Creation date: 2009-02-16
Status: work-in-progress
Creation date: 2009-02-16
Status: work-in-progress
This Security Policy sets out the policy for the secure operation of the CAcert critical computer systems. These computer systems include:
These roles and teams are effected:
Non-critical systems are not covered by this manual, but may be guided by it, and impacted where they are found within the security context. Architecture is out of scope, see CPS#6.2.
Important principles of this Security Policy are:
Each task or asset is covered by a variety of protections deriving from the above principles.
This Security Policy is part of the configuration-control specification for audit purposes (DRC). It is under the control of Policy on Policy for version purposes.
This policy document says what is done, rather than how to do it.
This Policy explicitly defers detailed security practices to the Security Manual ("SM"), The SM says how things are done. As practices are things that vary from time to time, including between each event of practice, the SM is under the direct control of the Systems Administration team. It is located and version-controlled on the CAcert wiki.
Section Headings are the same in both documents. Where Section Headings are empty in one document, they are expected to be documented in the other.
The team leaders may from time to time explicitly defer single, cohesive components of the security practices into separate procedures documents. Each procedure should be managed in a wiki page under their control, probably at SystemAdministration/Procedures. Each procedure must be referenced explicitly in the Security Manual.
CAcert shall host critical servers in a highly secure facility. There shall be independent verification of the physical and access security.
Computers shall be inventoried before being put into service. Inventory list shall be available to all Access Engineeers and all Systems Administrators. List must be subject to change control.
Units shall have nickname clearly marked on front and rear of chassis. Machines shall be housed in secured facilities (cages and/or locked racks).
Acquisition of new equipment that is subject to a pre-purchase security risk must be done from a vendor that is regularly and commercially in business. Precautions must be taken to prevent equipment being prepared in advance.
Cabling to all equipment shall be labeled at both ends with identification of end points.
Storage media (disk drives, tapes, removable media) are inventoried upon acquisition and tracked in their use.
New storage media (whether disk or removable) shall be securely wiped and reformatted before use.
Removable media shall be securely stored at all times, including when not in use. Drives that are kept for reuse are wiped securely before storage. Reuse can only be within critical systems.
When there is a change to status of media, a report is made to the log specifying the new status.
Storage media that is exposed to critical data and is to be retired from service shall be destroyed or otherwise secured. The following steps are to be taken:
Records of secure erasure and method of final disposal shall be tracked in the asset inventory. Where critical data is involved, 2 system administrators must sign-off on each step.
In accordance with the principle of dual control, at least two persons authorized for access must be on-site at the same time for physical access to be granted.
Access to physical equipment must be authorised.
The Security Manual must present the different access profiles. At least one CAcert systems administrator will be present for logical access to CAcert critical servers. Only the most basic and safest of accesses should be done with one CAcert systems administrator present.
Only Systems Administrators are authorised to access the data. All others must not access the data. All are responsible for protecting the data from access by those not authorised.All physical accesses are logged and reported to all.
There is no procedure for emergency access. If emergency access is gained, this must be reported and justified immediately. See DPR.
All personel who are in possession of physical security codes and devices (keys) are to be authorised and documented.
Current and complete diagrams of the physical and logical CAcert network infrastructure shall be maintained by systems administration team leader. These diagrams should include cabling information, physical port configuration details, and expected/allowed data flow directions, as applicable. Diagrams should be revision controlled, and must be updated when any change is made.
Only such services as are required for normal operation should be visible externally; systems and servers which do not require access to the Internet for their normal operation must not be granted that access.
System and server connections internal to the CAcert infrastructure should be kept to the minimum required for routine operations. Any new connectivity desired must be requested and approved by CAcert system administration team leader and then must be reflected in the appropriate infrastructure diagram(s).
All ports on which incoming traffic is expected shall be documented; traffic to other ports must be blocked. Unexpected traffic must be logged as an exception.
All ports to which outbound traffic is initiated shall be documented; traffic to other ports must be blocked. Unexpected traffic must be logged as an exception.
Logs should be examined regularly (by manual or automatic means) for unusual patterns and/or traffic; anomalies should be investigated as they are discovered and should be reported to appropriate personnel in near-real-time (e.g. text message, email) and investigated as soon as possible. Suspicious activity which may indicate an actual system intrusion or compromise should trigger the incident response protocol described in section 5.1.
Any operating system used for critical server machines must be available under an OSI-approved open source software license.
Any operating system used for critical server machines must support software full-disk or disk volume encryption, and this encryption option must be enabled for all relevant disks/volumes when the operating system is first installed on the machine.
