1f30d7fd39
git-svn-id: http://svn.cacert.org/CAcert/Policies@1187 14b1bab8-4ef6-0310-b690-991c95c89dfd
697 lines
22 KiB
HTML
697 lines
22 KiB
HTML
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
|
|
"http://www.w3.org/TR/html4/loose.dtd">
|
|
<html>
|
|
<head>
|
|
<meta http-equiv="CONTENT-TYPE" content="text/html; charset=utf-8">
|
|
<title>Security Policy</title>
|
|
|
|
<style type="text/css">
|
|
<!--
|
|
P { color: #000000 }
|
|
TD P { color: #000000 }
|
|
H1 { color: #000000 }
|
|
H2 { color: #000000 }
|
|
DT { color: #000000 }
|
|
DD { color: #000000 }
|
|
H3 { color: #000000 }
|
|
TH P { color: #000000 }
|
|
|
|
.q {
|
|
color : green;
|
|
font-weight: bold;
|
|
text-align: center;
|
|
font-style:italic;
|
|
}
|
|
|
|
.error {
|
|
color : red;
|
|
font-weight: bold;
|
|
text-align: center;
|
|
font-style:italic;
|
|
}
|
|
|
|
.change {
|
|
color : blue;
|
|
font-weight: bold;
|
|
}
|
|
-->
|
|
</style>
|
|
</head>
|
|
|
|
<body style="direction: ltr; color: rgb(0, 0, 0);" lang="en-GB">
|
|
<h1>Security Policy for CAcert Systems</h1>
|
|
<p><a href="PolicyOnPolicy.html"><img src="Images/cacert-wip.png" id="graphics1" alt="CAcert Security Policy Status == wip" align="bottom" border="0" height="33" width="90"></a>
|
|
<br>
|
|
Creation date: 2009-02-16<br>
|
|
Status: <i>work-in-progress</i>
|
|
</p>
|
|
|
|
<h2><a name="1">1.</a> INTRODUCTION</h2>
|
|
|
|
<h3><a name="1.1">1.1.</a> Motivation and Scope </h3>
|
|
<p>
|
|
This Security Policy sets out the policy
|
|
for the secure operation of the CAcert critical computer systems.
|
|
These computer systems include:
|
|
</p>
|
|
<ol><li>
|
|
Physical hardware mounting the logical services
|
|
</li><li>
|
|
Webserver + database (core server(s))
|
|
</li><li>
|
|
Signing service (signing server)
|
|
</li><li>
|
|
Support interface
|
|
</li><li>
|
|
Source code (changes and patches)
|
|
</li></ol>
|
|
|
|
<h4><a name="1.1.1">1.1.1.</a> Effected Personnel </h4>
|
|
|
|
<p>
|
|
These roles and teams are effected:
|
|
</p>
|
|
|
|
<ul><li>
|
|
Hardware Controllers (Oophaga)
|
|
</li><li>
|
|
Direct Hardware Access Systems Administrators
|
|
(as listed in Oophaga Appendix B Access List)
|
|
</li><li>
|
|
Application Administrators
|
|
(online access to critical systems at Unix level)
|
|
</li><li>
|
|
Support Team
|
|
(online access via administration interfaces)
|
|
</li><li>
|
|
Software Development Team
|
|
(approval of application code)
|
|
</li></ul>
|
|
|
|
<h4><a name="1.1.1">1.1.2.</a> Out of Scope </h4>
|
|
|
|
<p>
|
|
Non-critical systems are not covered by this manual,
|
|
but may be guided by it, and impacted where they are
|
|
found within the security context.
|
|
Architecture is out of scope, see CPS#6.2.
|
|
</p>
|
|
|
|
<h3><a name="1.2">1.2.</a> Principles </h3>
|
|
<p>
|
|
Important principles of this Security Policy are:
|
|
</p>
|
|
|
|
<ul><li>
|
|
<i>dual control</i> -- at least two individuals must control a task
|
|
</li><li>
|
|
<i>four eyes</i> -- at least two individuals must be present during a task,
|
|
one to execute and one to observe.
