re-org of 9.4

git-svn-id: http://svn.cacert.org/CAcert/Policies@1886 14b1bab8-4ef6-0310-b690-991c95c89dfd

SecurityPolicy.html

@@ -48,6 +48,7 @@ a:hover {
 <body lang="en-GB">
 
 <ul class="change">
+<li> 20100424: tidied up 9.4 </li>
 <li> 20100422: added 9.3.2 notification requirement. </li>
 <li> 20100421: reviewed and dropped the BLUE changes that introduced AE, etc. </li>
 <li> 20100411: rewrote the critical roles to align with ABC requirement, dropped Board. </li>
@@ -213,7 +214,7 @@ This policy document says what is done, rather than how to do it.
 
 <p>
 This Policy explicitly defers detailed security practices to the
-<a href="http://wiki.cacert.org/wiki/SecurityManual">Security Manual</a>
+<a href="http://wiki.cacert.org/SecurityManual">Security Manual</a>
 ("SM").
 The SM says how things are done.
 As practices are things that vary from time to time,
@@ -244,7 +245,7 @@ explicitly defer single, cohesive components of the
 security practices into separate procedures documents.
 Each procedure should be managed in a wiki page under
 their control, probably at
-<a href="http://wiki.cacert.org/wiki/SystemAdministration/Procedures">
+<a href="http://wiki.cacert.org/SystemAdministration/Procedures">
 SystemAdministration/Procedures</a>.
 Each procedure must be referenced explicitly in the Security Manual.
 </p>
@@ -1351,12 +1352,11 @@ and becomes your authority to act.
 
 <p>
 Components may be outsourced.
+<span class="strike">
 Team leaders may outsource non-critical components
 on notifying the Board.
 Critical components must be approved by the Board.
-</p>
-
-<p>
+</span>
 Any outsourcing arrangements must be documented.
 All arrangements must be:
 </p>
@@ -1386,9 +1386,11 @@ All arrangements must be:
 
 <p>
 Contracts should be written with the above in mind.
+<span class="change">
+Outsourcing of critical components must be approved by the Board.
+</span>
 </p>
 
-
 <h3 id="s9.5">9.5 Confidentiality, Secrecy </h3>
 
 <p>