< !DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
< html >
< head >
< meta http-equiv = "CONTENT-TYPE" content = "text/html; charset=utf-8" >
< title > Security Policy< / title >
< style type = "text/css" >
<!--
P { color: #000000 }
TD P { color: #000000 }
H1 { color: #000000 }
H2 { color: #000000 }
DT { color: #000000 }
DD { color: #000000 }
H3 { color: #000000 }
TH P { color: #000000 }
.q {
color : green;
font-weight: bold;
text-align: center;
font-style:italic;
}
.error {
color : red;
font-weight: bold;
text-align: center;
font-style:italic;
}
.change {
color : blue;
font-weight: bold;
}
-->
< / style >
< / head >
< body style = "direction: ltr; color: rgb(0, 0, 0);" lang = "en-GB" >
< h1 > Security Policy for CAcert Systems< / h1 >
< p > < a href = "PolicyOnPolicy.html" > < img src = "Images/cacert-wip.png" id = "graphics1" alt = "CAcert Security Policy Status == wip" align = "bottom" border = "0" height = "33" width = "90" > < / a >
< br >
Creation date: 2009-02-16< br >
Status: < i > work-in-progress< / i >
< / p >
< h2 > < a name = "1" > 1.< / a > INTRODUCTION< / h2 >
< h3 > < a name = "1.1" > 1.1.< / a > Motivation and Scope < / h3 >
< p >
This Security Policy sets out the policy
for the secure operation of the CAcert critical computer systems.
These systems include:
< / p >
< ol > < li >
Physical hardware mounting the logical services
< / li > < li >
Webserver + database (core server(s))
< / li > < li >
Signing service (signing server)
< / li > < li >
Source code (changes and patches)
< / li > < / ol >
< p >
Board may add additional components into the Security Manual.
< / p >
< h4 > < a name = "1.1.1" > 1.1.1.< / a > Effected Personnel < / h4 >
< p >
These roles are directly covered:
< / p >
< ul > < li >
Access Engineers
< / li > < li >
Systems Administrators
< / li > < li >
Support Engineer
< / li > < li >
Software Assessors
< / li > < / ul >
< h4 > < a name = "1.1.1" > 1.1.2.< / a > Out of Scope < / h4 >
< p >
Non-critical systems are not covered by this manual,
but may be guided by it, and impacted where they are
found within the security context.
Architecture is out of scope, see CPS#6.2.
< / p >
< h3 > < a name = "1.2" > 1.2.< / a > Principles < / h3 >
< p >
Important principles of this Security Policy are:
< / p >
< ul > < li >
< i > dual control< / i > -- at least two individuals must control a task
< / li > < li >
< i > four eyes< / i > -- at least two individuals must participate in a task,
one to execute and one to observe.
< / li > < li >
< i > redundancy< / i > -- no single individual is the only one authorized
to perform a task.
< / li > < li >
< i > escrow< / i > -- where critical information (backups, passphrases)
is kept with other parties
< / li > < li >
< i > logging< / i > -- where events are recorded in a file
< / li > < li >
< i > separation of concerns< / i > -- when a core task is split between
two people from different areas
< / li > < li >
< i > Audit< / i > -- where external reviewers do checks on practices and policies
< / li > < li >
< i > Authority< / i > -- every action is authorised by either a policy or by the Arbitrator.
< / li > < / ul >
< p >
Each task or asset is covered by a variety of protections
deriving from the above principles.
< / p >
< h3 > < a name = "1.3" > 1.3.< / a > Definition of Terms< / h3 >
< dl >
< dt > < i > Access Engineer< / i > < / dt >
< dd >
A Member who manages the critical hardware,
including maintenance, access control and physical security.
See § 1.1.
< / dd >
< dt > < i > Software Assessor< / i > < / dt >
< dd >
A Member who reviews patches for security and workability,
signs-off on them, and incorporates them into the repository.
See § 7.
< / dd >
< dt > < i > Support Engineer< / i > < / dt >
< dd >
A Member who mans the support list,
and has access to restricted
data through the online interface.
See § 8.
< / dd >
< dt > < i > Systems Administrator< / i > < / dt >
< dd >
A Member who manages a critical system, and has access
to security-sensitive functions or data.
< / dd >
< / dl >
< h3 > < a name = "1.4" > 1.4.< / a > Documents and Version control< / h3 >
< h4 > < a name = "1.4.1" > 1.4.1.< / a > The Security Policy Document < / h4 >
< p >
This Security Policy is part of the configuration-control specification
for audit purposes (DRC).
It is under the control of Policy on Policy for version purposes.
< / p >
< p align = "center" > These parts are not part of the policy: < span class = "q" > green comments< / span > , < span class = "error" > red errors< / span > .< / p >
< p >
This policy document says what is done, rather than how to do it.
< span class = "change" >
< b > Some sections are empty, which means
"refer to the Manual."< / b >
< / span >
< / p >
< h4 > < a name = "1.4.2" > 1.4.2.< / a > The Security Manual (Practices) Document < / h4 >
< p >
This Policy explicitly defers detailed security practices to the
< a href = "http://wiki.cacert.org/wiki/SecurityManual" > Security Manual< / a >
("SM"),
The SM says how things are done.
As practices are things that vary from time to time,
including between each event of practice,
the SM is under the direct control of the Systems Administration team.
It is located and version-controlled on the CAcert wiki.
