many changes suggested by policy group now incorporated,

ready for DRAFT, should take out some <B> sections.


git-svn-id: http://svn.cacert.org/CAcert/Policies@1237 14b1bab8-4ef6-0310-b690-991c95c89dfd
pull/1/head
Ian Grigg 16 years ago
parent 129a4ca022
commit 081c250ebe

@ -10,8 +10,8 @@
<h1>Security Policy for CAcert Systems</h1>
<p><a href="PolicyOnPolicy.html"><img src="Images/cacert-wip.png" alt="CAcert Security Policy Status == wip" border="0"></a>
<br>
Creation date: 2009-02-16<br>
Status: <i>work-in-progress</i>
Creation date: 20090216<br>
Status: <i>work-in-progress</i>, to DRAFT 20090327
</p>
<h2><a name="1">1.</a> INTRODUCTION</h2>
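Review bot: the creation date loses its ISO 8601 form in the replacement line ("Creation date: 20090216" versus the removed "Creation date: 2009-02-16"); unless compact dates are a house convention, keep the hyphenated form and write the new target date the same way, e.g. "to DRAFT 2009-03-27". The status image and alt text ("cacert-wip.png", "Status == wip") are unchanged, which is correct while the status line still reads work-in-progress.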
@ -35,7 +35,7 @@ These systems include:
Board may add additional components into the Security Manual.
</p>
<h4><a name="1.1.1">1.1.1.</a> Effected Personnel </h4>
<h4><a name="1.1.1">1.1.1.</a> Covered Personnel </h4>
<p>
These roles are directly covered:
@ -46,12 +46,12 @@ These roles are directly covered:
</li><li>
Systems Administrators
</li><li>
Support Engineer
Support Engineers
</li><li>
Software Assessors
</li></ul>
<h4><a name="1.1.1">1.1.2.</a> Out of Scope </h4>
<h4><a name="1.1.2">1.1.2.</a> Out of Scope </h4>
<p>
Non-critical systems are not covered by this manual,
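Review bot: the anchor change from name="1.1.1" to name="1.1.2" on the Out of Scope heading fixes a duplicate anchor, so any existing link to #1.1.1 that was meant to reach Out of Scope now lands on Covered Personnel; grep the policy set for href="#1.1.1" before merging.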
@ -189,7 +189,7 @@ access security.
<p>
Computers shall be inventoried before being put into service.
Inventory list shall be available to all
Access Engineeers and all Systems Administrators.
Access Engineers and all Systems Administrators.
List must be subject to change control.
</p>
@ -254,7 +254,7 @@ The following steps are to be taken:
<ol><li>
The media is securely destroyed, <b>or</b>
</li><li>
the media is to be securely erased,
the media is securely erased,
and stored securely.
</li></ol>
@ -360,7 +360,7 @@ and must be reported and logged.
<h5> 3.1.1.2. Internal connectivity </h5>
<p>
System and server connections internal to the CAcert infrastructure should be kept to the minimum required for routine operations. Any new connectivity desired must be requested and approved by system administration team leader and then must be reflected in the appropriate infrastructure diagram(s).
System and server connections internal to the CAcert infrastructure should be kept to the minimum required for routine operations. Any new connectivity desired must be requested and approved by System administration team leader and then must be reflected in the appropriate infrastructure diagram(s).
</p>
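Review bot: "System administration team leader" capitalises only the first word, which matches neither the lowercase "systems administration team leader" used in the access control table nor the title-case "Systems Administrators" introduced in this commit; pick one spelling of the role title and apply it throughout.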
@ -404,7 +404,7 @@ Servers must enable only the operating system functions required to support the
</p>
<p>
Documentation for installing and configuring servers with the appropriate software packages and configurations will be maintained by the system administrators.
Documentation for installing and configuring servers with the appropriate software packages and configurations will be maintained by the System Administrators.
</p>
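Review bot: "System Administrators" here versus "Systems Administrators" in 1.1.1 and in the Physical Access List row: this commit fixes capitalisation but leaves the singular/plural form of the title varying between hunks; settle on one form ("Systems Administrators" is the form the role list in 1.1.1 uses).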
@ -429,7 +429,7 @@ instruct remedial action, and refer the case to dispute resolution.
</p>
<p>
<b>
<b> <!-- this comment left in bold deliberatel -->
Declaration of an emergency patching situation should not occur with any regularity.
</b>
Emergency patch events must be documented
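Review bot: typo in the added HTML comment, "deliberatel" should read "deliberately"; since the commit message says some <B> sections are to be taken out before DRAFT, a correctly spelled marker makes it easier to tell this intentional bold apart from the temporary review markers.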
@ -455,6 +455,12 @@ and installation needs to be deferred
until approved by the Software Assessment Team.
</p>
<p>
Requests to systems administration for ad hoc queries
over the database for business or similar purposes
must be approved by the Arbitrator.
</p>
<h3><a name="3.4"> 3.4.</a> Access control </h3>
<p>
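Review bot: the new paragraph writes "systems administration" in lowercase while the same commit capitalises the role elsewhere. More substantively, an Arbitrator-approved ad hoc query over the database is a sensitive event, so consider adding that the request, the approval and the query itself are logged, consistent with 4.2.1 ("All sensitive events should be logged").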
@ -494,13 +500,13 @@ authorisations on the below access control lists
<td>Board of CAcert (or designee)</td>
</tr><tr>
<td>Physical Access List</td>
<td>systems administrators</td>
<td>Systems Administrators</td>
<td>hardware-level for installation and recovery</td>
<td>exclusive with Access Engineers and Software Assessors</td>
<td>Board of CAcert (or designee)</td>
</tr><tr>
<td>SSH Access List</td>
<td>systems administrators</td>
<td>Systems Administrators</td>
<td>Unix / account / shell level</td>
<td> includes by default all on Physical Access List </td>
<td>systems administration team leader</td>
@ -512,7 +518,7 @@ authorisations on the below access control lists
<td>systems administration team leader</td>
</tr><tr>
<td>Repository Access List</td>
<td>software assessors</td>
<td>Software Assessors</td>
<td>change the source code repository</td>
<td>exclusive with Access Engineers and systems administrators</td>
<td>software assessment team leader</td>
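Review bot: the cell "exclusive with Access Engineers and systems administrators" and the authoriser cells "software assessment team leader" / "systems administration team leader" are left lowercase in the same table whose role cells this commit capitalises; apply the same convention to the whole table in one pass rather than row by row.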
@ -520,7 +526,11 @@ authorisations on the below access control lists
<p>
All changes to the above lists are approved by the board of CAcert.
All changes
<B>
of personnel
</B>
to the above lists are approved by the Board of CAcert.
</p>
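Review bot: "All changes of personnel to the above lists" reads awkwardly; "All changes to personnel on the above lists" says the same thing more clearly. The uppercase <B> tags used here as a review marker differ from the lowercase <b> used for the deliberately bold emergency patching sentence, which is useful for finding the markers to strip before DRAFT, so keep that distinction consistent across the file.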
<h4><a name="3.4.3"> 3.4.3.</a> Authentication </h4>
@ -566,7 +576,7 @@ to CAcert sysadmins in all cases.
<h5> <a name="4.1.1.1">4.1.1.1.</a> Authorized users </h5>
<p>
Only system administrators designated on the Access Lists
Only System Administrators designated on the Access Lists
in &sect;3.4.2 are authorized to access accounts,
unless specifically directed by the Arbitrator.
</p>
@ -590,7 +600,7 @@ Response times should be documented for Disaster Recovery planning. See &sect;6
<h4> <a name="4.1.3">4.1.3.</a> Change management procedures </h4>
<p>
All changes made to system configuration must be recorded
and reported in regular summaries to the board of CAcert.
and reported in regular summaries to the Board of CAcert.
</p>
<h4> <a name="4.1.4">4.1.4.</a> Outsourcing </h4>
@ -600,7 +610,8 @@ and reported in regular summaries to the board of CAcert.
<h4> <a name="4.2.1">4.2.1.</a> Coverage </h4>
<p>
All sensitive events should be logged.
All sensitive events should be logged
<B> reliably </B>.
Logs should be deleted after an appropriate amount of time
as documented in the Security Manual.
</p>
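Review bot: "logged <B> reliably </B>" adds a requirement with no testable meaning on its own; either define what reliable logging means in the Security Manual, which the next sentence already references for retention, or drop the word.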
@ -668,7 +679,7 @@ Off-site backups must be dual-encrypted using divergent methods.
<h4> <a name="4.3.6">4.3.6.</a> Verifying Backups </h4>
<p>
Two CAcert system administrators must be
Two CAcert System Administrators must be
present for verification of a backup.
Four eyes principle must be maintained when the key and backup are together.
For any other purpose than verification of the success of the backup, see next.
@ -882,7 +893,7 @@ Test status of each patch must be logged.
<p>
Software assessment team maintains a bug system.
Primary communications should go through this system.
Management access should be granted to all software assessors,
Management access should be granted to all Software Assessors,
software developers, and systems administrators.
Bug submission access should be provided to
any Member that requests it.
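Review bot: the changed line capitalises "Software Assessors" but the continuation "software developers, and systems administrators" in the same sentence stays lowercase; the sentence should use one convention. Note also that "software developers" is not among the roles in the bulleted role list (Access Engineer, System administrator, Software Assessor, Support Engineer, Team leaders, Board), so it may need either the same treatment or a definition.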
@ -896,7 +907,7 @@ coordinates with systems administration (team leader)
to offer the upgrade.
Upgrade format is to be negotiated,
but systems administration naturally has the last word.
Software assessors are not to have access
Software Assessors are not to have access
to the critical systems, providing a dual control
at the teams level.
</p>
@ -907,7 +918,7 @@ application source code in the version control system
is necessary to deploy the application,
detailed installation instructions should also be
maintained in the version control system and offered to the
system administrators.
System Administrators.
</p>
<p>
@ -1005,9 +1016,9 @@ or Case Managers.
<ul>
<li> Access Engineer: responsible for controlling access to hardware, and maintaining hardware. </li>
<li> System administrator: responsible for maintaining core services and integrity. </li>
<li> Software assessor: maintain the code base and confirm security ("sign-off") of patches and releases.</li>
<li> Software Assessor: maintain the code base and confirm security ("sign-off") of patches and releases.</li>
<li> Support Engineer: human interface with users.</li>
<li> Team leaders: coordinate with teams, report to board.</li>
<li> Team leaders: coordinate with teams, report to Board.</li>
<li> All: respond to Arbitrator's rulings on changes. Respond to critical security issues. Observe.</li>
<li> Board: authorise new individuals and accesses. Coordinate overall. </li>
</ul>
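Review bot: "System administrator: responsible for maintaining core services and integrity" is left with a lowercase "administrator" while the neighbouring item is changed to "Software Assessor"; capitalise it the same way, and align it with whichever of "System"/"Systems" the rest of the document settles on.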
@ -1071,10 +1082,10 @@ The background check should be done on all of:
</p>
<ul>
<li> systems administrator </li>
<li> access engineeers </li>
<li> software assessor </li>
<li> support engineer </li>
<li> Systems Administrator </li>
<li> Access Engineers </li>
<li> Software Assessor </li>
<li> Support Engineer </li>
<li> Board </li>
</ul>
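Review bot: the replaced list mixes number: "Systems Administrator", "Software Assessor" and "Support Engineer" are singular while "Access Engineers" is plural; use one form for all four.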
@ -1174,11 +1185,24 @@ especially of new team members.
<h4> <a name="9.2.1"> 9.2.1. </a> Root Key generation</h4>
<B>
<p>
Root keys should be generated on a machine built securely
for that purpose only and cleaned/wiped/destroyed immediately afterwards.
Root keys are generated only on instruction from the Board.
They must be generated to a fully documented and reviewed procedure.
The procedure must include:
</p>
<ul>
<li> Use of hardware built securely for the purpose
only and cleaned/wiped/destroyed immediately afterwards. </li>
<li> Dual control over all phases, including by Board. </li>
<li> Strong collection of primary entropy, separated from use of entropy. </li>
<li> Test cycles of the process on the day. </li>
<li> Documentation of each step as it happens against the procedure. </li>
<li> Confirmation by each participant over the process and the results. </li>
</ul>
</B>
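Review bot: wrapping the <p> and <ul> of 9.2.1 in <B>...</B> puts block elements inside an inline element, which is invalid HTML and renders inconsistently across browsers; if the bold is a temporary review marker (the commit message says some <B> sections are to come out before DRAFT) that is fine, otherwise move the marker inside each block. On content, "Dual control over all phases, including by Board" and "Documentation of each step as it happens against the procedure" are the right controls; consider stating where that documentation and the participants' confirmations are kept, since the hardware they are produced on is to be cleaned/wiped/destroyed immediately afterwards.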
<h4> <a name="9.2.2"> 9.2.2. </a> Backup and escrow</h4>
<p>
@ -1206,7 +1230,7 @@ Recovery must only be conducted under Arbitrator authority.
<h4> <a name="9.3.1"> 9.3.1. </a> Responsibility</h4>
<p>
The board is responsible to the Community to manage
The Board is responsible to the Community to manage
the CA at the executive level.
</p>
@ -1220,7 +1244,7 @@ All external inquiries of security import are filed as disputes and placed befor
Only the Arbitrator has the authority
to deal with external requests and/or create a procedure.
Access Engineers, systems administrators,
board members and other key roles
Board members and other key roles
do not have the authority to answer legal inquiry.
The Arbitrator's ruling may instruct individuals,
and becomes your authority to act.
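Review bot: "board members" is capitalised to "Board members" but "systems administrators" in the same list one line earlier stays lowercase; capitalise it too.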
@ -1231,8 +1255,8 @@ and becomes your authority to act.
<p>
Components may be outsourced.
Team leaders may outsource non-critical components
on notifying the board.
Critical components must be approved by the board.
on notifying the Board.
Critical components must be approved by the Board.
<p>
<p>
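Review bot: the paragraph is never closed: the text is followed by "<p>" and then another "<p>", so the first should be "</p>" and the empty paragraph dropped; this is pre-existing context, but the hunk already touches the lines directly above it.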
@ -1277,15 +1301,20 @@ of open disclosure wherever possible.
See <a href="https://svn.cacert.org/CAcert/principles.html">
Principles</a>.
This is not a statement of politics but a statement of security;
if a subject can only sustain under some
confidentiality or secrecy, then find another way.
<B>
if a security issue can only be sustained
</B>
under some confidentiality or secrecy, then find another way.
</p>
<p>
In concrete terms,
only under a defined exception under policy,
or under the oversight of the Arbitrator,
may confidentiality or secrecy be maintained.
<B>
confidentiality or secrecy may be maintained only
under a defined method in policy,
or under the oversight of the Arbitrator
(which itself is under DRP).
</B>
The exception itself must not be secret or confidential.
All secrets and confidentials are reviewable under Arbitration,
and may be reversed.
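Review bot: the rewording replaces "a defined exception under policy" with "a defined method in policy", but the next sentence, "The exception itself must not be secret or confidential", still says "exception"; change it to match ("The method itself ..."). "DRP" is also used here without expansion; spell it out on first use.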
