Dropped / Confirmed BLUE changes where they introduced the Application Engineer.

Tightened up the Management by applicable team leaders, especially in 3.4
(this moves management of lists to t/l but changing the list is still Board).
Left in place the BLUE changes over the software repository management,
and referred some of that question to the SM.


git-svn-id: http://svn.cacert.org/CAcert/Policies@1875 14b1bab8-4ef6-0310-b690-991c95c89dfd
Ian Grigg 2010-04-21 12:25:41 +00:00
parent fe0b2a2af0
commit 74694e234a


@ -191,8 +191,8 @@ deriving from the above principles.
<h4><a name="1.4.1">1.4.1.</a> The Security Policy Document </h4> <h4><a name="1.4.1">1.4.1.</a> The Security Policy Document </h4>
<p> <p>
This Security Policy is part of the configuration-control specification This Security Policy is part of the Configuration-Control Specification
for audit purposes (DRC). for audit purposes (DRC-A.1).
It is under the control of Policy on Policy for version purposes. It is under the control of Policy on Policy for version purposes.
</p> </p>
@ -210,7 +210,11 @@ This Policy explicitly defers detailed security practices to the
The SM says how things are done. The SM says how things are done.
As practices are things that vary from time to time, As practices are things that vary from time to time,
including between each event of practice, including between each event of practice,
the SM is under the direct control of the Systems Administration team. the SM is under the direct control of the
<span class="change">
<s>Systems Administration team</s>
applicable team leaders.
</span>
It is located and version-controlled on the CAcert wiki. It is located and version-controlled on the CAcert wiki.
</p> </p>
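Review bot: "applicable team leaders" leaves open which team leader controls which part of the SM, whereas the struck wording named a single team. Since §3.4 now assigns lists to several team leaders (access, systems administration, support, software assessment), say here that each team leader controls the SM sections covering their own team's practices, or point to where that allocation is made, so no section of the SM is left without a designated owner.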
@ -354,7 +358,11 @@ one systems administrator present.
<p> <p>
There is no inherent authorisation to access the data. There is no inherent authorisation to access the data.
Systems Administrators are authorised to access Systems Administrators
<span class="change">
and Application Engineers
</span>
are authorised to access
the raw data under the control of this policy. the raw data under the control of this policy.
All others must not access the raw data. All others must not access the raw data.
All are responsible for protecting the data All are responsible for protecting the data
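Review bot: Adding Application Engineers to the set authorised to access raw data is broader than the role given to them in §3.3 below, where systems administration provides only "a limited environment ... to install and maintain the application". Consider qualifying the grant (for example "to the extent required to install and maintain the application") so that the raw-data authorisation matches the limited-environment intent and the set of people with raw-data access stays as small as the role needs.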
@ -486,7 +494,10 @@ of software has become known
an emergent local exploit may also be deemed to be an emergency). an emergent local exploit may also be deemed to be an emergency).
Application of patches in this case may occur as soon as possible, Application of patches in this case may occur as soon as possible,
bypassing the normal configuration-change process. bypassing the normal configuration-change process.
The systems administration team leader must either approve the patch, The systems administration team leader must either approve the patch
<span class="change">
or
</span>
instruct remedial action, and refer the case to dispute resolution. instruct remedial action, and refer the case to dispute resolution.
</p> </p>
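Review bot: With "or" inserted the sentence reads "must either approve the patch or instruct remedial action, and refer the case to dispute resolution", which still leaves it ambiguous whether referral to dispute resolution is required in both outcomes or only when remedial action is instructed. If both outcomes are to be referred, split it: "... must either approve the patch or instruct remedial action. In either case the team leader refers the case to dispute resolution." Dropping the comma after "patch" from the old text is correct.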
@ -502,44 +513,12 @@ independent of filed disputes.
<h3><a name="3.3"> 3.3.</a> Application </h3> <h3><a name="3.3"> 3.3.</a> Application </h3>
<p class="change"> <p>
Systems administration is to provide a limited environment Systems administration is to provide a limited environment
to Applications Engineers in order to install and maintain to Applications Engineers in order to install and maintain
the application. the application.
</p> </p>
<ul class="q">
<li> insert SSH / non-unix in SM? </li>
<li> move all below to &sect;7 </li>
</ul>
<p>
<s>
Software assessment takes place on various test systems
(not a critical system). See &sect;7.
Once offered by Software Assessment (team),
system administration team leader has to
approve the installation of each release or patch.
</s>
</p>
<p>
<s>
Any changes made to source code must be referred
back to software assessment team
and installation needs to be deferred
until approved by the Software Assessment Team.
</s>
</p>
<p>
<s>
Requests to systems administration for ad hoc queries
over the database for business or similar purposes
must be approved by the Arbitrator.
</s>
</p>
<h3><a name="3.4"> 3.4.</a> Access control </h3> <h3><a name="3.4"> 3.4.</a> Access control </h3>
<p> <p>
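Review bot: Deleting the three struck paragraphs removes the last explicit statement in §3.3 that the systems administration team leader approves each release or patch, that source-code changes go back through Software Assessment, and that ad hoc database queries need the Arbitrator's approval; what remains only describes the "limited environment". The commit message says part of this is referred to the SM and the ad hoc query rule reappears in §7.6, so a one-line pointer here ("release approval and source-change referral are specified in §7 and the SM") would stop §3.3 from reading as if installation needs no approval at all. The dropped "ul class="q"" items ("insert SSH / non-unix in SM?", "move all below to §7") were open questions; confirm they are tracked somewhere before they disappear from the text.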
@ -576,31 +555,31 @@ authorisations on the below access control lists
<td>Access Engineers</td> <td>Access Engineers</td>
<td>control of access by personnel to hardware</td> <td>control of access by personnel to hardware</td>
<td>exclusive of all other roles </td> <td>exclusive of all other roles </td>
<td>Board of CAcert (or designee)</td> <td><span class="change">Access team leader <s>Board of CAcert (or designee)</s></span></td>
</tr><tr> </tr><tr>
<td>Physical Access List</td> <td>Physical Access List</td>
<td>Systems Administrators</td> <td>Systems Administrators</td>
<td>hardware-level for installation and recovery</td> <td>hardware-level for installation and recovery</td>
<td>exclusive with Access Engineers and Software Assessors</td> <td>exclusive with Access Engineers and Software Assessors</td>
<td>Board of CAcert (or designee)</td> <td><span class="change">systems administration team leader <s>Board of CAcert (or designee)</s></span></td>
</tr><tr> </tr><tr>
<td>SSH Access List</td> <td>SSH Access List</td>
<td>Systems Administrators</td> <td>Systems Administrators <span class="change">and Application Engineers </span></td>
<td>Unix / account / shell level</td> <td>Unix / account / shell level</td>
<td> includes by default all on Physical Access List </td> <td> includes by default all on Physical Access List </td>
<td>systems administration team leader</td> <td>systems administration team leader</td>
</tr><tr>
<td>Repository Access List</td>
<td>Application Engineers</td>
<td>change the source code repository and install patches to application</td>
<td>exclusive with Access Engineers and systems administrators</td>
<td>software assessment team leader</td>
</tr><tr> </tr><tr>
<td>Support Access List</td> <td>Support Access List</td>
<td>Support Engineer</td> <td>Support Engineer</td>
<td>support features in the web application</td> <td>support features in the web application</td>
<td> includes by default all systems administrators </td> <td> includes by default all <span class="change">Application Engineers <s>systems administrators</s> </span> </td>
<td>systems administration team leader</td> <td><span class="change"><s>systems administration</s> support</span> team leader</td>
</tr><tr>
<td>Repository Access List</td>
<td><span class="change">Application Engineers</span><s>Software Assessors</s></td>
<td>change the source code repository <span class="change">and install patches to application</change></td>
<td>exclusive with Access Engineers and systems administrators</td>
<td>software assessment team leader</td>
</tr></table> </tr></table>
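Review bot: The cell "change the source code repository <span class="change">and install patches to application</change>" closes the span with "</change>" instead of "</span>"; the unbalanced tag leaves the "change" styling open for the rest of the table in browsers. Use "</span>". Separately, the last column now names a team leader for every list while the commit message says changing a list remains a Board decision, yet nothing in the table distinguishes "manages the list" from "approves changes to the list"; a column heading or a note under the table stating that split would avoid reading the team leader as sole authority. Also, the moved Repository Access List row puts "<s>Software Assessors</s>" outside the "<span class="change">", unlike the other changed cells where the struck text sits inside the span; align it for consistent rendering.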
@ -648,14 +627,14 @@ must be strictly controlled.
Passphrases and SSH private keys used for entering into the systems Passphrases and SSH private keys used for entering into the systems
will be kept private will be kept private
to CAcert sysadmins to CAcert sysadmins
<span class="change">and Application Engineers</span> and Application Engineers
in all cases. in all cases.
</p> </p>
<h5> <a name="4.1.1.1">4.1.1.1.</a> Authorized users </h5> <h5> <a name="4.1.1.1">4.1.1.1.</a> Authorized users </h5>
<p> <p>
Only System Administrators Only System Administrators
<span class="change">and Application Engineers</span> and Application Engineers
designated on the Access Lists designated on the Access Lists
in &sect;3.4.2 are authorized to access accounts, in &sect;3.4.2 are authorized to access accounts,
unless specifically directed by the Arbitrator. unless specifically directed by the Arbitrator.
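Review bot: Accepting "and Application Engineers" here is consistent with the SSH Access List change in §3.4, but "kept private to CAcert sysadmins and Application Engineers" now describes two groups rather than the designated individuals that §4.1.1.1 refers to; stating that passphrases and private keys are personal to each individual on the Access Lists would make it unambiguous that removal from a list in §3.4.2 ends that person's authorisation.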
@ -908,7 +887,7 @@ infrastructure is not available.
<p> <p>
Software assessment team is responsible Software assessment team is responsible
for the security <span class="change">and maintenance</span> of the code. for the security and maintenance of the code.
</p> </p>
<h3> <a name="7.1"> 7.1. </a> Authority </h3> <h3> <a name="7.1"> 7.1. </a> Authority </h3>
@ -921,7 +900,7 @@ See &sect;3.4.2.
<h3> <a name="7.2"> 7.2. </a> Tasks </h3> <h3> <a name="7.2"> 7.2. </a> Tasks </h3>
<p> <p>
The primary tasks <span class="change">for Software Assessors</span> are: The primary tasks for Software Assessors are:
</p> </p>
<ol><li> <ol><li>
Keep the code secure in its operation, Keep the code secure in its operation,
@ -929,8 +908,6 @@ The primary tasks <span class="change">for Software Assessors</span> are:
Fix security bugs, including incidents, Fix security bugs, including incidents,
</li><li> </li><li>
Audit, Verify and sign-off proposed patches, Audit, Verify and sign-off proposed patches,
</li><li>
<s>Guide Systems Administration team in inserting patches,</s>
</li><li> </li><li>
Provide guidance for architecture, Provide guidance for architecture,
</li></ol> </li></ol>
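Review bot: Removing "Guide Systems Administration team in inserting patches" matches the move of installation to Application Engineers (§7.2 below), but the Software Assessor task list then has no item covering the hand-over of a signed-off patch to the Application Engineer. Consider adding "Release signed-off patches to Application Engineers for installation" so the chain from sign-off to installation is stated rather than implied.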
@ -940,10 +917,10 @@ Software assessment is not primarily tasked to write the code.
In principle, anyone can submit code changes for approval. In principle, anyone can submit code changes for approval.
</p> </p>
<p class="change"> <p>
The primary tasks for Application Engineers are: The primary tasks for Application Engineers are:
</p> </p>
<ol class="change"><li> <ol><li>
Installing signed-off patches, Installing signed-off patches,
</li><li> </li><li>
Verifying correct running, Verifying correct running,
@ -1022,9 +999,10 @@ any Member that requests it.
<h3> <a name="7.6"> 7.6. </a> <s>Handover</s> <span class="change">Production</span> </h3> <h3> <a name="7.6"> 7.6. </a> <s>Handover</s> <span class="change">Production</span> </h3>
<p class="change"> <p class="change">
Application Engineers are roles within Software Assessment The Application Engineer is a role within Software Assessment
team that are approved to install into production the team that is approved to install into production the
patches that are signed off. patches that are signed off.
<s>
Once signed off, the Application Engineer Once signed off, the Application Engineer
commits the patch from the development repository commits the patch from the development repository
to the production repository, to the production repository,
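Review bot: Striking the paragraph beginning "Once signed off, the Application Engineer commits the patch from the development repository to the production repository" removes the only description in §7.6 of how a signed-off patch reaches production and of what happens with emergency fixes and their back-installation into the repositories. If this is being moved to the SM, as the commit message suggests, keep a pointer in the retained sentence ("the installation procedure is specified in the SM") rather than leaving the section with no reference to the procedure.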
@ -1033,6 +1011,7 @@ into the running code.
The Application Engineer is responsible for basic The Application Engineer is responsible for basic
testing of functionality and emergency fixes, testing of functionality and emergency fixes,
which then must be back-installed into the repositories. which then must be back-installed into the repositories.
</s>
</p> </p>
<p class="change"> <p class="change">
@ -1040,36 +1019,6 @@ Requests to Application Engineers for ad hoc queries over the database for busin
</p> </p>
<p> <p>
<s>
Once signed off,
software assessment (team leader)
coordinates with systems administration (team leader)
to offer the upgrade.
Upgrade format is to be negotiated,
but systems administration naturally has the last word.
Software Assessors are not to have access
to the critical systems, providing a dual control
at the teams level.
</s>
</p>
<p>
<s>
If compilation and/or other processing of the
application source code in the version control system
is necessary to deploy the application,
detailed installation instructions should also be
maintained in the version control system and offered to the
System Administrators.
</s>
</p>
<p>
<s>
Systems administrators copy the patches securely
from the software assessment repository
onto the critical machine.
</s>
See &sect;3.3. See &sect;3.3.
</p> </p>
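Review bot: Deleting the struck sentence "Software Assessors are not to have access to the critical systems, providing a dual control at the teams level" removes the explicit statement of the control that separated code sign-off from production install. With the Application Engineer now a role inside the Software Assessment team (§7.6 above) and on the SSH Access List, the replacement control is implied only by the exclusive access lists in §3.4. State it explicitly here (for example that the Software Assessor who signs off a patch and the Application Engineer who installs it are different people, and that Software Assessors remain off the SSH Access List) so the removal does not read as a silent weakening. The retained "See §3.3." now points at a section reduced to the "limited environment" sentence, so it no longer supports this paragraph; point at the SM or at the §3.4 lists instead.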
@ -1380,7 +1329,7 @@ All external inquiries of security import are filed as disputes and placed befor
Only the Arbitrator has the authority Only the Arbitrator has the authority
to deal with external requests and/or create a procedure. to deal with external requests and/or create a procedure.
Access Engineers, systems administrators, Access Engineers, systems administrators,
<span class="change">support engineers</span>, support engineers,
Board members and other key roles Board members and other key roles
do not have the authority to answer legal inquiry. do not have the authority to answer legal inquiry.
The Arbitrator's ruling may instruct individuals, The Arbitrator's ruling may instruct individuals,
@ -1409,7 +1358,6 @@ All arrangements must be:
Assured Organisations, in which Assured Organisations, in which
all involved personnel are Assurers, all involved personnel are Assurers,
</li></ul> </li></ul>
</li><li>
</li><li> </li><li>
with Members that have the requisite knowledge with Members that have the requisite knowledge
and in good contact with the team leader(s), and in good contact with the team leader(s),