: center;
	font-style:italic;
}

.change {
	color : blue;
	font-weight: bold;
}
-->
</style>
</head>

<body style="direction: ltr; color: rgb(0, 0, 0);" lang="en-GB">
<h1>Security Policy for CAcert Systems</h1>
<p><a href="PolicyOnPolicy.html"><img src="Images/cacert-wip.png" id="graphics1" alt="CAcert Security Policy Status == wip" align="bottom" border="0" height="33" width="90"></a>
<br>
Creation date: 2009-02-16<br>
Status: <i>work-in-progress</i>
</p>

<h2><a name="1">1.</a> Introduction</h2>

<h3><a name="1.1">1.1.</a> Motivation and Scope </h3>
<p>
This Security Policy sets out required procedures
for the secure operation of the CAcert critical computer systems.
These systems include:
</p>
<ol><li>
     Physical hardware mounting the logical services
   </li><li>
     Webserver + database (core server(s))
   </li><li>
     Signing service (signing server)
   </li><li>
     Support interface
   </li><li>
     Source code (changes and patches) 
</li></ol>

<h4><a name="1.1.1">1.1.1.</a> Effected Personnel </h4>

<p>
These roles and teams are effected:
</p>

<ul><li>
      Hardware Controllers (Oophaga)
    </li><li>
      Direct Hardware Access Systems Administrators
      (as listed in Oophaga Appendix B Access List)
    </li><li>
      Application Administrators
      (online access to critical systems at Unix level)
    </li><li>
      Support Team
      (online access via administration interfaces)
    </li><li>
      Software Development Team
      (approval of application code) 
</li></ul>

<h4><a name="1.1.1">1.1.2.</a> Out of Scope </h4>

<p>
Non-critical systems are not covered by this manual,
but may be guided by it, and impacted where they are
found within the security context.
Architecture is out of scope, see CPS#6.2. 
</p>

<h3><a name="1.2">1.2.</a> Principles </h3>
<p>
Important principles of this Security Policy are:
</p>

<ul><li>
      <i>dual control</i> -- at least two individuals must control a task
    </li><li>
      <i>4 eyes</i> -- at least two individuals must be present during a task,
      one to execute and one to observe.
    </li><li>
      <i>redundancy</i> -- no single individual is the only one authorized
      to perform a task.
    </li><li>
      <i>escrow</i> -- where critical information (backups, passwords)
      is kept with other parties
    </li><li>
      <i>logging</i> -- where events are recorded in a file
    </li><li>
      <i>separation of concerns</i> -- when a core task is split between
      two people from different areas
    </li><li>
      <i>Audit</i> -- where external reviewers do checks on practices and policies 
</li></ul>

<p>
Each task or asset is covered by a variety of protections
deriving from the above principles. 
</p>

<h3><a name="1.3">1.3.</a> Definition of Terms</h3>
<dl>

<dt><i>Systems Administrator</i> </dt>
<dd>
    A Member who manages a critial system, and has access
    to security-sensitive functions or data.
</dd>

</dl>

<h3><a name="1.4">1.4.</a> Version control</h3>

<h4><a name="1.4.1">1.4.1.</a> The Security Policy Document </h4>
<p>
This Security Policy is part of the configuration-control specification
for audit purposes (DRC).
It is under the control of Policy on Policy for version purposes.
</p>

<p>
This policy document says what is done, rather than how to do it.
</p>

<h4><a name="1.4.2">1.4.2.</a> The Security Manual (Practices) Document </h4>

<p>
This Policy explicitly defers detailed security practices to the
<a href="http://wiki.cacert.org/wiki/SecurityManual">Security Manual</a>
("SM"),
The SM says how things are done.
As practices are things that vary from time to time,
including between each event of practice,
the SM is under the direct control of the Systems Administration team.
It is located and version-controlled on the CAcert wiki.
</p>

<h4><a name="1.4.3">1.4.3.</a> The Security Procedures </h4>

<p>
The Systems Administration team may from time to time
explicitly defer single, cohesive components of the
security practices into separate procedures documents.
Each procedure should be managed in a wiki page under
their control, probably at
<a href="http://wiki.cacert.org/wiki/SystemAdministration/Procedures">
SystemAdministration/Procedures</a>.
Each procedure must be referenced explicitly in the Security Manual.
</p>

<h2><a target="2">2.</a> Physical Security</h2>



<p>
Physical assets and security procedures are generally provided and maintained as set forth in the Memorandum of Understanding between CAcert and Stichting Oophaga Foundation of 10 July 2007, and as amended from time to time.  Approval of both boards of CAcert and Oophaga is required for changes to the MoU.
</p>

