to DRAFT, 11 Ayes counted

git-svn-id: http://svn.cacert.org/CAcert/Policies@1240 14b1bab8-4ef6-0310-b690-991c95c89dfd
pull/1/head
Ian Grigg 15 years ago
parent 6f9720e586
commit 418fd6f8f3

@ -8,10 +8,10 @@
<body lang="en-GB">
<h1>Security Policy for CAcert Systems</h1>
<p><a href="PolicyOnPolicy.html"><img src="Images/cacert-wip.png" alt="CAcert Security Policy Status == wip" border="0"></a>
<p><a href="PolicyOnPolicy.html"><img src="Images/cacert-draft.png" alt="CAcert Security Policy Status == wip" border="0"></a>
<br>
Creation date: 20090216<br>
Status: <i>work-in-progress</i>, to DRAFT 20090327
Status: <b>DRAFT 20090327</b>
</p>
<h2><a name="1">1.</a> INTRODUCTION</h2>
@ -456,11 +456,9 @@ until approved by the Software Assessment Team.
</p>
<p>
<B>
Requests to systems administration for ad hoc queries
over the database for business or similar purposes
must be approved by the Arbitrator.
</B>
</p>
<h3><a name="3.4"> 3.4.</a> Access control </h3>
@ -528,10 +526,7 @@ authorisations on the below access control lists
<p>
All changes
<B>
of personnel
</B>
All changes of personnel
to the above lists are approved by the Board of CAcert.
</p>
@ -612,8 +607,7 @@ and reported in regular summaries to the Board of CAcert.
<h4> <a name="4.2.1">4.2.1.</a> Coverage </h4>
<p>
All sensitive events should be logged
<B> reliably </B>.
All sensitive events should be logged reliably.
Logs should be deleted after an appropriate amount of time
as documented in the Security Manual.
</p>
@ -1187,7 +1181,6 @@ especially of new team members.
<h4> <a name="9.2.1"> 9.2.1. </a> Root Key generation</h4>
<B>
<p>
Root keys are generated only on instruction from the Board.
They must be generated to a fully documented and reviewed procedure.
@ -1203,7 +1196,6 @@ The procedure must include:
<li> Documentation of each step as it happens against the procedure. </li>
<li> Confirmation by each participant over the process and the results. </li>
</ul>
</B>
<h4> <a name="9.2.2"> 9.2.2. </a> Backup and escrow</h4>
@ -1303,20 +1295,16 @@ of open disclosure wherever possible.
See <a href="https://svn.cacert.org/CAcert/principles.html">
Principles</a>.
This is not a statement of politics but a statement of security;
<B>
if a security issue can only be sustained
</B>
under some confidentiality or secrecy, then find another way.
</p>
<p>
In concrete terms,
<B>
confidentiality or secrecy may be maintained only
under a defined method in policy,
or under the oversight of the Arbitrator
(which itself is under DRP).
</B>
The exception itself must not be secret or confidential.
All secrets and confidentials are reviewable under Arbitration,
and may be reversed.

Loading…
Cancel
Save