Critical roles are covered. @@ -112,7 +112,7 @@ These roles are defined as: Software Assessors (including Application Engineers) -
Non-critical systems are not covered by this manual, @@ -121,7 +121,7 @@ found within the security context. Architecture is out of scope, see CPS#6.2.
-Important principles of this Security Policy are:
@@ -153,7 +153,7 @@ Each task or asset is covered by a variety of protections deriving from the above principles. -This Security Policy is part of the Configuration-Control Specification for audit purposes (DRC-A.1). @@ -208,7 +208,7 @@ This policy document says what is done, rather than how to do it. Some sections are empty, which means "refer to the Manual."
-This Policy explicitly defers detailed security practices to the @@ -235,7 +235,7 @@ they are expected to be documented in the other. any section heading in the Policy.
-The team leaders may from time to time @@ -248,9 +248,9 @@ SystemAdministration/Procedures. Each procedure must be referenced explicitly in the Security Manual.
-CAcert shall host critical servers in a highly secure facility. @@ -258,9 +258,9 @@ There shall be independent verification of the physical and access security.
-Computers shall be inventoried before being put into service. Inventory list shall be available to all @@ -273,7 +273,7 @@ Each unit shall be distinctly and uniquely identified on all visible sides. Machines shall be housed in secured facilities (cages and/or locked racks).
-Acquisition of new equipment that is subject to a pre-purchase security risk must be done from a @@ -282,7 +282,7 @@ Precautions must be taken to prevent equipment being prepared in advance.
-Equipment that is subject to a service security risk @@ -290,9 +290,9 @@ must be retired if service is required. See also §2.2.3.3.
-Storage media (disk drives, tapes, removable media) @@ -304,7 +304,7 @@ New storage media (whether disk or removable) shall be securely wiped and reformatted before use.
-Removable media shall be securely stored at all times, @@ -318,7 +318,7 @@ When there is a change to status of media, a report is made to the log specifying the new status.
-Storage media that is exposed to critical data and is @@ -340,7 +340,7 @@ Where critical data is involved, two systems administrators must sign-off on each step.
-In accordance with the principle of dual control, @@ -348,13 +348,13 @@ at least two persons authorized for access must be on-site at the same time for physical access to be granted.
-Access to physical equipment must be authorised.
-The Security Manual must present the different access profiles. @@ -378,13 +378,13 @@ All are responsible for protecting the data from access by those not authorised.
-All physical accesses are logged and reported to all.
-There must not be a procedure for emergency access. @@ -396,7 +396,7 @@ Arbitrator must be sought as soon as possible. See DRP.
-All personel who are in possession of physical security @@ -404,10 +404,10 @@ codes and devices (keys) are to be authorised and documented.
-Current and complete diagrams of the physical and logical @@ -422,7 +422,7 @@ Diagrams should be revision controlled, and must be updated when any change is made.
-Only such services as are required for normal operation @@ -436,47 +436,47 @@ such access may be granted under the procedures of the SM and must be reported and logged.
-System and server connections internal to the CAcert infrastructure should be kept to the minimum required for routine operations. Any new connectivity desired must be requested and approved by System administration team leader and then must be reflected in the appropriate infrastructure diagram(s).
-All ports on which incoming traffic is expected shall be documented; traffic to other ports must be blocked. Unexpected traffic must be logged as an exception.
-All outbound traffic that is initiated shall be documented; traffic to other destinations must be blocked. Unexpected traffic must be logged as an exception.
-Logs should be examined regularly (by manual or automatic means) for unusual patterns and/or traffic; anomalies should be investigated as they are discovered and should be reported to appropriate personnel in near-real-time (e.g. text message, email) and investigated as soon as possible. Suspicious activity which may indicate an actual system intrusion or compromise should trigger the incident response protocol described in section 5.1.
-Any operating system used for critical server machines must be available under an OSI-approved open source software license.
-Any operating system used for critical server machines must support software full-disk or disk volume encryption, and this encryption option must be enabled for all relevant disks/volumes when the operating system is first installed on the machine.
-Servers must enable only the operating system functions required to support the necessary services. Options and packages chosen at OS install shall be documented, and newly-installed systems must be inspected to ensure that only required services are active, and their functionality is limited through configuration options. Any required application software must follow similar techniques to ensure minimal exposure footprint. @@ -487,13 +487,13 @@ Documentation for installing and configuring servers with the appropriate softwa
-Software used on production servers must be kept current with respect to patches affecting software security. Patch application is governed by CCS and must be approved by the systems administration team leader, fully documented in the logs and reported by email to the systems administration list on completion (see §4.2).
