From e66491d7cb3ed872706587281b72c1371dc51907 Mon Sep 17 00:00:00 2001
From: Ian Grigg <iang@cacert.org>
Date: Wed, 4 Mar 2009 21:22:38 +0000
Subject: [PATCH] added Sections 7, 8

git-svn-id: http://svn.cacert.org/CAcert/Policies@1193 14b1bab8-4ef6-0310-b690-991c95c89dfd
---
 SecurityPolicy.html | 141 ++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 136 insertions(+), 5 deletions(-)

diff --git a/SecurityPolicy.html b/SecurityPolicy.html
index b50ac68..0b38808 100644
--- a/SecurityPolicy.html
+++ b/SecurityPolicy.html
@@ -186,6 +186,12 @@ the SM is under the direct control of the Systems Administration team.
 It is located and version-controlled on the CAcert wiki.
 </p>
 
+<p>
+Section Headings are the same in both documents.
+Where Section Headings are empty in one document,
+they are expected to be documented in the other.
+</p>
+
 <h4><a name="1.4.3">1.4.3.</a> The Security Procedures </h4>
 
 <p>
@@ -624,7 +630,6 @@ Operational backups may be online and local.
 </p>
 
 <h4> <a name="4.3.2">4.3.2.</a> Frequency </h4>
-<p>Document.</p>
 
 <h4> <a name="4.3.3">4.3.3.</a> Storage </h4>
 <p>
@@ -633,7 +638,6 @@ Offline backups should be distributed.
 </p>
 
 <h4> <a name="4.3.4">4.3.4.</a> Retention period and Re-use </h4>
-<p>Document.</p>
 
 <h4> <a name="4.3.5">4.3.5.</a> Encryption </h4>
 <p>
@@ -673,7 +677,6 @@ See CCA.
 </p>
 
 <h4> <a name="4.4.2">4.4.2.</a> System logs </h4>
-<p>Document.</p>
 
 <h4> <a name="4.4.3">4.4.3.</a> Incident reports </h4>
 <p>
@@ -682,7 +685,6 @@ Access to incident reports is restricted.
 </p>
 
 <h3> <a name="4.5">4.5.</a> Cycling </h3>
-<p>Document.</p>
 
 
 
@@ -731,7 +733,7 @@ Evidence must be secured if the severity is high.
 </p>
 
 <h3> <a name="5.5">5.5.</a> Response </h3>
-<p>Document.</p>
+
 <h3> <a name="5.6">5.6.</a> Report </h3>
 <p>
 A report should be appended to the documentation of the investigation,
@@ -781,9 +783,138 @@ contact information needed.
 
 
 <h2><a name="7">7.</a> SOFTWARE DEVELOPMENT</h2>
+
+<p>
+Software development team is responsible
+for the security of the code.
+</p>
+
+<h3> <a name="7.1"> 7.1. </a> Authority </h3>
+
+<p>
+The source code is under CCS.
+Additions to the team are approved by Board
+</p>
+
+<h3> <a name="7.2"> 7.2. </a> Tasks </h3>
+<p>
+The primary tasks are:
+</p>
+<ol><li>
+    Keep the code secure,
+  </li><li>
+    Fix security bugs, including incidents,
+  </li><li>
+    Audit, Verify and sign-off proposed patches,
+  </li><li>
+    Assist Systems Administration team in inserting patches,
+  </li><li>
+    Provide guidance for architecture,
+</li></ol>
+
+<p>
+Software Development is not primarily tasked to write the code.
+In principle, anyone can submit code changes for approval.
+</p>
+
+
+<h3> <a name="7.3"> 7.3. </a> Repository </h3>
+
+<p>
+The application code and patches are maintained in a
+central version control system by the
+software development team.
+</p>
+
+<p>
+The integrity of the central version control system
+is crucial for the integrity of the applications running
+on the critical systems.
+</p>
+
+<h3> <a name="7.4"> 7.4. </a> Review </h3>
+
+<p>
+Patches are signed off by the team leader
+or his designated reviewer.
+Each software change should be reviewed
+by a person other than the author.
+Author and sign-off must be logged.
+</p>
+
+<h3> <a name="7.5"> 7.5. </a> Test and Bugs </h3>
+
+<p>
+Software Development team maintains a test system.
+Each patch should be built and tested.
+Test status of each patch must be logged.
+</p>
+
+<p>
+Software Development team maintains a bug system.
+Primary communications should go through this system.
+Access should be granted to all software developers,
+systems administrators, and patch contributors.
+Access may be granted to other Members.
+</p>
+
+<h3> <a name="7.6"> 7.6. </a> Handover </h3>
+
+<p>
+Once signed off, software development (team leader)
+coordinates with systems administration (team leader)
+to offer the patch.
+Software development people are not to have access
+to the critical systems, providing a dual control
+at the teams level.
+</p>
+
+<p>
+If compilation and/or other processing of the
+application source code in the version control system
+is necessary to deploy the application,
+detailed installation instructions should also be
+maintained in the version control system and offered to the
+system administrators.
+</p>
+
+<p>
+Systems administrators copy the patches securely
+from the repository onto the critical machine.
+See &sect;3.3.
+</p>
+
+
 <h2><a name="8">8.</a> SUPPORT</h2>
 
 
+<h3> <a name="8.1"> 8.1. </a> Authority </h3>
+<p>
+The access interface is under CCS.
+Additions to the team are approved by Board
+</p>
+
+<h3> <a name="8.2"> 8.2. </a> Responsibilities </h3>
+
+<h3> <a name="8.3"> 8.3. </a> Channels </h3>
+
+<h3> <a name="8.4"> 8.4. </a> Interface </h3>
+<p>
+Access to Member's private information is restricted.
+Support staff may be authorised by the Board
+to access any additional, restricted interfaces.
+Each such special access is managed by the team leader.
+</p>
+
+<h3> <a name="8.5"> 8.5. </a> Records and Logs </h3>
+<ul>
+  <li> use of restricted interfaces must be logged. </li>
+  <li> all support channels should be logged. </li>
+  <li> private requests for support should be referred to proper channels and logged there (e.g., by CCs)  </li>
+</ul>
+
+<h3> <a name="8.6"> 8.6. </a> Arbitration </h3>
+
 
 
 <h2><a name=Documents"9">9.</a> ADMINISTRATIVE</h2></h3>