Physical assets and security procedures are generally provided and maintained as set forth in the Memorandum of Understanding between CAcert and Stichting Oophaga Foundation of 10 July 2007, and as amended from time to time. Approval of both boards of CAcert and Oophaga is required for changes to the MoU.
</p>
<p>
The MoU places responsibility for the physical assets (hardware), hosting and for control of access to the hardware with Oophaga.
</p>
<h3><aname="2.1">2.1.</a> Facility </h3>
<p>
CAcert shall host critical servers in a highly secure facility.
There shall be independent verification of the physical and
access security.
</p>
<h3><aname="2.2">2.2.</a> Physical Assets </h3>
<ulclass="q"><li>
Big question here is whether Oophaga falls inside SP/SM or not.
</li><li>
2nd Big Question is whether Oophaga is in SP or in SM.
</li></ul>
<h4><aname="2.2.1">2.2.1.</a> Computers </h4>
<p>
Computers shall be inventoried before being put into service.
Inventory list shall be available to all Systems Administrators.
Units shall have nickname clearly marked on front and rear of chassis.
Machines shall be housed in secured facilities (cages and/or locked racks).
Current and complete diagrams of the physical and logical CAcert network infrastructure shall be maintained by systems administration team leader. These diagrams should include cabling information, physical port configuration details, and expected/allowed data flow directions, as applicable. Diagrams should be revision controlled, and must be updated when any change is made.
</p>
<h5> 3.1.1.1. External connectivity </h5>
<p>
Only such services as are required for normal operation should be visible externally; systems and servers which do not require access to the Internet for their normal operation must not be granted that access.
</p>
<h5> 3.1.1.2. Internal connectivity </h5>
<p>
System and server connections internal to the CAcert infrastructure should be kept to the minimum required for routine operations. Any new connectivity desired must be requested and approved by CAcert system administration team leader and then must be reflected in the appropriate infrastructure diagram(s).
All ports on which incoming traffic is expected shall be documented; traffic to other ports must be blocked. Unexpected traffic must be logged as an exception.
</p>
<h5> 3.1.2.2. Egress </h5>
<p>
All ports to which outbound traffic is initiated shall be documented; traffic to other ports must be blocked. Unexpected traffic must be logged as an exception.
(iang:) this one is covered in DRC-A.5.f. which says: "The security manual describes how computer systems are configured and updated to protect them against hostile intrusion, unauthorized electronic access, and "malware" and how individuals are authorized to perform those tasks."
</p>
<p>
Logs should be examined regularly (by manual or automatic means) for unusual patterns and/or traffic; anomalies should be investigated as they are discovered and should be reported to appropriate personnel in near-real-time (e.g. text message, email) and investigated as soon as possible. Suspicious activity which may indicate an actual system intrusion or compromise should trigger the incident response protocol described in section 5.1.
</p>
<h3><aname="3.2">3.2.</a> Operating System </h3>
<p>
Any operating system used for critical server machines must be available under an OSI-approved open source software license.
</p>
<h4> 3.2.1. Disk Encryption </h4>
<p>
Any operating system used for critical server machines must support software full-disk or disk volume encryption, and this encryption option must be enabled for all relevant disks/volumes when the operating system is first installed on the machine.
</p>
<h4> 3.2.2. Operating configuration </h4>
<p>
Servers must enable only the operating system functions required to support the necessary services. Options and packages chosen at OS install shall be documented, and newly-installed systems must be inspected to ensure that only required services are active, and their functionality is limited through configuration options. Any required application software must follow similar techniques to ensure minimal exposure footprint.
</p>
<p>
Documentation for installing and configuring servers with the appropriate software packages and configurations will be maintained by the system administrators in the wiki.
</p>
<h4> 3.2.3. Patching </h4>
<pclass="q">A.1.i, A.1.k:</p>
<p>
Software used on production servers must be kept current with respect to patches affecting software security. Patch application is governed by CCS and must be approved by the systems administration team leader, fully documented in the logs and reported by email to the systems administration list on completion (see §4.2).
