From a30a60d192e9c9874fc37ec95855655703dd1cd8 Mon Sep 17 00:00:00 2001
From: Ian Grigg
-Board may add additional components into the Security Manual.
+Board
+The Committee of CAcert, Inc. (hereafter, "Board")
+may add additional components into the Security Manual.
New storage media (whether disk or removable) shall be
-securely wiped and reformatted before use.
+securely
+wiped
+erased
+and reformatted before use.
Removable media shall be securely stored at all times,
including when not in use.
-Drives that are kept for reuse are wiped securely before storage.
+Drives that are kept for reuse are
+wiped
+erased
+ securely before storage.
Reuse can only be within critical systems.
-All changes of personnel
-to the above lists are approved by the Board of CAcert.
+All changes of personnel to the above lists are
+subject to Board approval.
+approved by the Board of CAcert.
-Board must maintain a key persons List with all the
+Board must maintain a Key Persons List with all the
contact information needed.
See §10.1.
The list shall be accessible even if CAcert's
@@ -906,7 +916,9 @@ for the security and maintenance of the code.
The source code is under CCS.
-Additions to the team are approved by Board.
+Additions to the team are
+subject to Board approval.
+approved by the Board.
See §3.4.2.
The software interface gives features to Support Engineer.
Access to the special features is under tight control.
-Additions to the team are approved by Board,
+Additions to the team are
+subject to Board approval,
+approved by the Board,
and the software features are under CCS.
See §3.4.2.
+
1.1.1. Covered Personnel
@@ -304,7 +307,10 @@ are inventoried upon acquisition and tracked in their use.
2.2.3.2 Storage
@@ -312,7 +318,10 @@ securely wiped and reformatted before use.
3.4.3. Authentication
@@ -886,7 +896,7 @@ Board must have a basic plan to recover.
6.4. Key Persons List
@@ -1285,14 +1305,17 @@ especially of new team members.
-Root keys are generated only on instruction from the Board. +Root keys are generated only on instruction from the Board. They must be generated to a fully documented and reviewed procedure. The procedure must include:
-The Board is responsible to the Community to manage +the Board is responsible to the Community to manage the CA at the executive level.
@@ -1355,8 +1378,8 @@ and becomes your authority to act. Components may be outsourced. Team leaders may outsource non-critical components -on notifying the Board. -Critical components must be approved by the Board. +on notifying the Board. +Critical components must be approved by the Board. Any outsourcing arrangements must be documented. All arrangements must be: @@ -1388,7 +1411,7 @@ All arrangements must be:Contracts should be written with the above in mind. -Outsourcing of critical components must be approved by the Board. +Outsourcing of critical components must be approved by the Board.