< / p >
< p >
Section Headings are the same in both documents.
Where Sections are empty in one document,
they are expected to be documented in the other.
< span class = "change" >
"Document further in Security Manual" can be implied from
any section heading in the Policy.
< / span >
< / p >
< h4 > < a name = "1.4.3" > 1.4.3.< / a > The Security Procedures < / h4 >
< p >
The team leaders may from time to time
explicitly defer single, cohesive components of the
security practices into separate procedures documents.
Each procedure should be managed in a wiki page under
their control, probably at
< a href = "http://wiki.cacert.org/wiki/SystemAdministration/Procedures" >
SystemAdministration/Procedures< / a > .
Each procedure must be referenced explicitly in the Security Manual.
< / p >
< h2 > < a name = "2" > 2.< / a > PHYSICAL SECURITY< / h2 >
< h3 > < a name = "2.1" > 2.1.< / a > Facility < / h3 >
< p >
CAcert shall host critical servers in a highly secure facility.
There shall be independent verification of the physical and
access security.
< / p >
< h3 > < a name = "2.2" > 2.2.< / a > Physical Assets < / h3 >
< ul class = "q" > < li >
Big change is to place Oophaga INSIDE the SM/SP.
< / li > < li >
2nd Change is to place Oophaga in SP and in SM:
< ul >
< li > role of Access Engineer is in SP.< / li >
< li > detail in the SM.< / li >
< / ul >
< / li > < / ul >
< h4 > < a name = "2.2.1" > 2.2.1.< / a > Computers < / h4 >
< p >
Computers shall be inventoried before being put into service.
Inventory list shall be available to all
Access Engineeers and all Systems Administrators.
List must be subject to change control.
< / p >
< p >
< span class = "change" >
Each unit shall be distinctly and uniquely identified on all visible sides.
< / span >
Machines shall be housed in secured facilities (cages and/or locked racks).
< / p >
< h4 > < a name = "2.2.1.1" > 2.2.1.1< / a > Acquisition < / h4 >
< p >
Acquisition of new equipment that is subject to a
pre-purchase security risk must be done from a
vendor that is regularly and commercially in business.
Precautions must be taken to prevent equipment being
prepared in advance.
< / p >
< h4 > < a name = "2.2.2" > 2.2.2.< / a > Service < / h4 >
< p >
Equipment that is subject to a service security risk
must be retired if service is required.
See also § 2.2.3.3.
< / p >
< h4 > < a name = "2.2.3" > 2.2.3.< / a > Media < / h4 >
< h4 > < a name = "2.2.3.1" > 2.2.3.1< / a > Provisioning < / h4 >
< p >
Storage media (disk drives, tapes, removable media)
are inventoried upon acquisition and tracked in their use.
< / p >
< p >
New storage media (whether disk or removable) shall be
securely wiped and reformatted before use.
< / p >
< h4 > < a name = "2.2.3.2" > 2.2.3.2< / a > Storage < / h4 >
< p >
Removable media shall be securely stored at all times,
including when not in use.
Drives that are kept for reuse are wiped securely before storage.
Reuse can only be within critical systems.
< / p >
< p >
When there is a change to status of media,
a report is made to the log specifying the new status.
< / p >
< h4 > < a name = "2.2.3.3" > 2.2.3.3< / a > Retirement < / h4 >
< p >
Storage media that is exposed to critical data and is
to be retired from service shall be destroyed or otherwise secured.
The following steps are to be taken:
< / p >
< ol > < li >
The media is securely destroyed, < b > or< / b >
< / li > < li >
the media is to be securely erased,
and stored securely.
< / li > < / ol >
< p >
Records of secure erasure and method of final disposal
shall be tracked in the asset inventory.
Where critical data is involved,
two systems administrators must sign-off on each step.
< / p >
< h3 > < a name = "2.3" > 2.3.< / a > Physical Access < / h3 >
< p >
In accordance with the principle of dual control,
at least two persons authorized for access must
be on-site at the same time for physical access to be granted.
< / p >
< h4 > < a name = "2.3.1" > 2.3.1.< / a > Access Authorisation < / h4 >
< p >
Access to physical equipment must be authorised.
< / p >
< h4 > < a name = "2.3.2" > 2.3.2.< / a > Access Profiles < / h4 >
< p >
The Security Manual must present the different access profiles.
At least one Access Engineer must control access in all cases.
At least one systems administrator will be present for
logical access.
Only the most basic and safest of accesses should be done with
one systems administrator present.
< / p >
< p >
< span class = "change" >
There is no inherent authorisation to access the data.
Systems Administrators are authorised to access
the raw data under the control of this policy.
< / span >
All others must not access the raw data.
All are responsible for protecting the data
from access by those not authorised.
< / p >
< h4 > < a name = "2.3.3" > 2.3.3.< / a > Access Logging < / h4 >
< p >
All physical accesses are logged and reported to all.
< / p >
< h4 > < a name = "2.3.4" > 2.3.4.< / a > Emergency Access < / h4 >
< p >
There must not be a procedure for emergency access.
< span class = "change" >
If, in the judgement of the systems administrator,
emergency access is required and gained,
in order to avoid a greater harm,
independent authorisation before the
Arbitrator must be sought as soon as possible.
< / span >
See DRP.