</p>
<h5> 3.2.3.1. “emergency” patching </h5>
<p>
Application of a patch is deemed an <i>emergency</i>
when a remote exploit for a weakness in the particular piece
of software has become known
(on servers allowing direct local user access,
an emergent local exploit may also be deemed to be an emergency).
Application of patches in this case may occur as soon as possible,
bypassing the normal configuration-change process.
The systems administration team leader must either approve the patch,
instruct remedial action, or refer the case to dispute resolution.
</p>
<p>
<b>
Declaration of an emergency patching situation should not occur with any regularity.
</b>
Emergency patch events must be documented within the regular summaries to Board.
</p>
<h3> 3.3. Application </h3>
<pclass="q">
This section deals with applications written in-house.<br>
CPS 6.6 refers to this section for all info.
</p>
<p>
Software development takes place on various test systems (not a critical system). See §7. Once offered by Software Development (team), system administration team leader has to approve the installation of each release or patch.
</p>
<p>
Any changes made to source code must be referred back to software development.
</p>
<h3> 3.4. Access control </h3>
<p>
General user access to CAcert services shall normally be conducted through a web-based application interface. Features are made available according to Assurance Points and direct permissions.
</p>
<p>
Direct Permissions are managed by the Application to enable special online administrators from the Support Team access to certain functions.
</p>
<p>
Direct command-line access to critical systems shall only be granted to systems administrators designated on the Remote and Virtual Access and Contact List (SSH Access List). Systems administrators who appear on the CAcert _Access_ List in the MoU, Appendix B, are implied to be on the SSH Access List.
</p>
<ulclass="q">
<li> this means that Oophaga have a veto on the administrators who can remote access the data. </li>
<li> yet Oophaga have no view over the data, nor authority. </li>
<li> Probably the list has to be split into two, one in the MoU framework, and another purely managed by CAcert. </li>
</ul>
<h4> 3.4.1. Authorisation </h4>
<p>
The access control lists are:
</p>
<ul><li>
Online support team members,
managed by the Systems Administration team leader.
</li><li>
SSH Access List, maintained by the Systems Administration team leader.
</li></ul>
<p>
Changes to the above lists are approved by the board.
</p>
<h4> 3.4.2. Authentication </h4>
<p>
A strong method of authentication is used and documented.
</p>
<h4> 3.4.3. Removing access </h4>
<p>
Upon resignation from systems administration team, or determination by two members of the OS access list that access is no longer required, an entity's access to CAcert systems may be be temporarily removed. The removal is made permanent when the Board approves the change to the Access List.
</p>
<pclass="q">Maybe easier just to say, on direction of the Arbitrator.</p>
The board is responsible for the CA at the executive level.
</p>
<h3><aname="9.5.2"> 9.5.2. </a> Response to external (legal) inquiry</h3>
<p>
All external inquiries of security import are filed as disputes and placed before the Arbitrator under DRP.
</p>
<p>
Only the Arbitrator has the authority to deal with external requests and/or create a procedure. Systems administrators, board members and other key roles do not have the authority to answer legal inquiry. The Arbitrator's ruling may instruct individuals, and becomes your authority to act.
</p>
<h2><aname="10">10.</a> REFERENCES</h2>
<h3><aname="10.1">10.1</a> Contacts </h3>
<p>
Contact information for all key people and teams must be documented.
</p>
<h3><aname="10.2">10.2</a> Documents </h3>
<p>
All incorporated Documents must be documented.
</p>
<h3><aname="10.3">10.3</a> Related Documents </h3>
<p>
Relevant and helpdul Documents should be referenced for convenience.
<ahref="http://validator.w3.org/check?uri=referer"><imgsrc="Images/valid-html401-blue.png"id="graphics2"alt="Valid HTML 4.01"align="right"border="0"height="33"width="90"></a>