diff --git a/SecurityPolicy.html b/SecurityPolicy.html index 0714553..ba16ce7 100644 --- a/SecurityPolicy.html +++ b/SecurityPolicy.html @@ -691,6 +691,268 @@ Access to incident reports is restricted. + +
+Each team should have a minimum of 2 members available at any time. +Individuals should be active in only one team at any one time, +but may be observers on any number of teams. +
+ ++One individual in each team is designated leader and reports to Board. +
+ ++New team members need: +
+ ++The team supports the process of adding new team members. +
+ ++Background checks are carried out with full seriousness. +Background checks must be conducted under the direction of the Arbitrator, +with a separate Case Manager to provide four eyes. +
+ ++An investigation should include examination of: +
+ ++A background check is to be done for all critical roles. +The background check should be done on all of: +
+ ++The process of the background check should be documented as a procedure. +
+ ++Documentation of each individual check should be preserved +and should be reviewable under any future Arbitration. +It must include: +
+ ++The following privacy considerations exist: +
+ ++CAcert trusted roles give up some privacy for the privacy of others. +
+ ++Individuals and access (both) must be authorised by the Board. +Only the Board may approve new individuals or any access to the systems. +Each Individual should be proposed to the Board, +with the relevant supporting information as above. +
+ ++The Board should deliberate directly and in full. +Board members who are also active in the area should recuse from the vote, +but should support the deliberations. +Deliberations and decisions should be documented. +All conflicts of interest should be examined. +
+ ++It is the responsibility of all individuals to observe and report on security issues. +All of CAcert observes all where possible. +It is the responsibility of each individual to resolve it satisfactorily, +or to ensure that it is reported fully. +
+ ++Only information subject to a specific and documented exception +may be kept secret or confidential. +The exception itself must not be secret or confidential. +All secrets and confidentials are reviewable under Arbitration, +and may be reversed. +
+ ++Termination of access may be for resignation, Arbitration ruling, +or decision of Board or team leader. +On termination (for any reason), access and information must be secured. +
+ ++It is the responsibility of the team leaders +to coordinate technical testing and training, +especially of new team members. +
+ +what goes in here? Non-root keys?
+ ++Root keys should be generated on a machine built securely +for that purpose only and cleaned/wiped/destroyed immediately afterwards. +
+ ++Root keys must be kept on reliable removable media used for that purpose only. +Private Keys must be encrypted and should be dual-encrypted. +Passphrase must be strong and must be separately escrowed from media. +Dual control must be maintained. +
+ ++The top-level root must be escrowed under Board control. +Subroots may be escrowed by either Board or Systems Administration Team. +
+ ++Recovery must only be conducted under Board or Arbitrator direction. +A recovery exercise should be conducted approximately every year. +
+ +Document.
+ +Document.
+ ++Board has responsibility for formal advisory to the public. +
+ ++The board is responsible for the CA at the executive level. +
+ ++All external inquiries of security import are filed as disputes and placed before the Arbitrator under DRP. +
+ ++Only the Arbitrator has the authority to deal with external requests and/or create a procedure. Systems administrators, board members and other key roles do not have the authority to answer legal inquiry. The Arbitrator's ruling may instruct individuals, and becomes your authority to act. +
+ + + + ++Contact information for all key people and teams must be documented. +
+ ++All incorporated Documents must be documented. +
+ ++Relevant and helpdul Documents should be referenced for convenience. +
+ + + +This is the end of the Security Policy.
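Review bot: The added policy text still contains unresolved drafting placeholders in the key-handling part of the hunk: "what goes in here? Non-root keys?" and two bare "Document." lines. As written, these would ship as normative policy content. Either fill them in or mark them explicitly as open items so a reader can tell what is binding. In the same area, "Passphrase must be strong" gives no measurable criterion, and "On termination (for any reason), access and information must be secured" names neither who is responsible nor a deadline. Since termination can follow a decision of the Board, a team leader, or an Arbitration ruling, assign an owner and a time limit for revocation. "Dual control must be maintained" and "four eyes" could also state who the two parties are for root key access, as is done for background checks (Arbitrator plus a separate Case Manager). Smaller points: "helpdul" should be "helpful"; "Board", "the Board" and "The board" are used interchangeably; and "becomes your authority to act" switches to second person where the rest of the text uses "individuals".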