< / p >
< h4 > < a name = "2.3.5" > 2.3.5.< / a > Physical Security codes & devices < / h4 >
< p >
All personel who are in possession of physical security
codes and devices (keys) are to be authorised and documented.
< / p >
< h2 > < a name = "3" > 3.< / a > LOGICAL SECURITY< / h2 >
< h3 > < a name = "3.1" > 3.1.< / a > Network < / h3 >
< h4 > < a name = "3.1.1" > 3.1.1.< / a > Infrastructure < / h4 >
< p >
Current and complete diagrams of the physical and logical
CAcert network infrastructure shall be maintained by
systems administration team leader.
These diagrams should include cabling information,
physical port configuration details,
expected/allowed data flow directions,
< span class = "change" >
and any further pertinent information,
< / span >
as applicable.
Diagrams should be revision controlled,
and must be updated when any change is made.
< / p >
< h5 > 3.1.1.1. External connectivity < / h5 >
< p >
Only such services as are required for normal operation
should be visible externally;
systems and servers which do not require access
to the Internet for their normal operation
must not be granted that access.
< span class = "change" >
If such access becomes temporarily necessary for an
authorized administrative task,
such access may be granted under the procedures of the SM
and must be reported and logged.
< / span >
< / p >
< h5 > 3.1.1.2. Internal connectivity < / h5 >
< p >
System and server connections internal to the CAcert infrastructure should be kept to the minimum required for routine operations. Any new connectivity desired must be requested and approved by system administration team leader and then must be reflected in the appropriate infrastructure diagram(s).
< / p >
< h4 > < a name = "3.1.2" > 3.1.2.< / a > Operating Configuration < / h4 >
< h5 > 3.1.2.1. Ingress < / h5 >
< p >
All ports on which incoming traffic is expected shall be documented; traffic to other ports must be blocked. Unexpected traffic must be logged as an exception.
< / p >
< h5 > 3.1.2.2. Egress < / h5 >
< p >
All outbound traffic that is initiated shall be documented; traffic to other destinations must be blocked. Unexpected traffic must be logged as an exception.
< / p >
< h4 > < a name = "3.1.3" > 3.1.3.< / a > Intrusion detection < / h4 >
< p >
Logs should be examined regularly (by manual or automatic means) for unusual patterns and/or traffic; anomalies should be investigated as they are discovered and should be reported to appropriate personnel in near-real-time (e.g. text message, email) and investigated as soon as possible. Suspicious activity which may indicate an actual system intrusion or compromise should trigger the incident response protocol described in section 5.1.
< / p >
< h3 > < a name = "3.2" > 3.2.< / a > Operating System < / h3 >
< p >
Any operating system used for critical server machines must be available under an OSI-approved open source software license.
< / p >
< h4 > < a name = "3.2.1" > 3.2.1.< / a > Disk Encryption < / h4 >
< p >
Any operating system used for critical server machines must support software full-disk or disk volume encryption, and this encryption option must be enabled for all relevant disks/volumes when the operating system is first installed on the machine.
< / p >
< h4 > < a name = "3.2.2" > 3.2.2.< / a > Operating configuration < / h4 >
< p >
Servers must enable only the operating system functions required to support the necessary services. Options and packages chosen at OS install shall be documented, and newly-installed systems must be inspected to ensure that only required services are active, and their functionality is limited through configuration options. Any required application software must follow similar techniques to ensure minimal exposure footprint.
< / p >
< p >
Documentation for installing and configuring servers with the appropriate software packages and configurations will be maintained by the system administrators.
< / p >
< h4 > < a name = "3.2.3" > 3.2.3.< / a > Patching < / h4 >
< p class = "q" > A.1.i, A.1.k:< / p >
< p >
Software used on production servers must be kept current with respect to patches affecting software security. Patch application is governed by CCS and must be approved by the systems administration team leader, fully documented in the logs and reported by email to the systems administration list on completion (see § 4.2).
< / p >
< h5 > < a name = "3.2.3.1" > 3.2.3.1.< / a > “emergency” patching < / h5 >
< p >
Application of a patch is deemed an < i > emergency< / i >
when a remote exploit for a weakness in the particular piece
of software has become known
(on servers allowing direct local user access,
an emergent local exploit may also be deemed to be an emergency).
Application of patches in this case may occur as soon as possible,
bypassing the normal configuration-change process.
The systems administration team leader must either approve the patch,
instruct remedial action,
< span class = "change" >
and
< / span >
refer the case to dispute resolution.
< / p >
< p >
< b >
Declaration of an emergency patching situation should not occur with any regularity.
< / b >
Emergency patch events must be documented
within the regular summaries
< span class = "change" >
by the team leader to Board
independent of filed disputes.
< / span >
< / p >
< h3 > < a name = "3.3" > 3.3.< / a > Application < / h3 >
< p >
Software assessment takes place on various test systems
(not a critical system). See § 7.
Once offered by Software Assessment (team),
system administration team leader has to
approve the installation of each release or patch.
< / p >
< p >
Any changes made to source code must be referred
back to software assessment team
< span class = "change" >
and installation needs to be deferred
until approved by the Software Assessment Team.
< / span >
< / p >
< h3 > < a name = "3.4" > 3.4.< / a > Access control < / h3 >
< p >
< span class = "change" >
All access to critical data and services shall be
controlled and logged.
< / span >
< h4 > < a name = "3.4.1" > 3.4.1.< / a > Application Access < / h4 >
< span class = "change" >
General access for Members shall be provided via
a dedicated application.