|
|
</li><li>
|
|
<i>redundancy</i> -- no single individual is the only one authorized
|
|
to perform a task.
|
|
</li><li>
|
|
<i>escrow</i> -- where critical information (backups, passwords)
|
|
is kept with other parties
|
|
</li><li>
|
|
<i>logging</i> -- where events are recorded in a file
|
|
</li><li>
|
|
<i>separation of concerns</i> -- when a core task is split between
|
|
two people from different areas
|
|
</li><li>
|
|
<i>Audit</i> -- where external reviewers do checks on practices and policies
|
|
</li></ul>
|
|
|
|
<p>
|
|
Each task or asset is covered by a variety of protections
|
|
deriving from the above principles.
|
|
</p>
|
|
|
|
<h3><a name="1.3">1.3.</a> Definition of Terms</h3>
|
|
<dl>
|
|
|
|
<dt><i>Systems Administrator</i> </dt>
|
|
<dd>
|
|
A Member who manages a critial system, and has access
|
|
to security-sensitive functions or data.
|
|
</dd>
|
|
|
|
</dl>
|
|
|
|
<h3><a name="1.4">1.4.</a> Documents and Version control</h3>
|
|
|
|
<h4><a name="1.4.1">1.4.1.</a> The Security Policy Document </h4>
|
|
<p>
|
|
This Security Policy is part of the configuration-control specification
|
|
for audit purposes (DRC).
|
|
It is under the control of Policy on Policy for version purposes.
|
|
</p>
|
|
|
|
<p>
|
|
This policy document says what is done, rather than how to do it.
|
|
</p>
|
|
|
|
<h4><a name="1.4.2">1.4.2.</a> The Security Manual (Practices) Document </h4>
|
|
|
|
<p>
|
|
This Policy explicitly defers detailed security practices to the
|
|
<a href="http://wiki.cacert.org/wiki/SecurityManual">Security Manual</a>
|
|
("SM"),
|
|
The SM says how things are done.
|
|
As practices are things that vary from time to time,
|
|
including between each event of practice,
|
|
the SM is under the direct control of the Systems Administration team.
|
|
It is located and version-controlled on the CAcert wiki.
|
|
</p>
|
|
|
|
<h4><a name="1.4.3">1.4.3.</a> The Security Procedures </h4>
|
|
|
|
<p>
|
|
The team leaders may from time to time
|
|
explicitly defer single, cohesive components of the
|
|
security practices into separate procedures documents.
|
|
Each procedure should be managed in a wiki page under
|
|
their control, probably at
|
|
<a href="http://wiki.cacert.org/wiki/SystemAdministration/Procedures">
|
|
SystemAdministration/Procedures</a>.
|
|
Each procedure must be referenced explicitly in the Security Manual.
|
|
</p>
|
|
|
|
<h2><a name="2">2.</a> PHYSICAL SECURITY</h2>
|
|
|
|
|
|
|
|
<p>
|
|
Physical assets and security procedures are generally provided and maintained as set forth in the Memorandum of Understanding between CAcert and Stichting Oophaga Foundation of 10 July 2007, and as amended from time to time. Approval of both boards of CAcert and Oophaga is required for changes to the MoU.
|
|
</p>
|
|
|
|
<p>
|
|
The MoU places responsibility for the physical assets (hardware), hosting and for control of access to the hardware with Oophaga.
|
|
</p>
|
|
|
|
<h3><a name="2.1">2.1.</a> Facility </h3>
|
|
|
|
<p>
|
|
CAcert shall host critical servers in a highly secure facility.
|
|
There shall be independent verification of the physical and
|
|
access security.
|
|
</p>
|
|
|
|
<h3><a name="2.2">2.2.</a> Physical Assets </h3>
|
|
|
|
<ul class="q"><li>
|
|
Big question here is whether Oophaga falls inside SP/SM or not.
|
|
</li><li>
|
|
2nd Big Question is whether Oophaga is in SP or in SM.
|
|
</li></ul>
|
|
|
|
<h4><a name="2.2.1">2.2.1.</a> Computers </h4>
|
|
<p>
|
|
Computers shall be inventoried before being put into service.
