added 9.3.2. suggested notifications. fixed inconsistent capitalisation.
git-svn-id: http://svn.cacert.org/CAcert/Policies@1883 14b1bab8-4ef6-0310-b690-991c95c89dfd
parent
9ba5d64a9c
commit
e1fb84d652
1 changed files with 21 additions and 20 deletions
|
@ -337,7 +337,7 @@ The following steps are to be taken:
|
|||
Records of secure erasure and method of final disposal
|
||||
shall be tracked in the asset inventory.
|
||||
Where critical data is involved,
|
||||
two systems administrators must sign-off on each step.
|
||||
two Systems Administrators must sign-off on each step.
|
||||
</p>
|
||||
|
||||
<h3 id="s2.3">2.3. Physical Access </h3>
|
||||
|
@ -359,10 +359,10 @@ Access to physical equipment must be authorised.
|
|||
<p>
|
||||
The Security Manual must present the different access profiles.
|
||||
At least one Access Engineer must control access in all cases.
|
||||
At least one systems administrator will be present for
|
||||
At least one Systems Administrator will be present for
|
||||
logical access.
|
||||
Only the most basic and safest of accesses should be done with
|
||||
one systems administrator present.
|
||||
one Systems Administrator present.
|
||||
</p>
|
||||
|
||||
<p>
|
||||
|
@ -388,7 +388,7 @@ All physical accesses are logged and reported to all.
|
|||
|
||||
<p>
|
||||
There must not be a procedure for emergency access.
|
||||
If, in the judgement of the systems administrator,
|
||||
If, in the judgement of the Systems Administrator,
|
||||
emergency access is required and gained,
|
||||
in order to avoid a greater harm,
|
||||
independent authorisation before the
|
||||
|
@ -412,7 +412,7 @@ codes and devices (keys) are to be authorised and documented.
|
|||
<p>
|
||||
Current and complete diagrams of the physical and logical
|
||||
CAcert network infrastructure shall be maintained by
|
||||
systems administration team leader.
|
||||
Systems Administration team leader.
|
||||
These diagrams should include cabling information,
|
||||
physical port configuration details,
|
||||
expected/allowed data flow directions,
|
||||
|
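Review bot: The rewritten line in the network diagrams paragraph still lacks an article: "shall be maintained by Systems Administration team leader." reads as if a word dropped out. Since the line is being touched anyway, suggest "shall be maintained by the Systems Administration team leader.", matching the phrasing already used in 3.2.3.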
@ -490,7 +490,7 @@ Documentation for installing and configuring servers with the appropriate softwa
|
|||
<h4 id="s3.2.3"> 3.2.3. Patching </h4>
|
||||
|
||||
<p>
|
||||
Software used on production servers must be kept current with respect to patches affecting software security. Patch application is governed by CCS and must be approved by the systems administration team leader, fully documented in the logs and reported by email to the systems administration list on completion (see §4.2).
|
||||
Software used on production servers must be kept current with respect to patches affecting software security. Patch application is governed by CCS and must be approved by the Systems Administration team leader, fully documented in the logs and reported by email to the Systems Administration list on completion (see §4.2).
|
||||
</p>
|
||||
|
||||
<h5 id="s3.2.3.1"> 3.2.3.1. “emergency” patching </h5>
|
||||
|
@ -503,7 +503,7 @@ of software has become known
|
|||
an emergent local exploit may also be deemed to be an emergency).
|
||||
Application of patches in this case may occur as soon as possible,
|
||||
bypassing the normal configuration-change process.
|
||||
The systems administration team leader must either approve the patch
|
||||
The Systems Administration team leader must either approve the patch
|
||||
<span class="change">
|
||||
or
|
||||
</span>
|
||||
|
@ -511,7 +511,7 @@ instruct remedial action, and refer the case to dispute resolution.
|
|||
</p>
|
||||
|
||||
<p>
|
||||
<b> <!-- this comment left in bold deliberatel -->
|
||||
<b> <!-- this comment left in bold deliberately -->
|
||||
Declaration of an emergency patching situation should not occur with any regularity.
|
||||
</b>
|
||||
Emergency patch events must be documented
|
||||
|
@ -570,25 +570,25 @@ authorisations on the below access control lists
|
|||
<td>Systems Administrators</td>
|
||||
<td>hardware-level for installation and recovery</td>
|
||||
<td>exclusive with Access Engineers and Software Assessors</td>
|
||||
<td><span class="change">systems administration team leader</span> <span class="strike">Board of CAcert (or designee)</span></td>
|
||||
<td><span class="change">Systems Administration team leader</span> <span class="strike">Board of CAcert (or designee)</span></td>
|
||||
</tr><tr>
|
||||
<td>SSH Access List</td>
|
||||
<td>Systems Administrators <span class="change">and Application Engineers </span></td>
|
||||
<td>Unix / account / shell level</td>
|
||||
<td> includes by default all on Physical Access List </td>
|
||||
<td>systems administration team leader</td>
|
||||
<td>Systems Administration team leader</td>
|
||||
</tr><tr>
|
||||
<td>Repository Access List</td>
|
||||
<td>Application Engineers</td>
|
||||
<td>change the source code repository and install patches to application</td>
|
||||
<td>exclusive with Access Engineers and systems administrators</td>
|
||||
<td>exclusive with Access Engineers and Systems Administrators</td>
|
||||
<td>software assessment team leader</td>
|
||||
</tr><tr>
|
||||
<td>Support Access List</td>
|
||||
<td>Support Engineer</td>
|
||||
<td>support features in the web application</td>
|
||||
<td> includes by default all <span class="change">Application Engineers</span> <span class="strike">systems administrators </span> </td>
|
||||
<td><span class="strike">systems administration</span> <span class="change">support</span> team leader</td>
|
||||
<td> includes by default all <span class="change">Application Engineers</span> <span class="strike">Systems Administrators </span> </td>
|
||||
<td><span class="strike">Systems Administration</span> <span class="change">support</span> team leader</td>
|
||||
</tr></table>
|
||||
|
||||
|
||||
|
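Review bot: The capitalisation in the approver column of this table is only half applied: "Systems Administration team leader" is now capitalised, but the Repository Access List row keeps "software assessment team leader" and the Support Access List row keeps "support" team leader in lower case. Either capitalise every team name in the column or none of them. The Support Access List row also changes the text inside the strike spans, which alters the wording recorded as struck; if those spans are meant to preserve the earlier draft text, leave them as they were.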
@ -620,7 +620,7 @@ See §9.1.7.
|
|||
<h3 id="s4.1">4.1. System administration </h3>
|
||||
|
||||
<p>
|
||||
Primary systems administration tasks
|
||||
Primary Systems Administration tasks
|
||||
shall be conducted under four eyes principle.
|
||||
These shall include backup performance verification,
|
||||
software patch application,
|
||||
|
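Review bot: The section heading "4.1. System administration" is left unchanged while the first body line becomes "Primary Systems Administration tasks", so the title and the term it introduces now disagree in both number (System vs Systems) and case. Suggest updating the h3 text in the same commit so the four-eyes requirement sits under a heading that names the same team.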
@ -755,7 +755,7 @@ For any other purpose than verification of the success of the backup, see next.
|
|||
<h4 id="s4.3.7">4.3.7. Key Management </h4>
|
||||
<p>
|
||||
The encryption keys must be stored securely by the
|
||||
CAcert systems administrators.
|
||||
CAcert Systems Administrators.
|
||||
Paper documentation must be stored with manual backups.
|
||||
</p>
|
||||
|
||||
|
@ -843,7 +843,7 @@ A full copy should be appended to the
|
|||
documentation of the investigation.
|
||||
Sensitive information may be pushed out into
|
||||
a restricted appendix of the report.
|
||||
The systems administration team leader is responsible
|
||||
The Systems Administration team leader is responsible
|
||||
for publication and maintenance.
|
||||
</p>
|
||||
|
||||
|
@ -958,7 +958,7 @@ software assessment team.
|
|||
|
||||
|
||||
<ul class="q">
|
||||
<li> is this something that can be and is being run by systems administration team? </li>
|
||||
<li> is this something that can be and is being run by Systems Administration team? </li>
|
||||
<li> Or are their two, the test one and the critical one? </li>
|
||||
<li> Like this: </li>
|
||||
</ul>
|
||||
|
@ -972,7 +972,7 @@ software assessment team.
|
|||
<p class="change">
|
||||
The production code is maintained in a secure production repository
|
||||
within the critical systems that is run by the
|
||||
systems administation team.
|
||||
Systems Administation team.
|
||||
Access is made available to the Application Engineers.
|
||||
</p>
|
||||
|
||||
|
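Review bot: The replacement line in the production repository paragraph carries over the misspelling: "Systems Administation team." is missing an "r". Correct it to "Systems Administration team." while the line is being changed, otherwise a search of the policy for the role name will miss the paragraph that says who runs the production repository.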
@ -1000,7 +1000,7 @@ Test status of each patch must be logged.
|
|||
Software assessment team maintains a bug system.
|
||||
Primary communications should go through this system.
|
||||
Management access should be granted to all Software Assessors,
|
||||
software developers, and systems administrators.
|
||||
software developers, and Systems Administrators.
|
||||
Bug submission access should be provided to
|
||||
any Member that requests it.
|
||||
</p>
|
||||
|
@ -1332,12 +1332,13 @@ the CA at the executive level.
|
|||
|
||||
<p>
|
||||
All external inquiries of security import are filed as disputes and placed before the Arbitrator under DRP.
|
||||
<span class="change">Board and applicable team leaders must be notified</span>.
|
||||
</p>
|
||||
|
||||
<p>
|
||||
Only the Arbitrator has the authority
|
||||
to deal with external requests and/or create a procedure.
|
||||
Access Engineers, systems administrators,
|
||||
Access Engineers, Systems Administrators,
|
||||
support engineers,
|
||||
Board members and other key roles
|
||||
do not have the authority to answer legal inquiry.
|
||||
|
|
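Review bot: The added sentence "Board and applicable team leaders must be notified" does not say who sends the notification, by when, or through which channel, so compliance with it cannot be checked after an external inquiry arrives. Suggest naming the responsible role and the channel, as 3.2.3 does for patches ("reported by email to the Systems Administration list"). Two smaller points in the same hunk: the full stop sits outside the change span, and "support engineers," stays lower case next to the newly capitalised "Systems Administrators,".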