General features are made available according to
Assurance Points and similar methods controlled in
the software system.
< / span >
< p class = "q" > what about web-api interfaces? Excluded? < / p >
< h4 > < a name = "3.4.2" > 3.4.2.< / a > Special Authorisation < / h4 >
< p >
< span class = "change" >
Additional or special access is granted according to the
authorisations on the below access control lists
< / span >
(see § 1.1.1):
< / p >
< table align = "center" border = "1" > < tr >
< td > List Name< / td >
< td > Who< / td >
< td > Purpose of access< / td >
< td > Relationship< / td >
< td > Manager < / td >
< / tr > < tr >
< td > Physical Control List< / td >
< td > Access Engineers< / td >
< td > control of access by personnel to hardware< / td >
< td > exclusive of all other roles < / td >
< td > Board of CAcert (or designee)< / td >
< / tr > < tr >
< td > Physical Access List< / td >
< td > systems administrators< / td >
< td > hardware-level for installation and recovery< / td >
< td > exclusive with Access Engineers and Software Assessors< / td >
< td > Board of CAcert (or designee)< / td >
< / tr > < tr >
< td > SSH Access List< / td >
< td > systems administrators< / td >
< td > Unix / account / shell level< / td >
< td > includes by default all on Physical Access List < / td >
< td > systems administration team leader< / td >
< / tr > < tr >
< td > Support Access List< / td >
< td > Support Engineer< / td >
< td > support features in the web application< / td >
< td > includes by default all systems administrators < / td >
< td > systems administration team leader< / td >
< / tr > < tr >
< td > Repository Access List< / td >
< td > software assessors< / td >
< td > change the source code repository< / td >
< td > exclusive with Access Engineers and systems administrators< / td >
< td > software assessment team leader< / td >
< / tr > < / table >
< p >
All changes to the above lists are approved by the board of CAcert.
< / p >
< h4 > < a name = "3.4.3" > 3.4.3.< / a > Authentication < / h4 >
< p >
< span class = "change" >
Strong methods of authentication shall be used
wherever possible.
All authentication schemes must be documented.
< / span >
< / p >
< h4 > < a name = "3.4.4" > 3.4.4.< / a > Removing access < / h4 >
< p >
Follow-up actions to termination must be documented.
See § 9.1.7.
< / p >
< h2 > < a name = "4" > 4.< / a > OPERATIONAL SECURITY < / h2 >
< h3 > < a name = "4.1" > 4.1.< / a > System administration < / h3 >
< p >
Primary systems administration tasks
shall be conducted under four eyes principle.
These shall include backup performance verification,
software patch application,
account creation and deletion,
and hardware maintenance.
< / p >
< h4 > < a name = "4.1.1" > 4.1.1.< / a > Privileged accounts and passphrases < / h4 >
< p >
Access to Accounts
(root and user via SSH or console)
must be strictly controlled.
Passphrases and SSH private keys used for entering into the systems
will be kept private
to CAcert sysadmins in all cases.
< / p >
< h5 > < a name = "4.1.1.1" > 4.1.1.1.< / a > Authorized users < / h5 >
< p >
Only system administrators designated on the
Access Lists
in § 3.4.2
are authorized to access accounts,
< span class = "change" >
unless specifically directed by the Arbitrator.
< / span >
< / p >
< h5 > < a name = "4.1.1.2" > 4.1.1.2.< / a > Access to Systems< / h5 >
< p >
All access is secured, logged and monitored.
< / p >
< h5 > < a name = "4.1.1.3" > 4.1.1.3.< / a > Changing < / h5 >
< p >
The procedure for changing passphrases and SSH keys < span class = "change" > shall< / span > be documented.
< / p >
< h4 > < a name = "4.1.2" > 4.1.2.< / a > Required staff response time < / h4 >
< p >
Response times should be documented for Disaster Recovery planning. See § 6.
< / p >
< h4 > < a name = "4.1.3" > 4.1.3.< / a > Change management procedures < / h4 >
< p >
All changes made to system configuration must be recorded
< span class = "change" >
and reported in regular summaries to the board of CAcert.
< / span >
< / p >
< h4 > < a name = "4.1.4" > 4.1.4.< / a > Outsourcing < / h4 >
< h3 > < a name = "4.2" > 4.2.< / a > Logging < / h3 >
< h4 > < a name = "4.2.1" > 4.2.1.< / a > Coverage < / h4 >
< p >
All sensitive events should be logged.
Logs should be deleted after an appropriate amount of time
as documented in the Security Manual.
< / p >
< h4 > < a name = "4.2.2" > 4.2.2.< / a > Access and Security < / h4 >
< p >
Access to logs must be restricted.
The security of the logs should be documented.
The records retention should be documented.
< / p >
< h4 > < a name = "4.2.3" > 4.2.3.< / a > Automated logs < / h4 >
< p >
Logging should be automated,
and use should be made of appropriate system-provided automated tools.
Automated logs should be reviewed periodically;
suspicious events should be flagged and investigated in a timely fashion.
< / p >
< h4 > < a name = "4.2.4" > 4.2.4.< / a > Operational (manual) logs < / h4 >
< p >
Configuration changes, no matter how small, must be logged.
< / p >
< p >
All physical visits must be logged and a
report provided by the accessor and by
the Access Engineer.
