diff --git a/SecurityPolicy.html b/SecurityPolicy.html index cb478bf..b50ac68 100644 --- a/SecurityPolicy.html +++ b/SecurityPolicy.html @@ -510,9 +510,9 @@ by team or board.
-Primary systems administration tasks shall be conducted under four eyes principle. -These shall include -backup performance verification, +Primary systems administration tasks +shall be conducted under four eyes principle. +These shall include backup performance verification, log inspection, software patch identification and application, account creation and deletion, @@ -520,12 +520,15 @@ and hardware maintenance.
-System administrators must pass a background check and comply with all applicable policies in force. +System administrators must pass a background check +and comply with all applicable policies in force.
-Access to Accounts (root and user via SSH or console) must be strictly controlled. +Access to Accounts +(root and user via SSH or console) +must be strictly controlled. Passwords and passphrases entered into the systems will be kept private to CAcert sysadmins in all cases.
@@ -539,7 +542,7 @@ shall be authorized to access accounts.Assumes above that there is no reason to have access to a Unix-level account on the critical machines unless on the Access List.
-All remote communications for systems administration purposes is encrypted, logged and monitored. @@ -745,6 +748,38 @@ secret, nor the manner in which it is kept confidential.
+Disaster Recovery is the responsibility of the Board of CAcert Inc. +
+ ++Board must develop and maintain documentation on Business Processes. +From this list, Core Processes for business continuity / disaster recovery +purposes must be identified. +
+ ++Board should identify standard process times for all processes, +and must designate Maximum Acceptable Outages +and Recovery Time Objectives for the Core Processes. +
+ ++Board must have a basic plan to recover. +
+ ++Board must maintain a key persons List with all the +contact information needed. +
+ + +
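Review bot: the hunks at @@ -510 and @@ -520 are whitespace-only reflows of the four-eyes, background-check and account-access paragraphs, but they ship in the same commit as the new Disaster Recovery section at @@ -745; moving the reflow into its own commit would let the substantive policy change be reviewed on its own. While those lines are being reflowed anyway, "conducted under four eyes principle" should read "conducted under the four-eyes principle".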
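Review bot: in the hunk at @@ -539 the removed line "-All remote communications for systems administration purposes is encrypted, logged and monitored." has no corresponding "+" line visible here, although the header (-7,+7) suggests one should exist; if the line was dropped rather than reflowed, the policy loses its only requirement that remote administration traffic be encrypted, logged and monitored. Please confirm the replacement line is present and carries the same three requirements, and fix the agreement while touching it ("communications ... are encrypted, logged and monitored").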
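Review bot: in the hunk at @@ -745, "Board must have a basic plan to recover." does not tie the plan to the Core Processes, Maximum Acceptable Outages and Recovery Time Objectives defined two paragraphs earlier, so nothing in the text obliges the plan to actually meet them; suggest "Board must maintain a plan to recover each Core Process within its Recovery Time Objective." Also "key persons List" should match the capitalisation the policy already uses for "Access List" ("Key Persons List"), and since that list holds the contact details needed to reach the people who can restore the systems, the paragraph should say how it is kept current and who is permitted to hold a copy.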