diff --git a/SecurityPolicy.html b/SecurityPolicy.html index e0e7d26..02d256b 100644 --- a/SecurityPolicy.html +++ b/SecurityPolicy.html @@ -337,7 +337,7 @@ The following steps are to be taken: Records of secure erasure and method of final disposal shall be tracked in the asset inventory. Where critical data is involved, -two systems administrators must sign-off on each step. +two Systems Administrators must sign-off on each step.

2.3. Physical Access

@@ -359,10 +359,10 @@ Access to physical equipment must be authorised.

The Security Manual must present the different access profiles. At least one Access Engineer must control access in all cases. -At least one systems administrator will be present for +At least one Systems Administrator will be present for logical access. Only the most basic and safest of accesses should be done with -one systems administrator present. +one Systems Administrator present.

@@ -388,7 +388,7 @@ All physical accesses are logged and reported to all.

There must not be a procedure for emergency access. -If, in the judgement of the systems administrator, +If, in the judgement of the Systems Administrator, emergency access is required and gained, in order to avoid a greater harm, independent authorisation before the @@ -412,7 +412,7 @@ codes and devices (keys) are to be authorised and documented.

Current and complete diagrams of the physical and logical CAcert network infrastructure shall be maintained by -systems administration team leader. +Systems Administration team leader. These diagrams should include cabling information, physical port configuration details, expected/allowed data flow directions, @@ -490,7 +490,7 @@ Documentation for installing and configuring servers with the appropriate softwa

3.2.3. Patching

-Software used on production servers must be kept current with respect to patches affecting software security. Patch application is governed by CCS and must be approved by the systems administration team leader, fully documented in the logs and reported by email to the systems administration list on completion (see §4.2). +Software used on production servers must be kept current with respect to patches affecting software security. Patch application is governed by CCS and must be approved by the Systems Administration team leader, fully documented in the logs and reported by email to the Systems Administration list on completion (see §4.2).

3.2.3.1. “emergency” patching
@@ -503,7 +503,7 @@ of software has become known an emergent local exploit may also be deemed to be an emergency). Application of patches in this case may occur as soon as possible, bypassing the normal configuration-change process. -The systems administration team leader must either approve the patch +The Systems Administration team leader must either approve the patch or @@ -511,7 +511,7 @@ instruct remedial action, and refer the case to dispute resolution.

- + Declaration of an emergency patching situation should not occur with any regularity. Emergency patch events must be documented @@ -570,25 +570,25 @@ authorisations on the below access control lists Systems Administrators hardware-level for installation and recovery exclusive with Access Engineers and Software Assessors - systems administration team leader Board of CAcert (or designee) + Systems Administration team leader Board of CAcert (or designee) SSH Access List Systems Administrators and Application Engineers Unix / account / shell level includes by default all on Physical Access List - systems administration team leader + Systems Administration team leader Repository Access List Application Engineers change the source code repository and install patches to application - exclusive with Access Engineers and systems administrators + exclusive with Access Engineers and Systems Administrators software assessment team leader Support Access List Support Engineer support features in the web application - includes by default all Application Engineers systems administrators - systems administration support team leader + includes by default all Application Engineers Systems Administrators + Systems Administration support team leader @@ -620,7 +620,7 @@ See §9.1.7.

4.1. System administration

-Primary systems administration tasks +Primary Systems Administration tasks shall be conducted under four eyes principle. These shall include backup performance verification, software patch application, @@ -755,7 +755,7 @@ For any other purpose than verification of the success of the backup, see next.

4.3.7. Key Management

The encryption keys must be stored securely by the -CAcert systems administrators. +CAcert Systems Administrators. Paper documentation must be stored with manual backups.

@@ -843,7 +843,7 @@ A full copy should be appended to the documentation of the investigation. Sensitive information may be pushed out into a restricted appendix of the report. -The systems administration team leader is responsible +The Systems Administration team leader is responsible for publication and maintenance.

@@ -958,7 +958,7 @@ software assessment team. @@ -972,7 +972,7 @@ software assessment team.

The production code is maintained in a secure production repository within the critical systems that is run by the -systems administation team. +Systems Administation team. Access is made available to the Application Engineers.

@@ -1000,7 +1000,7 @@ Test status of each patch must be logged. Software assessment team maintains a bug system. Primary communications should go through this system. Management access should be granted to all Software Assessors, -software developers, and systems administrators. +software developers, and Systems Administrators. Bug submission access should be provided to any Member that requests it.

@@ -1332,12 +1332,13 @@ the CA at the executive level.

All external inquiries of security import are filed as disputes and placed before the Arbitrator under DRP. +Board and applicable team leaders must be notified.

Only the Arbitrator has the authority to deal with external requests and/or create a procedure. -Access Engineers, systems administrators, +Access Engineers, Systems Administrators, support engineers, Board members and other key roles do not have the authority to answer legal inquiry.
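Review bot: The pair of lines before "Declaration of an emergency patching situation" in the @@ -511,7 +511,7 hunk appears to differ only in whitespace, which is unrelated to the role-name capitalisation the rest of the patch makes. Drop that pair from this change, or submit whitespace cleanup separately, so the diff of a policy document shows only wording changes.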
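Review bot: In the access control list hunk (@@ -570,25 +570,25) the role names end up inconsistently capitalised: "Systems Administration team leader" is now capitalised while "software assessment team leader" on the Repository Access List row stays lowercase, next to the already capitalised "Software Assessors" and "Support Engineer". If capitalisation is meant to mark defined roles, apply it to every role in the table in the same change. The later hunks leave "software developers" and "support engineers" lowercase in the same way.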
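Review bot: "+Primary Systems Administration tasks" in the @@ -620,7 +620,7 hunk capitalises the activity rather than a role or team, and the section heading directly above it remains "4.1. System administration". Either keep this sentence lowercase, since it describes tasks and not who performs them, or bring the heading in line so the section reads consistently.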
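Review bot: The replacement line in the @@ -972,7 +972,7 hunk keeps the misspelling "Administation" ("+Systems Administation team."). Since the line is being rewritten anyway, correct it to "Systems Administration team." so the team that runs the production repository is named the same way as everywhere else in the policy.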
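Review bot: The added line "+Board and applicable team leaders must be notified." in the @@ -1332,12 +1332,13 hunk introduces a new obligation, not a capitalisation fix, and it does not say who must notify or within what time. Move it into its own change so it can be reviewed as a policy amendment, and name the responsible party, given that the following paragraph restricts who may deal with external requests to the Arbitrator.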