From b44b84a96a59a032e18d63f3f995ee36080089ca Mon Sep 17 00:00:00 2001
From: Ian Grigg
Date: Thu, 31 Dec 2009 20:02:37 +0000
Subject: [PATCH] another attempt

git-svn-id: http://svn.cacert.org/CAcert/Policies@1741 14b1bab8-4ef6-0310-b690-991c95c89dfd
---
 ConfigurationControlSpecification.html | 283 +++++++++++++++++++++++++
 1 file changed, 283 insertions(+)
 create mode 100644 ConfigurationControlSpecification.html

diff --git a/ConfigurationControlSpecification.html b/ConfigurationControlSpecification.html
new file mode 100644
index 0000000..fbc5b94
--- /dev/null
+++ b/ConfigurationControlSpecification.html
@@ -0,0 +1,283 @@
+ + + + + Configuration Controlled Specification - work-in-progress + + + + + + +

Configuration Control Specification

+ + +Configuration Control Specification Status == work-in-progress

+Creation date: 20091214
+Status: WIP

+ + + +

1 Introduction

+ + + +

+The Configuration Control Specification (CCS) controls and tracks those documents, processes and assets which are critical to the business, security and governance of the CAcert operations. +

+ +

+This document is the procedure for CCS. +This document itself is a component of the CCS. +All other documentation and process specified within +is derivative and is ruled by the CCS. +

+ +

2 Documents

+ + + +

2.1 Controlled Document List

+ +

+This CCS creates a list of Primary or "root" documents: +

+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
CAcert Official Document number. Abbrev. Name Location Since Comments
COD1 PoP Policy On Policy http://www.cacert.org/policy/PolicyOnPolicy.php p20070822.... covers all documents
COD2 CCS Configuration Control Specification http://www.cacert.org/policy/ConfigurationControlSpecification.php 2010..... this document
COD6 CPS Certification Practice Statement http://www.cacert.org/policy/CertificationPracticeStatement.php p200903xx.... includes Certificate Policies
COD5 PP Privacy Policy http://www.cacert.org/ 20060629 out of date
5 SP Security Policy http://www.cacert.org/policy/SecurityPolicy.php p20090327 .
6 CCA CAcert Community Agreement http://www.cacert.org/policy/CAcertCommunityAgreement.php p20070822... Subscriber Agreement
COD4 NRP-DaL Non-Related Persons -- Disclaimer and Licence http://www.cacert.org/policy/NRPDisclaimerAndLicence.php m20070918.1 Relying Party Agreement
7 3pv-DaL 3rd Party Vendor -- Disclaimer and Licence http://www.cacert.org/policy/3pvDisclaimerAndLicence.php p2010... Distributor Agreement
COD7 DRP Dispute Resolution Policy http://www.cacert.org/policy/DisputeResolutionPolicy.php m20070919.3 .
9 AP Assurance Policy http://www.cacert.org/policy/DisputeResolutionPolicy.php p2010... .
+
+ +

+Primary Documents may authorise other secondary documents +under the same process (PoP). +Document Officer manages a controlled documents list +containing numbers, locations and versions of all controlled documents. +

+ +

2.2 Change

+ + +

+Overall responsibility for change to documents resides with the policy mailgroup, as specified in Policy on Policy. CAcert Inc., board maintains a veto on new policies while in DRAFT. Fully approved documents (POLICY status) are published on the CAcert website at http://www.cacert.org/policy/ in plain HTML format. +

+ +

+Pre-approval work (DRAFT status) and working documents (work-in-progress status) are made available on publically-accessible version management systems (Subversion: http://svn.cacert.org/CAcert/Policies . wiki: http://wiki.cacert.org/wiki/PolicyDrafts ). +

+ +

2.3 Control

+ +

+CAcert policies are required to be owned / transferred to CAcert. See PoP 6.2. +

+ +

3 Hardware

+ + + +

3.1 Controlled Hardware List

+ +

+Critical systems are defined by Security Policy. +

+ +

3.2 Change

+ +

See Security Policy.

+ +

3.3 Control

+ +

+Control of Hardware is the ultimate responsibility of the Board of CAcert Inc. +The responsibility for acts with hardware is delegated +to Access Engineers and Systems Administrators as per +Security Policy. +The ownership responsibility is delegated by agreement to Oophaga. +

+ + +

4 Software

+ +

4.1 Controlled Software List

+ +

+Critical software is defined by Security Policy. +

+ +

4.2 Change

+ +

See Security Policy.

+ +

4.3 Control

+ +

+CAcert owns or requires full control over its code +by means of an approved free and open licence. +Such code must be identified and managed by Software Assessment. +

+ +

+Developers transfer full rights to CAcert +(in a similar fashion to documents), +or organise their contributions under a +proper free and open source code regime, +as approved by Board. +Where code is published +(beyond scope of this document) +care must be taken not to infringe licence conditions. +For example, mingling issues with GPL. +

+ +

+The Software Assessment Team Leader +maintains a registry of assignments +of title or full licence, +and a registry of software under approved open source licences. +

+ + + +

5 Logs

+ + + +

5.1 Controlled Logs List

+ +

+Logs are defined by Security Policy. +

+ +

5.2 Changes

+ +

Changes to Hardware and Software are logged according to Security Policy.

+ +

5.3 Archive

+ +

See Security Policy.

+ +
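Review bot: In the 2.1 Controlled Document List, the AP (Assurance Policy) row gives its location as http://www.cacert.org/policy/DisputeResolutionPolicy.php, the same URL as the DRP row, so the list as written does not locate the Assurance Policy; point that row at the Assurance Policy's own page. The number column in the same table is also ambiguous: some rows carry a COD prefix and others a bare number, and the bare numbers repeat digits already used (COD5 PP and 5 SP, COD6 CPS and 6 CCA, COD7 DRP and 7 3pv-DaL). Since section 2.1 says the Document Officer's list contains "numbers, locations and versions of all controlled documents", each row should have one unique identifier in one format. The page title reads "Configuration Controlled Specification" while the heading and the COD2 row read "Configuration Control Specification"; pick one. Sections 3.2, 4.2, 5.2 and 5.3 defer to Security Policy without a section reference, unlike 2.3, which cites "PoP 6.2"; adding the section numbers would make the delegation checkable. The subject line "another attempt" does not say what the commit adds; something naming the new CCS draft would help anyone reading the history.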