From 147a3a9e8cc3016a0b3ad715f17c10a878b09c20 Mon Sep 17 00:00:00 2001
From: Ian Grigg
+Board may add additional components into the Security Manual.
+
-There is no procedure for emergency access.
+There must not be a procedure for emergency access.
If, in the judgement of the systems administrator,
emergency access is required and gained,
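Review bot: The changed sentence "There must not be a procedure for emergency access" sits directly above unchanged text that begins "If, in the judgement of the systems administrator, emergency access is required and gained," which already describes how such access is handled. A reader cannot tell whether documenting break-glass steps in the Security Manual is now forbidden or whether only a pre-authorised access route is. Suggest stating what is actually prohibited, and making clear that any emergency access is an exception governed by the sentences that follow.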
@@ -369,7 +370,7 @@ in order to avoid a greater harm,
independent authorisation before the
Arbitrator must be sought as soon as possible.
-See DPR.
+See DRP.
1.1.1. Effected Personnel
@@ -361,7 +362,7 @@ All physical accesses are logged and reported to all.
2.3.4. Emergency Access
2.3.5. Physical Security codes & devices
@@ -409,7 +410,10 @@ systems and servers which do not require access
to the Internet for their normal operation
must not be granted that access.
-Any exceptions must be documented in the Security Manual.
+If such access becomes temporarily necessary for an
+authorized administrative task,
+such access may be granted under the procedures of the SM
+and must be reported and logged.
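Review bot: The added exception allows access that is "temporarily necessary" but does not require it to be revoked when the administrative task ends, and "must be reported and logged" does not say to whom the report goes. Suggest adding that the access is removed once the task is complete and naming the recipient of the report. The new text also says "the procedures of the SM" where the removed line said "Security Manual"; spell the name out so the reference is unambiguous.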
-All ports to which outbound traffic is initiated shall be documented; traffic to other ports must be blocked. Unexpected traffic must be logged as an exception. +All outbound traffic that is initiated shall be documented; traffic to other destinations must be blocked. Unexpected traffic must be logged as an exception.
-Strong methods of authentication shall be used. +Strong methods of authentication shall be used +wherever possible. All authentication schemes must be documented.
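Review bot: Appending "wherever possible" to "Strong methods of authentication shall be used" turns a firm requirement into a discretionary one, with nothing said about who decides that strong authentication is not possible or where that decision is recorded. The added "All authentication schemes must be documented" helps, but suggest also requiring a documented justification for each case where a weaker scheme is used. In the outbound-traffic line above it, replacing "ports" with "destinations" drops the port-level requirement; "destinations and ports" would keep the blocking rule as specific as it was.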
@@ -679,7 +684,8 @@ and reported in regular summaries to the board of CAcert.All sensitive events should be logged. -Logs should be deleted after an appropriate amount of time. +Logs should be deleted after an appropriate amount of time +as documented in the Security Manual.
-Document. See §5.6.
@@ -797,10 +802,6 @@ See §5.6.-Incidents and sources of important events and logging should be documented. -
-The standard of monitoring, alerting and reporting must be documented. @@ -845,7 +846,8 @@ Management starts with the team leader and ends with the Board.
Incidents must be investigated. The investigation must be documented. -Evidence must be secured if the severity is high. +If the severity is high, +evidence must be secured and escalated to Arbitration.
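Review bot: In the added sentence "evidence must be secured and escalated to Arbitration", the verb "escalated" attaches to the evidence rather than to the incident. Suggest "evidence must be secured and the incident escalated to Arbitration" so it is clear what is handed to the Arbitrator.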
+Support Engineers have these responsibilities: +
+ +
+ +Support may always be contacted by email at +support at cacert dot org. +Other channels may be made available and documented +in Security Manual. + +
+what goes in here? Non-root keys? Strike this section? Or merge it as Root Keys with 9.3, 9.4....
+ +
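Review bot: The added line "what goes in here? Non-root keys? Strike this section? Or merge it as Root Keys with 9.3, 9.4...." is an open editorial question placed in the body of the policy. Suggest resolving it before this is merged, or marking it clearly as a drafting comment so it cannot be read as policy text.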
-Recovery must only be conducted under Board or Arbitrator direction.
+Recovery must only be conducted
+
+under Arbitrator authority.
+
A recovery exercise should be conducted approximately every year.
+
+
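Review bot: The recovery sentence drops "Board" and changes "direction" to "authority", so recovery now depends on the Arbitrator alone, and the hunk does not say what happens if no Arbitrator can be reached when recovery is needed. Suggest either naming a fallback or stating explicitly that recovery waits until Arbitrator authority is obtained.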