< / p >
< h3 > < a name = "4.3" > 4.3.< / a > Backup < / h3 >
< p >
The procedure for all backups must be documented,
according to the following sub-headings.
< / p >
< h4 > < a name = "4.3.1" > 4.3.1.< / a > Type < / h4 >
< p >
Backups must be taken for operational
and for disaster recovery purposes.
Operational backups may be online and local.
Disaster recovery backups must be offline and remote.
< / p >
< h4 > < a name = "4.3.2" > 4.3.2.< / a > Frequency < / h4 >
< h4 > < a name = "4.3.3" > 4.3.3.< / a > Storage < / h4 >
< p >
Backups must be protected to the same level as the critical systems themselves.
Disaster recovery backups may be distributed.
< / p >
< h4 > < a name = "4.3.4" > 4.3.4.< / a > Retention period and Re-use < / h4 >
< p >
< span class = "change" >
See § 2.2.3.
< / span >
< / p >
< h4 > < a name = "4.3.5" > 4.3.5.< / a > Encryption < / h4 >
< p >
Backups must be encrypted and must only be transmitted via secured channels.
Off-site backups must be dual-encrypted using divergent methods.
< / p >
< h4 > < a name = "4.3.6" > 4.3.6.< / a > Verifying Backups < / h4 >
< p >
Two CAcert system administrators must be
present for verification of a backup.
Four eyes principle must be maintained when the key and backup are together.
For any other purpose than verification of the success of the backup, see next.
< / p >
< h4 > < a name = "4.3.7" > 4.3.7.< / a > Key Management < / h4 >
< p >
The encryption keys must be stored securely by the
CAcert systems administrators.
Paper documentation must be stored with manual backups.
< / p >
< h4 > < a name = "4.3.8" > 4.3.8.< / a > Reading Backups < / h4 >
< p >
Conditions and procedures for examining the backups
must be documented,
and must be under Arbitrator control for purposes
other than verification and recovery.
< / p >
< h3 > < a name = "4.4" > 4.4.< / a > Data retention < / h3 >
< h4 > < a name = "4.4.1" > 4.4.1.< / a > User data < / h4 >
< p >
Termination of user data is under direction of the Arbitrator.
See CCA.
< / p >
< h4 > < a name = "4.4.2" > 4.4.2.< / a > System logs < / h4 >
< p >
< span class = "change" >
See § 4.2.1.
< / span >
< / p >
< h4 > < a name = "4.4.3" > 4.4.3.< / a > Incident reports < / h4 >
< p >
See § 5.6.
< / p >
< h2 > < a name = "5" > 5.< / a > INCIDENT RESPONSE< / h2 >
< h3 > < a name = "5.1" > 5.1.< / a > Incidents < / h3 >
< h3 > < a name = "5.2" > 5.2.< / a > Detection < / h3 >
< p >
The standard of monitoring, alerting and reporting must be documented.
< / p >
< h3 > < a name = "5.3" > 5.3.< / a > Immediate Action < / h3 >
< h4 > < a name = "5.2.1" > 5.2.1.< / a > Severity and Priority < / h4 >
< p >
On discovery of an incident,
an initial assessment of severity and priority must be made.
< / p >
< h4 > < a name = "5.2.2" > 5.2.2.< / a > Communications < / h4 >
< p >
An initial report should be
< span class = "change" >
circulated.
< s >
sent to systems administrators
and wider interested parties.
< / s >
< / span >
< / p >
< p >
A communications forum should be established for direct
support of high priority or high severity incidents.
< / p >
< h4 > < a name = "5.2.3" > 5.2.3.< / a > < span class = "change" > Escalation < / span > < / h4 >
< p >
A process of escalation should be established
< span class = "change" >
for oversight and management purposes,
proportional to severity and priority.
Oversight starts with four eyes and ends with the Arbitrator.
Management starts with the team leader and ends with the Board.
< / span >
< / p >
< h3 > < a name = "5.4" > 5.4.< / a > Investigation < / h3 >
< p >
Incidents must be investigated.
The investigation must be documented.
If the severity is high,
evidence must be secured and escalated to Arbitration.
< / p >
< h3 > < a name = "5.5" > 5.5.< / a > Response < / h3 >
< h3 > < a name = "5.6" > 5.6.< / a > Report < / h3 >
< p >
Incident reports < span class = "change" > shall< / span > be be published.
The Incident Report is written on closing the investigation.
A full copy should be appended to the
documentation of the investigation.
Sensitive information may be pushed out into
a restricted appendix of the report.
The systems administration team leader is responsible
for publication and maintenance.
< / p >
< p >
Incidents are not normally kept secret nor confidential,
and progress information should be published as soon as
possible.
The knowledge of the existence of the event must not be kept
secret, nor the manner and methods be kept confidential.
< span class = "change" >
See § 9.7.
< / span >
< / p >
< h2 > < a name = "6" > 6.< / a > DISASTER RECOVERY< / h2 >
< p >
Disaster Recovery is the responsibility of the Board of CAcert Inc.
< / p >
< h3 > < a name = "6.1" > 6.1. < / a > Business Processes < / h3 >
< p >
Board must develop and maintain documentation on Business Processes.
From this list, Core Processes for business continuity / disaster recovery
purposes must be identified.
