diff --git a/SecurityPolicy.html b/SecurityPolicy.html new file mode 100644 index 0000000..3a8b73f --- /dev/null +++ b/SecurityPolicy.html @@ -0,0 +1,156 @@ + +
+
+
+Creation date: 2009-02-16
+Status: work-in-progress
+
+This Security Manual sets out required procedures for the secure operation of the CAcert critical computer systems. These systems include: +
+Non-critical systems are not covered by this manual, +but may be guided by it, and impacted where they are +found within the security context. +Architecture is out of scope, see CPS#6.2. +
+ ++Important principles of this Security Manual are: + +
+Each task or asset is covered by a variety of protections +deriving from the above principles. +
+ ++This Security Policy is part of the configuration-control specification +for audit purposes (DRC). +It is under the control of Policy on Policy for version purposes. +
+ ++This policy document says what is done, rather than how to do it. +
+ ++This Policy explicitly defers detailed security practices to the +Security Manual +("SM"), +The SM says how things are done. +As practices are things that vary from time to time, +including between each event of practice, +the SM is under the direct control of the Systems Administration team. +It is located and version-controlled on the CAcert wiki. +
+ ++The Systems Administration team may from time to time +explicitly defer single, cohesive components of the +security practices into separate procedures documents. +Each procedure should be managed in a wiki page under +their control, probably at + +SystemAdministrationProcedures. +Each procedure must be referenced explicitly in the Security Manual. +
+ + +This is the end of the Security Policy.
+ + +