|
|
|
@ -48,6 +48,7 @@ a:hover {
|
|
|
|
<body lang="en-GB">
|
|
|
|
<body lang="en-GB">
|
|
|
|
|
|
|
|
|
|
|
|
<ul class="change">
|
|
|
|
<ul class="change">
|
|
|
|
|
|
|
|
<li> 20100424: tidied up 9.4 </li>
|
|
|
|
<li> 20100422: added 9.3.2 notification requirement. </li>
|
|
|
|
<li> 20100422: added 9.3.2 notification requirement. </li>
|
|
|
|
<li> 20100421: reviewed and dropped the BLUE changes that introduced AE, etc. </li>
|
|
|
|
<li> 20100421: reviewed and dropped the BLUE changes that introduced AE, etc. </li>
|
|
|
|
<li> 20100411: rewrote the critical roles to align with ABC requirement, dropped Board. </li>
|
|
|
|
<li> 20100411: rewrote the critical roles to align with ABC requirement, dropped Board. </li>
|
|
|
|
@ -213,7 +214,7 @@ This policy document says what is done, rather than how to do it.
|
|
|
|
|
|
|
|
|
|
|
|
<p>
|
|
|
|
<p>
|
|
|
|
This Policy explicitly defers detailed security practices to the
|
|
|
|
This Policy explicitly defers detailed security practices to the
|
|
|
|
<a href="http://wiki.cacert.org/wiki/SecurityManual">Security Manual</a>
|
|
|
|
<a href="http://wiki.cacert.org/SecurityManual">Security Manual</a>
|
|
|
|
("SM").
|
|
|
|
("SM").
|
|
|
|
The SM says how things are done.
|
|
|
|
The SM says how things are done.
|
|
|
|
As practices are things that vary from time to time,
|
|
|
|
As practices are things that vary from time to time,
|
|
|
|
@ -244,7 +245,7 @@ explicitly defer single, cohesive components of the
|
|
|
|
security practices into separate procedures documents.
|
|
|
|
security practices into separate procedures documents.
|
|
|
|
Each procedure should be managed in a wiki page under
|
|
|
|
Each procedure should be managed in a wiki page under
|
|
|
|
their control, probably at
|
|
|
|
their control, probably at
|
|
|
|
<a href="http://wiki.cacert.org/wiki/SystemAdministration/Procedures">
|
|
|
|
<a href="http://wiki.cacert.org/SystemAdministration/Procedures">
|
|
|
|
SystemAdministration/Procedures</a>.
|
|
|
|
SystemAdministration/Procedures</a>.
|
|
|
|
Each procedure must be referenced explicitly in the Security Manual.
|
|
|
|
Each procedure must be referenced explicitly in the Security Manual.
|
|
|
|
</p>
|
|
|
|
</p>
|
|
|
|
@ -1351,12 +1352,11 @@ and becomes your authority to act.
|
|
|
|
|
|
|
|
|
|
|
|
<p>
|
|
|
|
<p>
|
|
|
|
Components may be outsourced.
|
|
|
|
Components may be outsourced.
|
|
|
|
|
|
|
|
<span class="strike">
|
|
|
|
Team leaders may outsource non-critical components
|
|
|
|
Team leaders may outsource non-critical components
|
|
|
|
on notifying the Board.
|
|
|
|
on notifying the Board.
|
|
|
|
Critical components must be approved by the Board.
|
|
|
|
Critical components must be approved by the Board.
|
|
|
|
</p>
|
|
|
|
</span>
|
|
|
|
|
|
|
|
|
|
|
|
<p>
|
|
|
|
|
|
|
|
Any outsourcing arrangements must be documented.
|
|
|
|
Any outsourcing arrangements must be documented.
|
|
|
|
All arrangements must be:
|
|
|
|
All arrangements must be:
|
|
|
|
</p>
|
|
|
|
</p>
|
|
|
|
@ -1386,9 +1386,11 @@ All arrangements must be:
|
|
|
|
|
|
|
|
|
|
|
|
<p>
|
|
|
|
<p>
|
|
|
|
Contracts should be written with the above in mind.
|
|
|
|
Contracts should be written with the above in mind.
|
|
|
|
|
|
|
|
<span class="change">
|
|
|
|
|
|
|
|
Outsourcing of critical components must be approved by the Board.
|
|
|
|
|
|
|
|
</span>
|
|
|
|
</p>
|
|
|
|
</p>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<h3 id="s9.5">9.5 Confidentiality, Secrecy </h3>
|
|
|
|
<h3 id="s9.5">9.5 Confidentiality, Secrecy </h3>
|
|
|
|
|
|
|
|
|
|
|
|
<p>
|
|
|
|
<p>
|
|
|
|
|
Ian Grigg
15 years ago