< / p >
< h3 > < a name = "6.2" > 6.2. < / a > Recovery Times < / h3 >
< p >
Board should identify standard process times for all processes,
and must designate Maximum Acceptable Outages
and Recovery Time Objectives for the Core Processes.
< / p >
< h3 > < a name = "6.3" > 6.3. < / a > Plan < / h3 >
< p >
Board must have a basic plan to recover.
< / p >
< h3 > < a name = "6.4" > 6.4. < / a > Key Persons List < / h3 >
< p >
Board must maintain a key persons List with all the
contact information needed.
See § 10.1.
< span class = "change" >
The list shall be accessible even if CAcert's
infrastructure is not available.
< / span >
< / p >
< h2 > < a name = "7" > 7.< / a > SOFTWARE ASSESSMENT< / h2 >
< p class = "q" >
Change name of this to Software Assessment.
< / p >
< p >
Software assessment team is responsible
for the security of the code.
< / p >
< h3 > < a name = "7.1" > 7.1. < / a > Authority < / h3 >
< p >
The source code is under CCS.
Additions to the team are approved by Board.
See § 3.4.2.
< / p >
< h3 > < a name = "7.2" > 7.2. < / a > Tasks < / h3 >
< p >
The primary tasks are:
< / p >
< ol > < li >
Keep the code secure in its operation,
< / li > < li >
Fix security bugs, including incidents,
< / li > < li >
Audit, Verify and sign-off proposed patches,
< / li > < li >
Guide Systems Administration team in inserting patches,
< / li > < li >
Provide guidance for architecture,
< / li > < / ol >
< p >
Software assessment is not primarily tasked to write the code.
In principle, anyone can submit code changes for approval.
< / p >
< h3 > < a name = "7.3" > 7.3. < / a > Repository < / h3 >
< p >
The application code and patches are maintained
in a central repository that is run by the
software assessment team.
< / p >
< h3 > < a name = "7.4" > 7.4. < / a > Review < / h3 >
< p >
At the minimum,
patches are signed off by the team leader
or his designated reviewer.
Each software change should be reviewed
by a person other than the author.
Author and signers-off must be logged.
The riskier the source is, the more reviews have to be done.
< / p >
< h3 > < a name = "7.5" > 7.5. < / a > Test and Bugs < / h3 >
< p >
Software assessment team maintains a test system.
Each patch should be built and tested.
Test status of each patch must be logged.
< / p >
< p >
Software assessment team maintains a bug system.
Primary communications should go through this system.
Management access should be granted to all software assessors,
software developers, and systems administrators.
Bug submission access should be provided to
any Member that requests it.
< / p >
< h3 > < a name = "7.6" > 7.6. < / a > Handover < / h3 >
< p >
Once signed off, software assessment (team leader)
coordinates with systems administration (team leader)
to offer the upgrade.
Upgrade format is to be negotiated,
but systems administration naturally has the last word.
Software assessors are not to have access
to the critical systems, providing a dual control
at the teams level.
< / p >
< p >
If compilation and/or other processing of the
application source code in the version control system
is necessary to deploy the application,
detailed installation instructions should also be
maintained in the version control system and offered to the
system administrators.
< / p >
< p >
Systems administrators copy the patches securely
from the software assessment repository
onto the critical machine.
See § 3.3.
< / p >
< h2 > < a name = "8" > 8.< / a > SUPPORT< / h2 >
< h3 > < a name = "8.1" > 8.1. < / a > Authority < / h3 >
< p >
The software interface gives features to Support Engineer.
Access to the special features is under tight control.
Additions to the team are approved by Board,
and the software features are under CCS.
< span class = "change" >
See § 3.4.2.
< / span >
< / p >
< p >
Support Engineers do not have any inherent authority
to take any action,
and they have have to get authority on a case-by-case basis.
The authority required in each case must be guided
by this policy or the Security Manual or other clearly
applicable document.
If the Member's authority is not in doubt,
the Member can give that authority.
If not, the Arbitrator's authority must be sought.
< / p >
< p >
Support Engineers are responsible to follow the
policies and practices.
< / p >
< h3 > < a name = "8.2" > 8.2. < / a > Responsibilities < / h3 >
< span class = "change" >
< p >
Support Engineers have these responsibilities:
< p >
< ul > < li >
Account Recovery, as documented in the Security Manual.
< / li > < li >
Respond to general requests for information or explanation by Members.
Support Engineers cannot make a binding statement.
Responses must be based on policies and practices.
< / li > < li >
Tasks and responsibilities as specified in other policies, such as DRP.
< / li > < / ul >
< / span >
< h3 > < a name = "8.3" > 8.3. < / a > Channels < / h3 >
< p >
< span class = "change" >
Support may always be contacted by email at
support at cacert dot org.
Other channels may be made available and documented
in Security Manual.
< / span >
< / p >
< h3 > < a name = "8.4" > 8.4. < / a > Records and Logs < / h3 >
< ul >
< li > use of restricted interfaces must be logged. < / li >
< li > all support channels should be logged. < / li >
< li > private requests for support should be referred to proper channels and logged there (e.g., by CCs) < / li >
< / ul >
< h3 > < a name = "8.5" > 8.5. < / a > Arbitration < / h3 >
< span class = "change" >
Support Engineers refer questions requiring authority
to Arbitration, and may also be called upon to act as
default Case Managers.
