cacert/cacert-policies
9
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

more xhtml

Browse source 
git-svn-id: http://svn.cacert.org/CAcert/Policies@1880 14b1bab8-4ef6-0310-b690-991c95c89dfd
This commit is contained in:
Ian Grigg 2010-04-21 13:41:17 +00:00
parent c125e3b856
commit 1acb425079
1 changed files with 23 additions and 20 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

43
SecurityPolicy.html
View file

@ -35,6 +35,7 @@ th {
font-weight: bold; font-weight: bold;
} }
.strike { .strike {
color : blue;
text-decoration:line-through; text-decoration:line-through;
} }
a:hover { a:hover {
@ -49,19 +50,19 @@ a:hover {
<ul class="change"> <ul class="change">
<li> 20100421: reviewed and dropped the BLUE changes that introduced AE, etc. </li> <li> 20100421: reviewed and dropped the BLUE changes that introduced AE, etc. </li>
<li> 20100411: rewrote the critical roles to align with ABC requirement, dropped Board. </li> <li> 20100411: rewrote the critical roles to align with ABC requirement, dropped Board. </li>
<li> <big><u>20100404: status changes to WIP</u></big><br /> <li> <big>20100404: status changes to WIP</big><br />
<span class="q"> Security Policy is no longer binding, as of 20100404</span> </li> <span class="q"> Security Policy is no longer binding, as of 20100404</span> </li>
<li> 20901213: addition of WIP changes </li> <li> 20901213: addition of WIP changes </li>
<li> 20090327: status change to DRAFT <a href="http://wiki.cacert.org/PolicyDecisions#p20090327">p20090327</a>. </li> <li> 20090327: status change to DRAFT <a href="http://wiki.cacert.org/PolicyDecisions#p20090327">p20090327</a>. </li>
</ul> </ul>
<p> <p>
WIP Changes are all marked in <span class="change">BLUE</span> or <span class="change"><s>struck-out</s>.</span> WIP Changes are all marked in <span class="change">BLUE</span> or <span class="strike">struck-out</span>.
Explanatory comments in <span class="q">GREEN</span> are not part of text.<br /> Explanatory comments in <span class="q">GREEN</span> are not part of text.<br />
</p> </p>
<p class="q"> Start of Policy</p> <p class="q"> Start of Policy</p>
<hr> <hr />
<h1>Security Policy for CAcert Systems</h1> <h1>Security Policy for CAcert Systems</h1>
<!-- Absolute URL because the policies are located absolutely. --> <!-- Absolute URL because the policies are located absolutely. -->
@ -70,12 +71,12 @@ Explanatory comments in <span class="q">GREEN</span> are not part of text.<br />
Editor: iang<br /> Editor: iang<br />
Status: <b>WIP <a href="https://community.cacert.org/board/motions.php?motion=m20100327.2">m20100327.2</a></b> as of 20100404 00:00:02 UTC<br /><br /> Status: <b>WIP <a href="https://community.cacert.org/board/motions.php?motion=m20100327.2">m20100327.2</a></b> as of 20100404 00:00:02 UTC<br /><br />
</td><td align="right"> </td><td align="right">
<a href="http://www.cacert.org/policy/PolicyOnPolicy.php"><img align="right" src="Images/cacert-wip.png" alt="Security Policy Status == WIP" border="0"></a> <a href="http://www.cacert.org/policy/PolicyOnPolicy.php"><img src="Images/cacert-wip.png" alt="Security Policy Status == WIP" style="border-width:0" /></a>
</td></table> </td></table>
<h2><a name="1">1.</a> INTRODUCTION</h2> <h2 id="1">1. INTRODUCTION</h2>
<h3><a name="1.1">1.1.</a> Motivation and Scope </h3> <h3 id="s1.1">1.1. Motivation and Scope </h3>
<p> <p>
This Security Policy sets out the policy This Security Policy sets out the policy
for the secure operation of the CAcert critical computer systems. for the secure operation of the CAcert critical computer systems.
@ -217,8 +218,10 @@ The SM says how things are done.
As practices are things that vary from time to time, As practices are things that vary from time to time,
including between each event of practice, including between each event of practice,
the SM is under the direct control of the the SM is under the direct control of the
<span class="strike">
Systems Administration team
</span>
<span class="change"> <span class="change">
<s>Systems Administration team</s>
applicable team leaders. applicable team leaders.
</span> </span>
It is located and version-controlled on the CAcert wiki. It is located and version-controlled on the CAcert wiki.
@ -393,7 +396,7 @@ Arbitrator must be sought as soon as possible.
See DRP. See DRP.
</p> </p>
<h4><a name="2.3.5">2.3.5.</a> Physical Security codes & devices </h4> <h4><a name="2.3.5">2.3.5.</a> Physical Security codes &amp; devices </h4>
<p> <p>
All personel who are in possession of physical security All personel who are in possession of physical security
@ -550,7 +553,7 @@ authorisations on the below access control lists
(see &sect;1.1.1): (see &sect;1.1.1):
</p> </p>