-Application of a patch is deemed an emergency @@ -520,7 +520,7 @@ by the team leader to Board independent of filed disputes.
-Systems administration is to provide a limited environment @@ -528,14 +528,14 @@ to Applications Engineers in order to install and maintain the application.
-All access to critical data and services shall be controlled and logged.
-General access for Members shall be provided via @@ -545,7 +545,7 @@ Assurance Points and similar methods controlled in the software system.
-Additional or special access is granted according to the @@ -597,7 +597,7 @@ All changes of personnel to the above lists are approved by the Board of CAcert.
-Strong methods of authentication shall be used @@ -605,7 +605,7 @@ wherever possible. All authentication schemes must be documented.
-Follow-up actions to termination must be documented. @@ -615,9 +615,9 @@ See §9.1.7. -
Primary systems administration tasks @@ -628,7 +628,7 @@ account creation and deletion, and hardware maintenance.
-Access to Accounts (root and user via SSH or console) @@ -640,7 +640,7 @@ and Application Engineers in all cases.
-Only System Administrators and Application Engineers @@ -649,33 +649,33 @@ in §3.4.2 are authorized to access accounts, unless specifically directed by the Arbitrator.
-All access is secured, logged and monitored.
-The procedure for changing passphrases and SSH keys shall be documented.
-Response times should be documented for Disaster Recovery planning. See §6.
-All changes made to system configuration must be recorded and reported in regular summaries to the Board of CAcert.
-All sensitive events should be logged reliably. @@ -683,7 +683,7 @@ Logs should be deleted after an appropriate amount of time as documented in the Security Manual.
-Access to logs must be restricted. @@ -691,7 +691,7 @@ The security of the logs should be documented. The records retention should be documented.
-Logging should be automated, and use should be made of appropriate system-provided automated tools. @@ -699,7 +699,7 @@ Automated logs should be reviewed periodically; suspicious events should be flagged and investigated in a timely fashion.
-Configuration changes, no matter how small, must be logged.
@@ -710,14 +710,14 @@ report provided by the accessor and by the Access Engineer. -The procedure for all backups must be documented, according to the following sub-headings.
-Backups must be taken for operational and for disaster recovery purposes. @@ -725,26 +725,26 @@ Operational backups may be online and local. Disaster recovery backups must be offline and remote.
-Backups must be protected to the same level as the critical systems themselves. Disaster recovery backups may be distributed.
-See §2.2.3.
-Backups must be encrypted and must only be transmitted via secured channels. Off-site backups must be dual-encrypted using divergent methods.
-Two CAcert System Administrators must be present for verification of a backup. @@ -752,14 +752,14 @@ Four eyes principle must be maintained when the key and backup are together. For any other purpose than verification of the success of the backup, see next.
-The encryption keys must be stored securely by the CAcert systems administrators. Paper documentation must be stored with manual backups.
-Conditions and procedures for examining the backups must be documented, @@ -767,21 +767,21 @@ and must be under Arbitrator control for purposes other than verification and recovery.
-Termination of user data is under direction of the Arbitrator. See CCA.
-See §4.2.1.
-See §5.6.
@@ -789,23 +789,23 @@ See §5.6. -The standard of monitoring, alerting and reporting must be documented.
-On discovery of an incident, an initial assessment of severity and priority must be made.
-An initial report should be circulated.
@@ -815,7 +815,7 @@ A communications forum should be established for direct support of high priority or high severity incidents. -A process of escalation should be established for oversight and management purposes, @@ -824,7 +824,7 @@ Oversight starts with four eyes and ends with the Arbitrator. Management starts with the team leader and ends with the Board.
-Incidents must be investigated. The investigation must be documented. @@ -832,9 +832,9 @@ If the severity is high, evidence must be secured and escalated to Arbitration.
-Incident reports shall be be published. @@ -856,32 +856,32 @@ secret, nor the manner and methods be kept confidential. See §9.5.
-Disaster Recovery is the responsibility of the Board of CAcert Inc.
-Board must develop and maintain documentation on Business Processes. From this list, Core Processes for business continuity / disaster recovery purposes must be identified.