See DRP and
< a href = "https://svn.cacert.org/CAcert/Arbitration/arbitration_case_manager.html" > Case Manager's Handbook.< / a >
Support Engineers should be familiar with
these topics, even if not listed as Arbitrators
or Case Managers.
< / span >
< h3 > < a name = "8.6" > 8.6. < / a > References < / h3 >
< h2 > < a name = "9" > 9.< / a > ADMINISTRATIVE< / h2 >
< h3 > < a name = "9.1" > 9.1. < / a > Staffing< / h3 >
< h4 > < a name = "9.1.1" > 9.1.1. < / a > Roles and responsibilities< / h4 >
< ul >
< li > Access Engineer: responsible for controlling access to hardware, and maintaining hardware. < / li >
< li > System administrator: responsible for maintaining core services and integrity. < / li >
< li > Software assessor: maintain the code base and confirm security ("sign-off") of patches and releases.< / li >
< li > Support Engineer: human interface with users.< / li >
< li > Team leaders: coordinate with teams, report to board.< / li >
< li > All: respond to Arbitrator's rulings on changes. Respond to critical security issues. Observe.< / li >
< li > Board: authorise new individuals and accesses. Coordinate overall. < / li >
< / ul >
< h4 > < a name = "9.1.2" > 9.1.2. < / a > Staffing levels< / h4 >
< p >
Each team should have a minimum of two members available at any time.
Individuals should not be active
in more than one team at any one time,
but are expected to observe the other teams.
See § 3.4.2 for exclusivities.
< / p >
< p >
One individual in each team is designated team leader
and reports to Board.
< / p >
< h4 > < a name = "9.1.3" > 9.1.3. < / a > Process of new Team Members< / h4 >
< p >
New team members need:
< / p >
< ul >
< li > Recommendation by team leader < / li >
< li > Independent background check < / li >
< li > Authorisation by Board < / li >
< / ul >
< p >
The team supports the process of adding new team members.
< / p >
< h4 > < a name = "9.1.4" > 9.1.4. < / a > Background Check Procedures< / h4 >
< p >
Background checks are carried out with full seriousness.
Background checks must be conducted under the direction of the Arbitrator,
with a separate Case Manager to provide four eyes.
< / p >
< h4 > < a name = "9.1.4.1" > 9.1.4.1. < / a > Scope < / h4 >
< p >
An investigation should include examination of:
< / p >
< ul >
< li > realm-specific knowledge < / li >
< li > realm-specific understanding of good security practice < / li >
< li > history of activity within Community < / li >
< li > reputation and standing within Community < / li >
< li > provided references < / li >
< li > conflicts of interest < / li >
< / ul >
< h4 > < a name = "9.1.4.2" > 9.1.4.2. < / a > Coverage < / h4 >
< p >
A background check is to be done for all critical roles.
The background check should be done on all of:
< / p >
< ul >
< li > systems administrator < / li >
< li > access engineeers < / li >
< li > software assessor < / li >
< li > support engineer < / li >
< li > Board < / li >
< / ul >
< h4 > < a name = "9.1.4.3" > 9.1.4.3. < / a > Documentation < / h4 >
< p >
The process of the background check should be documented as a procedure.
< / p >
< p >
Documentation of each individual check should be preserved
and should be reviewable under any future Arbitration.
It must include:
< / p >
< ul >
< li > Agreement with appropriate policies, etc. < / li >
< li > Contact information. See § 10.1. < / li >
< / ul >
< h4 > < a name = "9.1.4.4" > 9.1.4.4. < / a > Privacy for Critical Roles< / h4 >
< p >
The following privacy considerations exist:
< / p >
< ul >
< li > procedure and ruling (recommendation) should be public < / li >
< li > interview, documents should not be public, < / li >
< li > summary of evidence should be in the ruling. < / li >
< li > Arbitrator can rule on the escrow questions of evidence < / li >
< li > contact information goes into the contact addressbook < / li >
< / ul >
< p >
CAcert trusted roles give up some privacy for the privacy of others.
< / p >
< h4 > < a name = "9.1.5" > 9.1.5. < / a > Authorisation < / h4 >
< p >
Individuals and access (both) must be authorised by the Board.
Only the Board may approve new individuals or any access to the systems.
Each Individual should be proposed to the Board,
with the relevant supporting information as above.
< / p >
< p >
The Board should deliberate directly and in full.
Board members who are also active in the area should recuse from the vote,
but should support the deliberations.
Deliberations and decisions should be documented.
All conflicts of interest should be examined.
< / p >
< h4 > < a name = "9.1.6" > 9.1.6. < / a > Security< / h4 >
< p >
It is the responsibility of all individuals to observe and report on security issues.
All of CAcert observes all where possible.
It is the responsibility of each individual to resolve it satisfactorily,
or to ensure that it is reported fully.
< / p >
< p >
Only information subject to a specific and documented exception
may be kept secret or confidential.
The exception itself must not be secret or confidential.
All secrets and confidentials are reviewable under Arbitration,
and may be reversed.
< / p >
< h4 > < a name = "9.1.7" > 9.1.7. < / a > Termination of staff< / h4 >
< p >
Termination of access may be for resignation, Arbitration ruling,
or decision of Board or team leader.
On termination (for any reason), access and information must be secured.
See § 3.4.4.
< / p >
< p >
The provisions on Arbitration survive any termination
by persons fulfilling a critical role.
That is, even after a person has left a critical role,
they are still bound by the DRP (COD7),
and the Arbitrator may reinstate any provision
of this agreement or bind the person to a ruling.