<table align="center" border="1"> <tr> <center><table border="1"> <tr>
<td>List Name</td> <td>List Name</td>
<td>Who</td> <td>Who</td>
<td>Purpose of access</td> <td>Purpose of access</td>
@ -561,13 +564,13 @@ authorisations on the below access control lists
<td>Access Engineers</td> <td>Access Engineers</td>
<td>control of access by personnel to hardware</td> <td>control of access by personnel to hardware</td>
<td>exclusive of all other roles </td> <td>exclusive of all other roles </td>
<td><span class="change">Access team leader <s>Board of CAcert (or designee)</s></span></td> <td><span class="change">Access team leader</span> <span class="strike">Board of CAcert (or designee)</span></td>
</tr><tr> </tr><tr>
<td>Physical Access List</td> <td>Physical Access List</td>
<td>Systems Administrators</td> <td>Systems Administrators</td>
<td>hardware-level for installation and recovery</td> <td>hardware-level for installation and recovery</td>
<td>exclusive with Access Engineers and Software Assessors</td> <td>exclusive with Access Engineers and Software Assessors</td>
<td><span class="change">systems administration team leader <s>Board of CAcert (or designee)</s></span></td> <td><span class="change">systems administration team leader</span> <span class="strike">Board of CAcert (or designee)</span></td>
</tr><tr> </tr><tr>
<td>SSH Access List</td> <td>SSH Access List</td>
<td>Systems Administrators <span class="change">and Application Engineers </span></td> <td>Systems Administrators <span class="change">and Application Engineers </span></td>
@ -584,9 +587,9 @@ authorisations on the below access control lists
<td>Support Access List</td> <td>Support Access List</td>
<td>Support Engineer</td> <td>Support Engineer</td>
<td>support features in the web application</td> <td>support features in the web application</td>
<td> includes by default all <span class="change">Application Engineers <s>systems administrators</s> </span> </td> <td> includes by default all <span class="change">Application Engineers</span> <span class="strike">systems administrators </span> </td>
<td><span class="change"><s>systems administration</s> support</span> team leader</td> <td><span class="strike">systems administration</span> <span class="change">support</span> team leader</td>
</tr></table> </tr></table></center>
<p> <p>
@ -1002,13 +1005,13 @@ Bug submission access should be provided to
any Member that requests it. any Member that requests it.
</p> </p>
<h3> <a name="7.6"> 7.6. </a> <s>Handover</s> <span class="change">Production</span> </h3> <h3> <a name="7.6"> 7.6. </a> <span class="strike">Handover</span> <span class="change">Production</span> </h3>
<p class="change"> <p class="change">
The Application Engineer is a role within Software Assessment The Application Engineer is a role within Software Assessment
team that is approved to install into production the team that is approved to install into production the
patches that are signed off. patches that are signed off.
<s> <span class="strike">
Once signed off, the Application Engineer Once signed off, the Application Engineer
commits the patch from the development repository commits the patch from the development repository
to the production repository, to the production repository,
@ -1017,7 +1020,7 @@ into the running code.
The Application Engineer is responsible for basic The Application Engineer is responsible for basic
testing of functionality and emergency fixes, testing of functionality and emergency fixes,
which then must be back-installed into the repositories. which then must be back-installed into the repositories.
</s> </span>
</p> </p>
<p class="change"> <p class="change">
@ -1349,7 +1352,7 @@ Components may be outsourced.
Team leaders may outsource non-critical components Team leaders may outsource non-critical components
on notifying the Board. on notifying the Board.
Critical components must be approved by the Board. Critical components must be approved by the Board.
<p> </p>
<p> <p>
Any outsourcing arrangements must be documented. Any outsourcing arrangements must be documented.
@ -1429,7 +1432,7 @@ Relevant and helpful Documents should be referenced for convenience.
<hr> <hr />
<a href="http://validator.w3.org/check?uri=referer"><img src="Images/valid-html401-blue.png" id="graphics2" alt="Valid HTML 4.01" align="right" border="0" height="33" width="90"></a> <a href="http://validator.w3.org/check?uri=referer"><img src="Images/valid-html401-blue.png" id="graphics2" alt="Valid HTML 4.01" border="0" style="float: right; border-width: 0" height="33" width="90" /></a>
<p class="q">This is the end of the Security Policy.</p> <p class="q">This is the end of the Security Policy.</p>
</body></html> </body></html>