-Board should identify standard process times for all processes, and must designate Maximum Acceptable Outages and Recovery Time Objectives for the Core Processes.
-Board must have a basic plan to recover.
-Board must maintain a key persons List with all the contact information needed. @@ -892,14 +892,14 @@ infrastructure is not available. -
Software assessment team is responsible for the security and maintenance of the code.
-The source code is under CCS. @@ -907,7 +907,7 @@ Additions to the team are approved by Board. See §3.4.2.
-The primary tasks for Software Assessors are:
@@ -948,7 +948,7 @@ The primary tasks for Application Engineers are: -The application code and patches are maintained @@ -976,7 +976,7 @@ systems administation team. Access is made available to the Application Engineers.
-At the minimum, @@ -988,7 +988,7 @@ Author and signers-off must be logged. The riskier the source is, the more reviews have to be done.
-Software assessment team maintains a test system. @@ -1005,7 +1005,7 @@ Bug submission access should be provided to any Member that requests it.
-The Application Engineer is a role within Software Assessment @@ -1032,10 +1032,10 @@ See §3.3.
-The software interface gives features to Support Engineer. Access to the special features is under tight control. @@ -1061,7 +1061,7 @@ Support Engineers are responsible to follow the policies and practices.
-Support Engineers have these responsibilities: @@ -1077,7 +1077,7 @@ Support Engineers have these responsibilities: Tasks and responsibilities as specified in other policies, such as DRP. -
Support may always be contacted by email at @@ -1086,7 +1086,7 @@ Other channels may be made available and documented in Security Manual.
-Support Engineers refer questions requiring authority to Arbitration, and may also be called upon to act as @@ -1106,15 +1106,15 @@ these topics, even if not listed as Arbitrators or Case Managers.
-Each team should have a minimum of two members available at any time. @@ -1142,7 +1142,7 @@ One individual in each team is designated team leader and reports to Board.
-New team members need: @@ -1158,7 +1158,7 @@ New team members need: The team supports the process of adding new team members.
-The Arbitrated Background Check ("ABC") must be conducted under the direction of the Arbitrator, @@ -1166,7 +1166,7 @@ with a separate Case Manager to provide four eyes. ABCs are carried out with full seriousness.
-An investigation within ABC should include examination of:
@@ -1180,12 +1180,12 @@ An investigation within ABC should include examination of:ABC is to be done on every individual in a critical role.
-The process of the ABC should be documented as a procedure. @@ -1202,7 +1202,7 @@ It must include:
The following privacy considerations exist: @@ -1220,7 +1220,7 @@ The following privacy considerations exist: CAcert trusted roles give up some privacy for the privacy of others.
-Individuals and access (both) must be authorised by the Board. @@ -1237,7 +1237,7 @@ Deliberations and decisions should be documented. All conflicts of interest should be examined.
-It is the responsibility of all individuals to @@ -1251,7 +1251,7 @@ or to ensure that it is reported fully. See §9.5.
-Termination of access may be for resignation, Arbitration ruling, @@ -1269,7 +1269,7 @@ and the Arbitrator may reinstate any provision of this agreement or bind the person to a ruling.
-It is the responsibility of the team leaders @@ -1277,9 +1277,9 @@ to coordinate technical testing and training, especially of new team members.
-Root keys are generated only on instruction from the Board. @@ -1297,7 +1297,7 @@ The procedure must include:
Root keys must be kept on reliable removable media used for that purpose only. @@ -1311,24 +1311,24 @@ The top-level root must be escrowed under Board control. Subroots may be escrowed by either Board or Systems Administration Team.
-Recovery must only be conducted under Arbitrator authority.
-The Board is responsible to the Community to manage the CA at the executive level.
-All external inquiries of security import are filed as disputes and placed before the Arbitrator under DRP. @@ -1345,7 +1345,7 @@ The Arbitrator's ruling may instruct individuals, and becomes your authority to act.
-Components may be outsourced. @@ -1387,7 +1387,7 @@ Contracts should be written with the above in mind.
-CAcert is an open organisation and adopts a principle @@ -1412,19 +1412,19 @@ All should strive to reduce or remove any such restriction.
-Contact information for all key people and teams must be documented.
-All incorporated Documents must be documented.
-Relevant and helpful Documents should be referenced for convenience.