< / p >
< h4 > < a name = "9.1.8" > 9.1.8. < / a > HR and Training< / h4 >
< p >
It is the responsibility of the team leaders
to coordinate technical testing and training,
especially of new team members.
< / p >
< span class = "change" >
< h3 > < a name = "9.2" > 9.2. < / a > < s > Key changeover < / s > < / h3 >
< / span >
< h3 > < a name = "9.3" > 9.3. < / a > Key generation/transfer< / h3 >
< h4 > < a name = "9.3.1" > 9.3.1. < / a > Root Key generation< / h4 >
< p >
Root keys should be generated on a machine built securely
for that purpose only and cleaned/wiped/destroyed immediately afterwards.
< / p >
< h4 > < a name = "9.3.2" > 9.3.2. < / a > Backup and escrow< / h4 >
< p >
Root keys must be kept on reliable removable media used for that purpose only.
Private Keys must be encrypted and should be dual-encrypted.
Passphrase must be strong and must be separately escrowed from media.
Dual control must be maintained.
< / p >
< p >
The top-level root must be escrowed under Board control.
Subroots may be escrowed by either Board or Systems Administration Team.
< / p >
< h4 > < a name = "9.3.3" > 9.3.3. < / a > Recovery< / h4 >
< p >
Recovery must only be conducted
< span class = "change" >
under Arbitrator authority.
< s >
A recovery exercise should be conducted approximately every year.
< / s >
< / span >
< / p >
< h3 > < a name = "9.4" > 9.4. < / a > < span class = "change" > < s > Root certificate changes < / s > < / span > < / h3 >
< h4 > < a name = "9.4.1" > 9.4.1. < / a > Creation< / h4 >
< p > Document.< / p >
< h4 > < a name = "9.4.2" > 9.4.2. < / a > Revocation< / h4 >
< p > Document.< / p >
< h4 > < a name = "9.4.3" > 9.4.3. < / a > Public notification< / h4 >
< p >
Board has responsibility for formal advisory to the public.
< / p >
< h3 > < a name = "9.5" > 9.5. < / a > Legal< / h3 >
< h4 > < a name = "9.5.1" > 9.5.1. < / a > Responsibility< / h4 >
< p >
The board is responsible for the CA at the executive level.
< / p >
< h4 > < a name = "9.5.2" > 9.5.2. < / a > Response to external (legal) inquiry< / h4 >
< p >
All external inquiries of security import are filed as disputes and placed before the Arbitrator under DRP.
< / p >
< p >
Only the Arbitrator has the authority
to deal with external requests and/or create a procedure.
Access Engineers, systems administrators,
board members and other key roles
do not have the authority to answer legal inquiry.
The Arbitrator's ruling may instruct individuals,
and becomes your authority to act.
< / p >
< h3 > < a name = "9.6" > 9.6.< / a > Outsourcing < / h3 >
< p class = "change" >
Components may be outsourced.
Team leaders may outsource non-critical components
on notifying the board.
Critical components must be approved by the board.
< p >
< p >
Any outsourcing arrangements must be documented.
All arrangements must be:
< / p >
< ul class = "change" > < li >
with Members of CAcert that are
< ul > < li >
Assurers, as individuals, or
< / li > < li >
Assured Organisations, in which
all involved personnel are Assurers,
< / li > < / ul >
< / li > < li >
< / li > < li >
with Members that have the requisite knowledge
and in good contact with the team leader(s),
< / li > < li >
subject to audit,
< / li > < li >
transparent and no barrier to security,
< / li > < li >
under this Policy and the Security Manual,
< / li > < li >
fully under Arbitration and DRP for the purposes of Security, and
< / li > < li >
under the spirit of the Community and within the Principles of CAcert.
< / li > < / ul >
< p >
Contracts should be written with the above in mind.
< / p >
< h3 > < a name = "9.7" > 9.7< / a > Confidentiality, Secrecy < / h3 >
< p class = "change" >
CAcert is an open organisation and adopts a principle
of open disclosure wherever possible.
See < a href = "https://svn.cacert.org/CAcert/principles.html" >
Principles< / a > .
This is not a statement of politics but a statement of security;
if a subject can only sustain under some
confidentiality or secrecy, then find another way.
< / p >
< p class = "change" >
In concrete terms,
only under a defined exception under policy,
or under the oversight of the Arbitrator,
may confidentiality or secrecy be maintained.
All should strive to reduce or remove any such
restriction.
< / p >
< h2 > < a name = "10" > 10.< / a > REFERENCES< / h2 >
< h3 > < a name = "10.1" > 10.1< / a > Contacts < / h3 >
< p >
Contact information for all key people and teams must be documented.
< / p >
< h3 > < a name = "10.2" > 10.2< / a > Documents < / h3 >
< p >
All incorporated Documents must be documented.
< / p >
< h3 > < a name = "10.3" > 10.3< / a > Related Documents < / h3 >
< p >
Relevant and helpful Documents should be referenced for convenience.
< / p >
< hr >
< a href = "http://validator.w3.org/check?uri=referer" > < img src = "Images/valid-html401-blue.png" id = "graphics2" alt = "Valid HTML 4.01" align = "right" border = "0" height = "33" width = "90" > < / a >
< p > This is the end of the Security Policy.< / p >
< / body > < / html >