Servers must enable only the operating system functions required to support the necessary services. Options and packages chosen at OS install shall be documented, and newly-installed systems must be inspected to ensure that only required services are active, and their functionality is limited through configuration options. Any required application software must follow similar techniques to ensure minimal exposure footprint.
Documentation for installing and configuring servers with the appropriate software packages and configurations will be maintained by the system administrators in the wiki.
A.1.i, A.1.k:
Software used on production servers must be kept current with respect to patches affecting software security. Patch application is governed by CCS and must be approved by the systems administration team leader, fully documented in the logs and reported by email to the systems administration list on completion (see §4.2).
Application of a patch is deemed an emergency when a remote exploit for a weakness in the particular piece of software has become known (on servers allowing direct local user access, an emergent local exploit may also be deemed to be an emergency). Application of patches in this case may occur as soon as possible, bypassing the normal configuration-change process. The systems administration team leader must either approve the patch, instruct remedial action, or refer the case to dispute resolution.
Declaration of an emergency patching situation should not occur with any regularity. Emergency patch events must be documented within the regular summaries to Board.
Software development takes place on various test systems (not a critical system). See §7. Once offered by Software Development (team), system administration team leader has to approve the installation of each release or patch.
Any changes made to source code must be referred back to software development.
General user access to CAcert services shall normally be conducted through a web-based application interface. Features are made available according to Assurance Points and direct permissions.
Direct Permissions are managed by the Application to enable special online administrators from the Support Team access to certain functions.
The access control lists are:
All changes to the above lists are approved by the board of CAcert.
A strong method of authentication is used and documented.
Termination actions must be documented, including resignation, arbitration, or determination by team or board.
Primary systems administration tasks shall be conducted under four eyes principle. These shall include backup performance verification, log inspection, software patch identification and application, account creation and deletion, and hardware maintenance.
System administrators must pass a background check and comply with all applicable policies in force.
Access to Accounts (root and user via SSH or console) must be strictly controlled. Passwords and passphrases entered into the systems will be kept private to CAcert sysadmins in all cases.
Only system administrators designated on the Access List shall be authorized to access accounts.
Assumes above that there is no reason to have access to a Unix-level account on the critical machines unless on the Access List.
All remote communications for systems administration purposes is encrypted, logged and monitored.
Passwords must be kept secure. The procedure for changing passwords should be documented.
Response times should be documented.
All changes made to system configuration must be recorded.
Logs shall be maintained for:
Access to logs must be restricted. The security of the logs should be documented. The records retention should be documented.
Logging should be automated, and use should be made of appropriate system-provided automated tools. Automated logs should be reviewed periodically; suspicious events should be flagged and investigated in a timely fashion.
Configuration changes, no matter how small, must be logged. Access to this log shall be restricted.
All physical visits will be logged and a report provided by the accessor.
The procedure for all backups must be documented, according to the following sub-headings.
Backups must be taken for operational and for disaster recovery purposes ("offline"). Disaster recovery backups must be offline and remote. Operational backups may be online and local.
Backups must be protected to the same level as the critical systems themselves. Offline backups should be distributed.
Backups must be encrypted and must only be transmitted via secured channels. Off-site backups must be dual-encrypted using divergent methods.
Two CAcert system administrators must be present for verification of a backup. Four eyes principle must be maintained when the key and backup are together. For any other purpose than verification of the success of the backup, see next.
The encryption keys must be stored securely by the CAcert systems administrators. Paper documentation must be stored with manual backups.
Conditions and procedures for examining the backups for purposes other than for verification must be documented and must be under Arbitrator control.
Termination of user data is under direction of the Arbitrator. See CCA.
The systems administration team leader is to maintain incident reports securely. Access to incident reports is restricted.
Incidents and sources of important events and logging should be documented.
The standard of monitoring, alerting and reporting must be documented.
On discovery of an incident, an initial assessment of severity and priority must be made.
An initial report should be sent to systems administrators and wider interested parties.
A communications forum should be established for direct support of high priority or high severity incidents.
A process of escalation of oversight should be eastablished.
Incidents must be investigated. The investigation must be documented. Evidence must be secured if the severity is high.
A report should be appended to the documentation of the investigation, and distributed in the act of closing the investigation.
Incidents are not normally kept secret or confidential. Ony under a defined exception under policy, or under the oversight of the Arbitrator, may confidentiality be maintained. The knowledge of the existence of the event must not be kept secret, nor the manner in which it is kept confidential.
Disaster Recovery is the responsibility of the Board of CAcert Inc.
