diff --git a/SecurityPolicy.html b/SecurityPolicy.html index 96a210b..ed0f437 100644 --- a/SecurityPolicy.html +++ b/SecurityPolicy.html @@ -60,11 +60,12 @@ These systems include: Webserver + database (core server(s))
  • Signing service (signing server) -
  • - Support interface
  • Source code (changes and patches)
  • +

    +Board may add additional components into the Security Manual. +

    1.1.1. Effected Personnel
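Review bot: Removing "Support interface" from the list of covered systems takes it out of the policy's scope, and the added sentence only says the Board "may add" components, so nothing in this hunk states where the support interface is now governed. If it is meant to be covered by the new Support Engineers text in section 8, say so here or keep the list entry. The added sentence also reads better as "The Board may add additional components in the Security Manual."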

    @@ -361,7 +362,7 @@ All physical accesses are logged and reported to all.

    2.3.4. Emergency Access

    -There is no procedure for emergency access. +There must not be a procedure for emergency access. If, in the judgement of the systems administrator, emergency access is required and gained, @@ -369,7 +370,7 @@ in order to avoid a greater harm, independent authorisation before the Arbitrator must be sought as soon as possible. -See DPR. +See DRP.

    2.3.5. Physical Security codes & devices
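Review bot: In 2.3.4, "There must not be a procedure for emergency access" is followed directly by text describing what happens when emergency access "is required and gained" (authorisation before the Arbitrator "as soon as possible"), so the section forbids a procedure and then outlines one. State the intent explicitly, for example that no pre-authorised emergency route may exist and that any such access is an exception handled after the fact by the Arbitrator. The DPR to DRP correction in the same section looks fine.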

    @@ -409,7 +410,10 @@ systems and servers which do not require access to the Internet for their normal operation must not be granted that access. -Any exceptions must be documented in the Security Manual. +If such access becomes temporarily necessary for an +authorized administrative task, +such access may be granted under the procedures of the SM +and must be reported and logged.
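Review bot: The replacement text allows Internet access when "temporarily necessary" but sets no time limit, does not require the access to be withdrawn once the task is done, and does not say who authorises it or to whom it "must be reported". The removed line at least required every exception to be documented in the Security Manual; consider keeping that requirement and adding that the access is revoked on completion. "SM" is used here while the other hunks spell out "Security Manual", and "authorized" differs from the "authorisation" spelling used in 2.3.4.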

    @@ -431,7 +435,7 @@ All ports on which incoming traffic is expected shall be documented; traffic to
    3.1.2.2. Egress

    -All ports to which outbound traffic is initiated shall be documented; traffic to other ports must be blocked. Unexpected traffic must be logged as an exception. +All outbound traffic that is initiated shall be documented; traffic to other destinations must be blocked. Unexpected traffic must be logged as an exception.

    3.1.3. Intrusion detection
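Review bot: In 3.1.2.2 the new wording "All outbound traffic that is initiated shall be documented" can be read as recording every connection rather than documenting the permitted flows, and "other destinations" is not defined (host, port, protocol, or all three). The ingress context line above still speaks of "All ports on which incoming traffic is expected", so the two rules are no longer parallel. Suggest something like "All destinations (host, port and protocol) to which outbound traffic is initiated shall be documented; traffic to other destinations must be blocked."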

    @@ -533,7 +537,7 @@ controlled and logged. General access for Members shall be provided via -a dedicated web application. +a dedicated application. General features are made available according to Assurance Points and similar methods controlled in the software system. @@ -562,13 +566,13 @@ authorisations on the below access control lists Access Engineers control of access by personnel to hardware exclusive of all other roles - Boards of CAcert (or designee) + Board of CAcert (or designee) Physical Access List systems administrators hardware-level for installation and recovery exclusive with Access Engineers and Software Assessors - Boards of CAcert (or designee) + Board of CAcert (or designee) SSH Access List systems administrators @@ -598,7 +602,8 @@ All changes to the above lists are approved by the board of CAcert.

    -Strong methods of authentication shall be used. +Strong methods of authentication shall be used +wherever possible. All authentication schemes must be documented.
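Review bot: Adding "wherever possible" to "Strong methods of authentication shall be used" turns a mandatory control into a discretionary one with no criterion for when it is not possible and no approval step. If exceptions are needed, require that each one be justified and recorded, which fits the next line, "All authentication schemes must be documented."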

    @@ -679,7 +684,8 @@ and reported in regular summaries to the board of CAcert.

    All sensitive events should be logged. -Logs should be deleted after an appropriate amount of time. +Logs should be deleted after an appropriate amount of time +as documented in the Security Manual.

    4.2.2. Access and Security
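Review bot: The added clause "as documented in the Security Manual" moves the retention period out of the policy, but the sentence is still a "should" with an "appropriate amount of time", so the policy itself sets no lower or upper bound. Consider "Logs must be retained and deleted according to the periods documented in the Security Manual", and exclude logs that have been secured as evidence under 5.4 from routine deletion.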

    @@ -786,7 +792,6 @@ See §4.2.1.

    4.4.3. Incident reports

    -Document. See §5.6.

    @@ -797,10 +802,6 @@ See §5.6.

    5.1. Incidents

    -

    -Incidents and sources of important events and logging should be documented. -

    -

    5.2. Detection

    The standard of monitoring, alerting and reporting must be documented. @@ -845,7 +846,8 @@ Management starts with the team leader and ends with the Board.

    Incidents must be investigated. The investigation must be documented. -Evidence must be secured if the severity is high. +If the severity is high, +evidence must be secured and escalated to Arbitration.

    5.5. Response
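Review bot: In the changed sentence, "evidence must be secured and escalated to Arbitration" makes the evidence the thing being escalated; it is presumably the incident that goes to Arbitration. Suggest "If the severity is high, evidence must be secured and the incident escalated to Arbitration." The visible text also does not say who decides that severity is high, which now triggers a mandatory escalation.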

    @@ -1053,8 +1055,33 @@ policies and practices.

    8.2. Responsibilities

    + +

    +Support Engineers have these responsibilities: +

    + +

    +
    +

    8.3. Channels

    +

    + +Support may always be contacted by email at +support at cacert dot org. +Other channels may be made available and documented +in Security Manual. + +

    +

    8.4. Records and Logs
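Review bot: In 8.3, "Other channels may be made available and documented in Security Manual" makes the documentation optional along with the channel. If every support channel has to be recorded, split the modal: "Other channels may be made available and must be documented in the Security Manual." The article before "Security Manual" is missing here, unlike the other hunks.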