diff --git a/SecurityPolicy.html b/SecurityPolicy.html index 9b69ed1..cf7b90d 100644 --- a/SecurityPolicy.html +++ b/SecurityPolicy.html @@ -10,8 +10,8 @@
-Creation date: 2009-02-16
-Status: work-in-progress
+Creation date: 20090216
+Status: work-in-progress, to DRAFT 20090327
These roles are directly covered: @@ -46,12 +46,12 @@ These roles are directly covered:
Non-critical systems are not covered by this manual, @@ -189,7 +189,7 @@ access security.
Computers shall be inventoried before being put into service. Inventory list shall be available to all -Access Engineeers and all Systems Administrators. +Access Engineers and all Systems Administrators. List must be subject to change control.
@@ -254,7 +254,7 @@ The following steps are to be taken:-System and server connections internal to the CAcert infrastructure should be kept to the minimum required for routine operations. Any new connectivity desired must be requested and approved by system administration team leader and then must be reflected in the appropriate infrastructure diagram(s). +System and server connections internal to the CAcert infrastructure should be kept to the minimum required for routine operations. Any new connectivity desired must be requested and approved by System administration team leader and then must be reflected in the appropriate infrastructure diagram(s).
@@ -404,7 +404,7 @@ Servers must enable only the operating system functions required to support the-Documentation for installing and configuring servers with the appropriate software packages and configurations will be maintained by the system administrators. +Documentation for installing and configuring servers with the appropriate software packages and configurations will be maintained by the System Administrators.
@@ -429,7 +429,7 @@ instruct remedial action, and refer the case to dispute resolution.- + Declaration of an emergency patching situation should not occur with any regularity. Emergency patch events must be documented @@ -455,6 +455,12 @@ and installation needs to be deferred until approved by the Software Assessment Team.
++Requests to systems administration for ad hoc queries +over the database for business or similar purposes +must be approved by the Arbitrator. +
+@@ -494,13 +500,13 @@ authorisations on the below access control lists
-All changes to the above lists are approved by the board of CAcert. +All changes + +of personnel + +to the above lists are approved by the Board of CAcert.
-Only system administrators designated on the Access Lists +Only System Administrators designated on the Access Lists in §3.4.2 are authorized to access accounts, unless specifically directed by the Arbitrator.
@@ -590,7 +600,7 @@ Response times should be documented for Disaster Recovery planning. See §6All changes made to system configuration must be recorded -and reported in regular summaries to the board of CAcert. +and reported in regular summaries to the Board of CAcert.
-All sensitive events should be logged. +All sensitive events should be logged + reliably . Logs should be deleted after an appropriate amount of time as documented in the Security Manual.
@@ -668,7 +679,7 @@ Off-site backups must be dual-encrypted using divergent methods.-Two CAcert system administrators must be +Two CAcert System Administrators must be present for verification of a backup. Four eyes principle must be maintained when the key and backup are together. For any other purpose than verification of the success of the backup, see next. @@ -882,7 +893,7 @@ Test status of each patch must be logged.
Software assessment team maintains a bug system. Primary communications should go through this system. -Management access should be granted to all software assessors, +Management access should be granted to all Software Assessors, software developers, and systems administrators. Bug submission access should be provided to any Member that requests it. @@ -896,7 +907,7 @@ coordinates with systems administration (team leader) to offer the upgrade. Upgrade format is to be negotiated, but systems administration naturally has the last word. -Software assessors are not to have access +Software Assessors are not to have access to the critical systems, providing a dual control at the teams level.
@@ -907,7 +918,7 @@ application source code in the version control system is necessary to deploy the application, detailed installation instructions should also be maintained in the version control system and offered to the -system administrators. +System Administrators.@@ -1005,9 +1016,9 @@ or Case Managers.
-Root keys should be generated on a machine built securely -for that purpose only and cleaned/wiped/destroyed immediately afterwards. +Root keys are generated only on instruction from the Board. +They must be generated to a fully documented and reviewed procedure. +The procedure must include:
+@@ -1206,7 +1230,7 @@ Recovery must only be conducted under Arbitrator authority.
-The board is responsible to the Community to manage +The Board is responsible to the Community to manage the CA at the executive level.
@@ -1220,7 +1244,7 @@ All external inquiries of security import are filed as disputes and placed befor Only the Arbitrator has the authority to deal with external requests and/or create a procedure. Access Engineers, systems administrators, -board members and other key roles +Board members and other key roles do not have the authority to answer legal inquiry. The Arbitrator's ruling may instruct individuals, and becomes your authority to act. @@ -1231,8 +1255,8 @@ and becomes your authority to act.Components may be outsourced. Team leaders may outsource non-critical components -on notifying the board. -Critical components must be approved by the board. +on notifying the Board. +Critical components must be approved by the Board.
@@ -1277,15 +1301,20 @@ of open disclosure wherever possible. See Principles. This is not a statement of politics but a statement of security; -if a subject can only sustain under some -confidentiality or secrecy, then find another way. + +if a security issue can only be sustained + +under some confidentiality or secrecy, then find another way.
In concrete terms, -only under a defined exception under policy, -or under the oversight of the Arbitrator, -may confidentiality or secrecy be maintained. + +confidentiality or secrecy may be maintained only +under a defined method in policy, +or under the oversight of the Arbitrator +(which itself is under DRP). + The exception itself must not be secret or confidential. All secrets and confidentials are reviewable under Arbitration, and may be reversed.
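Review bot: the metadata hunk (@@ -10,8) changes the date format from ISO 8601 (`2009-02-16`) to a compact `20090216`, and the new status line "work-in-progress, to DRAFT 20090327" adds a second compact date; keeping `Creation date: 2009-02-16` and writing something like `Status: work-in-progress, DRAFT as of 2009-03-27` would keep both dates in one unambiguous format and make the status transition readable.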
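Review bot: the role-name capitalisation pass is incomplete. The @@ -254 hunk produces "System administration team leader" (only the first word capitalised), the @@ -455 addition says "systems administration", the @@ -882 hunk keeps "software developers, and systems administrators" in lower case right next to the newly capitalised "Software Assessors", and the @@ -1220 hunk leaves "systems administrators" in lower case beside the changed "Board members". If "System Administrators" and "Board" are now defined role names, the remaining occurrences should be changed in the same commit so the document does not read as if two different roles exist.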
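Review bot: the new ad hoc query clause (@@ -455) names the approver but no record-keeping. Approved requests and the queries actually run should be logged with a reference to the approval, so that the action is reviewable under Arbitration later; the "All sensitive events should be logged reliably" clause elsewhere in this patch covers execution only if ad hoc database queries are explicitly classed as sensitive events. "systems administration" here should also match the "System Administrators" naming adopted elsewhere in the patch.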
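Review bot: in the access-list hunk (@@ -494), narrowing "All changes to the above lists" to "All changes of personnel to the above lists" leaves non-personnel changes (adding or removing a list, changing what a list grants) without a stated approver; either name who approves those or keep the broader wording. Splitting the sentence across three added lines ("All changes", "of personnel", "to the above lists ...") separated by blank lines also renders oddly in the diff; one line would be clearer.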
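Review bot: in the logging hunk (@@ -590), "logged + reliably ." introduces stray spaces before the full stop and leaves "reliably" undefined. State the property intended (for example that log records cannot be lost or altered by the system being logged, or by a single administrator) or point to the section of the Security Manual that defines it, since the following sentence already delegates log retention to that manual.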
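Review bot: the rewritten root-key clause (@@ -1005) drops two concrete controls the removed text carried: that the generation machine is built securely for that purpose only, and that it is cleaned/wiped/destroyed immediately afterwards. The new text ends with "The procedure must include:" and the list itself is not in this hunk, so please confirm both items appear in that list; otherwise the change weakens the requirement rather than restating it.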
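Review bot: in the disclosure hunk (@@ -1277), the replacement "under a defined method in policy" no longer matches the unchanged next sentence "The exception itself must not be secret or confidential", which still refers to an exception; either keep "exception" in the new line or change the following sentence to match. "if a security issue can only be sustained under some confidentiality or secrecy" is also awkward, since it is the security, not the issue, that is being sustained; "if security can only be maintained under some confidentiality or secrecy" is closer to the intent. The acronym DRP in "(which itself is under DRP)" should be expanded or linked at this first use in the section.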