Board must develop and maintain documentation on Business Processes. From this list, Core Processes for business continuity / disaster recovery purposes must be identified.
Board should identify standard process times for all processes, and must designate Maximum Acceptable Outages and Recovery Time Objectives for the Core Processes.
Board must have a basic plan to recover.
Board must maintain a key persons List with all the contact information needed.
Software development team is responsible for the security of the code.
The source code is under CCS. Additions to the team are approved by Board
The primary tasks are:
Software Development is not primarily tasked to write the code. In principle, anyone can submit code changes for approval.
The application code and patches are maintained in a central version control system by the software development team.
The integrity of the central version control system is crucial for the integrity of the applications running on the critical systems.
Patches are signed off by the team leader or his designated reviewer. Each software change should be reviewed by a person other than the author. Author and sign-off must be logged.
Software Development team maintains a test system. Each patch should be built and tested. Test status of each patch must be logged.
Software Development team maintains a bug system. Primary communications should go through this system. Access should be granted to all software developers, systems administrators, and patch contributors. Access may be granted to other Members.
Once signed off, software development (team leader) coordinates with systems administration (team leader) to offer the patch. Software development people are not to have access to the critical systems, providing a dual control at the teams level.
If compilation and/or other processing of the application source code in the version control system is necessary to deploy the application, detailed installation instructions should also be maintained in the version control system and offered to the system administrators.
Systems administrators copy the patches securely from the repository onto the critical machine. See §3.3.
The access interface is under CCS. Additions to the team are approved by Board
Access to Member's private information is restricted. Support staff may be authorised by the Board to access any additional, restricted interfaces. Each such special access is managed by the team leader.
Each team should have a minimum of 2 members available at any time. Individuals should be active in only one team at any one time, but may be observers on any number of teams.
One individual in each team is designated leader and reports to Board.
New team members need:
The team supports the process of adding new team members.
Background checks are carried out with full seriousness. Background checks must be conducted under the direction of the Arbitrator, with a separate Case Manager to provide four eyes.
An investigation should include examination of:
A background check is to be done for all critical roles. The background check should be done on all of:
The process of the background check should be documented as a procedure.
Documentation of each individual check should be preserved and should be reviewable under any future Arbitration. It must include:
The following privacy considerations exist:
CAcert trusted roles give up some privacy for the privacy of others.
Individuals and access (both) must be authorised by the Board. Only the Board may approve new individuals or any access to the systems. Each Individual should be proposed to the Board, with the relevant supporting information as above.
The Board should deliberate directly and in full. Board members who are also active in the area should recuse from the vote, but should support the deliberations. Deliberations and decisions should be documented. All conflicts of interest should be examined.
It is the responsibility of all individuals to observe and report on security issues. All of CAcert observes all where possible. It is the responsibility of each individual to resolve it satisfactorily, or to ensure that it is reported fully.
Only information subject to a specific and documented exception may be kept secret or confidential. The exception itself must not be secret or confidential. All secrets and confidentials are reviewable under Arbitration, and may be reversed.
Termination of access may be for resignation, Arbitration ruling, or decision of Board or team leader. On termination (for any reason), access and information must be secured.
It is the responsibility of the team leaders to coordinate technical testing and training, especially of new team members.
what goes in here? Non-root keys?
Root keys should be generated on a machine built securely for that purpose only and cleaned/wiped/destroyed immediately afterwards.
Root keys must be kept on reliable removable media used for that purpose only. Private Keys must be encrypted and should be dual-encrypted. Passphrase must be strong and must be separately escrowed from media. Dual control must be maintained.
The top-level root must be escrowed under Board control. Subroots may be escrowed by either Board or Systems Administration Team.
Recovery must only be conducted under Board or Arbitrator direction. A recovery exercise should be conducted approximately every year.
Document.
Document.
Board has responsibility for formal advisory to the public.
The board is responsible for the CA at the executive level.
All external inquiries of security import are filed as disputes and placed before the Arbitrator under DRP.
Only the Arbitrator has the authority to deal with external requests and/or create a procedure. Systems administrators, board members and other key roles do not have the authority to answer legal inquiry. The Arbitrator's ruling may instruct individuals, and becomes your authority to act.
CAcert may at its option outsource critical components to other organisations, however this must not be a barrier to security. Outsourced arrangements must be transparent.
Any outsourcing arrangements must be documented. All arrangements must be:
Specifically, all involved personnel must be CAcert Assurers. Contracts should be written with the above in mind.
Contact information for all key people and teams must be documented.
All incorporated Documents must be documented.
Relevant and helpdul Documents should be referenced for convenience.
This is the end of the Security Policy.