<p>
The MoU places responsibility for the physical assets (hardware), hosting and for control of access to the hardware with Oophaga.
</p>

<h3><a name="2.1">2.1.</a> Facility </h3>

<p>
CAcert shall host critical servers in a highly secure facility.
There shall be independent verification of the physical and
access security.
</p>

<h3><a name="2.2">2.2.</a> Physical Assets </h3>

<ul class="q"><li>
    Big question here is whether Oophaga falls inside SP/SM or not.
  </li><li>
    2nd Big Question is whether Oophaga is in SP or in SM.
</li></ul>

<h4><a name="2.2.1">2.2.1.</a> Computers </h4>
<p>
Computers shall be inventoried before being put into service.
Inventory list shall be available to all Systems Administrators.
Units shall have nickname clearly marked on front and rear of chassis.
Machines shall be housed in secured facilities (cages and/or locked racks).
</p>

<h4><a name="2.2.1.1">2.2.1.1</a> Acquisition </h4>
<p>
Acquisition of new equipment that is subject to a
pre-purchase security risk must be done from a
vendor that is regularly and commercially in business.
Precautions must be taken to prevent equipment being
prepared in advance.
</p>

<p>
Acquisition may be done by CAcert systems administrators
but the ownership and control of the hardware transfers
to Oophaga the moment the equipment is in use.
</p>

<h4><a name="2.2.2">2.2.2.</a> Cables </h4>

<p>
Cabling to all equipment shall be labeled at both ends
with identification of end points.
</p>

<h4><a name="2.2.3">2.2.3.</a> Media </h4>

<h4><a name="2.2.3.1">2.2.3.1</a> Provisioning </h4>

<p>
Storage media (disk drives, tapes, removable media)
are inventoried upon acquisition by Oophaga.
CAcert system administrators will report any changes
in the use or location of the media to Oophaga and to the routine
logging list.
</p>

<p>
New storage media (whether disk or removable) shall be
securely wiped and reformatted before use.
</p>

<h4><a name="2.2.3.2">2.2.3.2</a> Storage </h4>

<p>
Removable media shall be securely stored at all times,
including when not in use. When there is a change to
status of media, a report is made to the log specifying
the new status
(sysadmins present, steps taken, location of storage, etc).
Drives that are kept for reuse are wiped securely before storage.
Reuse can only be within critical systems.
</p>

<h4><a name="2.2.3.3">2.2.3.3</a> Retirement </h4>

<p>
Storage media that is exposed to critical data and is
to be retired from service shall be destroyed or otherwise secured.
The following steps are to be taken:
</p>

<ol><li>
    The media is to be securely erased.
  </li><li>
    One of the following, in order of preference:
      <ol type="a"><li>
         rendered unreadable via physical means that
         destroys the platters and electronics, or,
        </li><li>
         disposed of via a licensed disposal facility, or
        </li><li>
         sealed and stored securely until the data has expired.
         The years of retirement and of expiry should be marked
         by CAcert systems administrator. 
      </li></ol>
</li></ol>

<p>
Records of secure erasure and method of final disposal
shall be tracked in the asset inventory.
Where critical data is involved,
2 system administrators must sign-off on each step.
</p>

<h3><a name="2.3">2.3.</a> Physical Access </h3>

<p>
In accordance with the principle of dual control,
at least two persons authorized for access must
be on-site at the same time for physical access to be granted.
</p>

<h4><a name="2.3.1">2.3.1.</a> Access Authorisation </h4>

<p>
Access to physical equipment must be authorised.
</p>

<h4><a name="2.3.2">2.3.2.</a> Access Profiles </h4>

<p>
The Security Manual must present the different access profiles.
At least one CAcert systems administrator will be present for
logical access to CAcert critical servers.
Only the most basic and safest of accesses should be done with
one CAcert systems administrator present.
Oophaga representatives must not access the data.
</p>

<h4><a name="2.3.3">2.3.3.</a> Access Logging </h4>

<p>
All physical accesses are logged and reported to all.
</p>

<h4><a name="2.3.4">2.3.4.</a> Emergency Access </h4>

<p>
There is no procedure for emergency access.
If emergency access is gained,
this must be reported and justified immediately.
See DPR. 
</p>

<h4><a name="2.3.5">2.3.5.</a> Physical Security codes & devices </h4>

<p>
All personel who are in possession of physical security
codes and devices (keys) are to be authorised and documented.
</p>





<hr>
<h2><a name="end">End</a></h2>
<p>This is the end of the Security Policy.</p>
<p><a href="http://validator.w3.org/check?uri=referer"><img src="Images/valid-html401-blue.png" id="graphics2" alt="Valid HTML 4.01" align="bottom" border="0" height="33" width="90"></a>
</p>
</body></html>