diff --git a/SecurityPolicy.html b/SecurityPolicy.html
index dcfdc01..b51d64e 100644
--- a/SecurityPolicy.html
+++ b/SecurityPolicy.html
@@ -15,6 +15,25 @@ DT { color: #000000 }
DD { color: #000000 }
H3 { color: #000000 }
TH P { color: #000000 }
+
+.q {
+ color : green;
+ font-weight: bold;
+ text-align: center;
+ font-style:italic;
+}
+
+.error {
+ color : red;
+ font-weight: bold;
+ text-align: center;
+ font-style:italic;
+}
+
+.change {
+ color : blue;
+ font-weight: bold;
+}
-->
@@ -27,7 +46,7 @@ Creation date: 2009-02-16
Status: work-in-progress
@@ -154,11 +173,180 @@ security practices into separate procedures documents. Each procedure should be managed in a wiki page under their control, probably at -SystemAdministrationProcedures. +SystemAdministration/Procedures. Each procedure must be referenced explicitly in the Security Manual.
++Physical assets and security procedures are generally provided and maintained as set forth in the Memorandum of Understanding between CAcert and Stichting Oophaga Foundation of 10 July 2007, and as amended from time to time. Approval of both boards of CAcert and Oophaga is required for changes to the MoU. +
+ ++The MoU places responsibility for the physical assets (hardware), hosting and for control of access to the hardware with Oophaga. +
+ ++CAcert shall host critical servers in a highly secure facility. +There shall be independent verification of the physical and +access security. +
+ ++Computers shall be inventoried before being put into service. +Inventory list shall be available to all Systems Administrators. +Units shall have nickname clearly marked on front and rear of chassis. +Machines shall be housed in secured facilities (cages and/or locked racks). +
+ ++Acquisition of new equipment that is subject to a +pre-purchase security risk must be done from a +vendor that is regularly and commercially in business. +Precautions must be taken to prevent equipment being +prepared in advance. +
+ ++Acquisition may be done by CAcert systems administrators +but the ownership and control of the hardware transfers +to Oophaga the moment the equipment is in use. +
+ ++Cabling to all equipment shall be labeled at both ends +with identification of end points. +
+ ++Storage media (disk drives, tapes, removable media) +are inventoried upon acquisition by Oophaga. +CAcert system administrators will report any changes +in the use or location of the media to Oophaga and to the routine +logging list. +
+ ++New storage media (whether disk or removable) shall be +securely wiped and reformatted before use. +
+ ++Removable media shall be securely stored at all times, +including when not in use. When there is a change to +status of media, a report is made to the log specifying +the new status +(sysadmins present, steps taken, location of storage, etc). +Drives that are kept for reuse are wiped securely before storage. +Reuse can only be within critical systems. +
+ ++Storage media that is exposed to critical data and is +to be retired from service shall be destroyed or otherwise secured. +The following steps are to be taken: +
+ ++Records of secure erasure and method of final disposal +shall be tracked in the asset inventory. +Where critical data is involved, +2 system administrators must sign-off on each step. +
+ ++In accordance with the principle of dual control, +at least two persons authorized for access must +be on-site at the same time for physical access to be granted. +
+ ++Access to physical equipment must be authorised. +
+ ++The Security Manual must present the different access profiles. +At least one CAcert systems administrator will be present for +logical access to CAcert critical servers. +Only the most basic and safest of accesses should be done with +one CAcert systems administrator present. +Oophaga representatives must not access the data. +
+ ++All physical accesses are logged and reported to all. +
+ ++There is no procedure for emergency access. +If emergency access is gained, +this must be reported and justified immediately. +See DPR. +
+ ++All personel who are in possession of physical security +codes and devices (keys) are to be authorised and documented. +
+ + + + +This is the end of the Security Policy.