@ -46,12 +46,12 @@ These roles are directly covered:
</li><li>
</li><li>
Systems Administrators
Systems Administrators
</li><li>
</li><li>
Support Engineer
Support Engineers
</li><li>
</li><li>
Software Assessors
Software Assessors
</li></ul>
</li></ul>
<h4><aname="1.1.1">1.1.2.</a> Out of Scope </h4>
<h4><aname="1.1.2">1.1.2.</a> Out of Scope </h4>
<p>
<p>
Non-critical systems are not covered by this manual,
Non-critical systems are not covered by this manual,
@ -189,7 +189,7 @@ access security.
<p>
<p>
Computers shall be inventoried before being put into service.
Computers shall be inventoried before being put into service.
Inventory list shall be available to all
Inventory list shall be available to all
Access Engineeers and all Systems Administrators.
Access Engineers and all Systems Administrators.
List must be subject to change control.
List must be subject to change control.
</p>
</p>
@ -254,7 +254,7 @@ The following steps are to be taken:
<ol><li>
<ol><li>
The media is securely destroyed, <b>or</b>
The media is securely destroyed, <b>or</b>
</li><li>
</li><li>
the media is to be securely erased,
the media is securely erased,
and stored securely.
and stored securely.
</li></ol>
</li></ol>
@ -360,7 +360,7 @@ and must be reported and logged.
<h5> 3.1.1.2. Internal connectivity </h5>
<h5> 3.1.1.2. Internal connectivity </h5>
<p>
<p>
System and server connections internal to the CAcert infrastructure should be kept to the minimum required for routine operations. Any new connectivity desired must be requested and approved by system administration team leader and then must be reflected in the appropriate infrastructure diagram(s).
System and server connections internal to the CAcert infrastructure should be kept to the minimum required for routine operations. Any new connectivity desired must be requested and approved by System administration team leader and then must be reflected in the appropriate infrastructure diagram(s).
</p>
</p>
@ -404,7 +404,7 @@ Servers must enable only the operating system functions required to support the
</p>
</p>
<p>
<p>
Documentation for installing and configuring servers with the appropriate software packages and configurations will be maintained by the system administrators.
Documentation for installing and configuring servers with the appropriate software packages and configurations will be maintained by the System Administrators.
</p>
</p>
@ -429,7 +429,7 @@ instruct remedial action, and refer the case to dispute resolution.
</p>
</p>
<p>
<p>
<b>
<b><!-- this comment left in bold deliberatel -->
Declaration of an emergency patching situation should not occur with any regularity.
Declaration of an emergency patching situation should not occur with any regularity.
</b>
</b>
Emergency patch events must be documented
Emergency patch events must be documented
@ -455,6 +455,12 @@ and installation needs to be deferred
until approved by the Software Assessment Team.
until approved by the Software Assessment Team.
</p>
</p>
<p>
Requests to systems administration for ad hoc queries
over the database for business or similar purposes
must be approved by the Arbitrator.
</p>
<h3><aname="3.4"> 3.4.</a> Access control </h3>
<h3><aname="3.4"> 3.4.</a> Access control </h3>
<p>
<p>
@ -494,13 +500,13 @@ authorisations on the below access control lists
<td>Board of CAcert (or designee)</td>
<td>Board of CAcert (or designee)</td>
</tr><tr>
</tr><tr>
<td>Physical Access List</td>
<td>Physical Access List</td>
<td>systems administrators</td>
<td>Systems Administrators</td>
<td>hardware-level for installation and recovery</td>
<td>hardware-level for installation and recovery</td>
<td>exclusive with Access Engineers and Software Assessors</td>
<td>exclusive with Access Engineers and Software Assessors</td>
<td>Board of CAcert (or designee)</td>
<td>Board of CAcert (or designee)</td>
</tr><tr>
</tr><tr>
<td>SSH Access List</td>
<td>SSH Access List</td>
<td>systems administrators</td>
<td>Systems Administrators</td>
<td>Unix / account / shell level</td>
<td>Unix / account / shell level</td>
<td> includes by default all on Physical Access List </td>
<td> includes by default all on Physical Access List </td>
<td>systems administration team leader</td>
<td>systems administration team leader</td>
@ -512,7 +518,7 @@ authorisations on the below access control lists
<td>systems administration team leader</td>
<td>systems administration team leader</td>
</tr><tr>
</tr><tr>
<td>Repository Access List</td>
<td>Repository Access List</td>
<td>software assessors</td>
<td>Software Assessors</td>
<td>change the source code repository</td>
<td>change the source code repository</td>
<td>exclusive with Access Engineers and systems administrators</td>
<td>exclusive with Access Engineers and systems administrators</td>
<td>software assessment team leader</td>
<td>software assessment team leader</td>
@ -520,7 +526,11 @@ authorisations on the below access control lists
<p>
<p>
All changes to the above lists are approved by the board of CAcert.
All changes
<B>
of personnel
</B>
to the above lists are approved by the Board of CAcert.