meeting PD, Wytze. added outsourcing, review of SD provisions
git-svn-id: http://svn.cacert.org/CAcert/Policies@1195 14b1bab8-4ef6-0310-b690-991c95c89dfd
This commit is contained in:
parent
209542acc6
commit
da157c5a81
1 changed files with 55 additions and 8 deletions
|
@ -248,8 +248,11 @@ prepared in advance.
|
|||
</p>
|
||||
|
||||
<h4><a name="2.2.2">2.2.2.</a> Cables </h4>
|
||||
<p class="error">
|
||||
Drop 2.2.2.
|
||||
</p>
|
||||
|
||||
<p>
|
||||
<p class="q">
|
||||
Cabling to all equipment shall be labeled at both ends
|
||||
with identification of end points.
|
||||
</p>
|
||||
|
@ -292,9 +295,10 @@ The following steps are to be taken:
|
|||
</p>
|
||||
|
||||
<ol><li>
|
||||
The media is to be securely erased, <b>and</b>
|
||||
The media is securely destroyed, <b>or</b>
|
||||
</li><li>
|
||||
The media is securely destroyed.
|
||||
the media is to be securely erased,
|
||||
and stored securely.
|
||||
</li></ol>
|
||||
|
||||
<p>
|
||||
|
@ -561,6 +565,16 @@ Passwords must be kept secure.
|
|||
The procedure for changing passwords should be documented.
|
||||
</p>
|
||||
|
||||
<h5> <a name="4.1.1.4">4.1.1.4.</a> Outsourcing </h5>
|
||||
|
||||
<p>
|
||||
Systems administration team leader may outsource non-critical
|
||||
components such as DNS servers.
|
||||
Outsourcing should be to Members who are Assurers,
|
||||
who have the appropriate technical knowledge,
|
||||
and are in good contact with team leader.
|
||||
</p>
|
||||
|
||||
<h4> <a name="4.1.2">4.1.2.</a> Required staff response time </h4>
|
||||
<p>
|
||||
Response times should be documented.
|
||||
|
@ -576,6 +590,12 @@ All changes made to system configuration must be recorded.
|
|||
<h4> <a name="4.2.1">4.2.1.</a> Coverage </h4>
|
||||
|
||||
<p>
|
||||
All sensitive events should be logged.
|
||||
Logs should be deleted after an appropriate amount of time.
|
||||
</p>
|
||||
|
||||
<p class="q">
|
||||
'''Move to SM:'''
|
||||
Logs shall be maintained for:
|
||||
</p>
|
||||
|
||||
|
@ -583,7 +603,7 @@ Logs shall be maintained for:
|
|||
<li> anomalous network traffic, </li>
|
||||
<li> system activities and events, </li>
|
||||
<li> application (certificate, web, mail, and database) events, </li>
|
||||
<li> "Comms Module" requests for certificate signing on both the cryptographic module (signing server) and the main online server, </li>
|
||||
<li> '''make generic''': "Comms Module" requests for certificate signing on both the cryptographic module (signing server) and the main online server, </li>
|
||||
<li> login and root access, </li>
|
||||
<li> configuration changes. </li>
|
||||
</ul>
|
||||
|
@ -784,6 +804,10 @@ contact information needed.
|
|||
|
||||
<h2><a name="7">7.</a> SOFTWARE DEVELOPMENT</h2>
|
||||
|
||||
<p class="q">
|
||||
Change name of this to Software Assessment.
|
||||
</p>
|
||||
|
||||
<p>
|
||||
Software development team is responsible
|
||||
for the security of the code.
|
||||
|
@ -860,7 +884,9 @@ any Member that requests it.
|
|||
<p>
|
||||
Once signed off, software development (team leader)
|
||||
coordinates with systems administration (team leader)
|
||||
to offer the patch.
|
||||
to offer the upgrade.
|
||||
Upgrade format is to be negotiated,
|
||||
but systems administration naturally has the last word.
|
||||
Software development people are not to have access
|
||||
to the critical systems, providing a dual control
|
||||
at the teams level.
|
||||
|
@ -877,7 +903,7 @@ system administrators.
|
|||
|
||||
<p>
|
||||
Systems administrators copy the patches securely
|
||||
from the repository onto the critical machine.
|
||||
from the software development onto the critical machine.
|
||||
See §3.3.
|
||||
</p>
|
||||
|
||||
|
@ -887,8 +913,29 @@ See §3.3.
|
|||
|
||||
<h3> <a name="8.1"> 8.1. </a> Authority </h3>
|
||||
<p>
|
||||
The access interface is under CCS.
|
||||
Additions to the team are approved by Board
|
||||
The software interface gives features to Support personnel.
|
||||
Access to the special features is under tight control.
|
||||
Additions to the team are approved by Board,
|
||||
and the software features are under CCS.
|
||||
</p>
|
||||
|
||||
<p>
|
||||
Support personnel do not have any inherent authority
|
||||
to take any action,
|
||||
and they have have to get authority on a case-by-case
|
||||
basis.
|
||||
The authority required in each case must be guided
|
||||
by this policy or the Security Manual or other clear
|
||||
applicable document.
|
||||
If the Member's authority is not in doubt,
|
||||
the Member can give that authority.
|
||||
|
||||
The Arbitrator's authority must be sought.
|
||||
</p>
|
||||
|
||||
<p>
|
||||
Support personnel are responsible to follow the
|
||||
policies and practices.
|
||||
</p>
|
||||
|
||||
<h3> <a name="8.2"> 8.2. </a> Responsibilities </h3>
|
||||
|
|
Loading…
Reference in a new issue