|
|
Inventory list shall be available to all Systems Administrators.
|
|
Units shall have nickname clearly marked on front and rear of chassis.
|
|
Machines shall be housed in secured facilities (cages and/or locked racks).
|
|
</p>
|
|
|
|
<h4><a name="2.2.1.1">2.2.1.1</a> Acquisition </h4>
|
|
<p>
|
|
Acquisition of new equipment that is subject to a
|
|
pre-purchase security risk must be done from a
|
|
vendor that is regularly and commercially in business.
|
|
Precautions must be taken to prevent equipment being
|
|
prepared in advance.
|
|
</p>
|
|
|
|
<p>
|
|
Acquisition may be done by CAcert systems administrators
|
|
but the ownership and control of the hardware transfers
|
|
to Oophaga the moment the equipment is in use.
|
|
</p>
|
|
|
|
<h4><a name="2.2.2">2.2.2.</a> Cables </h4>
|
|
|
|
<p>
|
|
Cabling to all equipment shall be labeled at both ends
|
|
with identification of end points.
|
|
</p>
|
|
|
|
<h4><a name="2.2.3">2.2.3.</a> Media </h4>
|
|
|
|
<h4><a name="2.2.3.1">2.2.3.1</a> Provisioning </h4>
|
|
|
|
<p>
|
|
Storage media (disk drives, tapes, removable media)
|
|
are inventoried upon acquisition.
|
|
CAcert system administrators will report any changes
|
|
in the use or location of the media to the routine
|
|
logging list for update to the inventory.
|
|
</p>
|
|
|
|
<p>
|
|
New storage media (whether disk or removable) shall be
|
|
securely wiped and reformatted before use.
|
|
</p>
|
|
|
|
<h4><a name="2.2.3.2">2.2.3.2</a> Storage </h4>
|
|
|
|
<p>
|
|
Removable media shall be securely stored at all times,
|
|
including when not in use. When there is a change to
|
|
status of media, a report is made to the log specifying
|
|
the new status
|
|
(sysadmins present, steps taken, location of storage, etc).
|
|
Drives that are kept for reuse are wiped securely before storage.
|
|
Reuse can only be within critical systems.
|
|
</p>
|
|
|
|
<h4><a name="2.2.3.3">2.2.3.3</a> Retirement </h4>
|
|
|
|
<p>
|
|
Storage media that is exposed to critical data and is
|
|
to be retired from service shall be destroyed or otherwise secured.
|
|
The following steps are to be taken:
|
|
</p>
|
|
|
|
<ol><li>
|
|
The media is to be securely erased.
|
|
</li><li>
|
|
One of the following, in order of preference:
|
|
<ol type="a"><li>
|
|
rendered unreadable via physical means that
|
|
destroys the platters and electronics, or,
|
|
</li><li>
|
|
disposed of via a licensed disposal facility, or
|
|
</li><li>
|
|
sealed and stored securely until the data has expired.
|
|
The years of retirement and of expiry should be marked
|
|
by CAcert systems administrator.
|
|
</li></ol>
|
|
</li></ol>
|
|
|
|
<p>
|
|
Records of secure erasure and method of final disposal
|
|
shall be tracked in the asset inventory.
|
|
Where critical data is involved,
|
|
2 system administrators must sign-off on each step.
|
|
</p>
|
|
|
|
<h3><a name="2.3">2.3.</a> Physical Access </h3>
|
|
|
|
<p>
|
|
In accordance with the principle of dual control,
|
|
at least two persons authorized for access must
|
|
be on-site at the same time for physical access to be granted.
|
|
</p>
|
|
|
|
<h4><a name="2.3.1">2.3.1.</a> Access Authorisation </h4>
|
|
|
|
<p>
|
|
Access to physical equipment must be authorised.
|
|
</p>
|
|
|
|
<h4><a name="2.3.2">2.3.2.</a> Access Profiles </h4>
|
|
|
|
<p>
|
|
The Security Manual must present the different access profiles.
|
|
At least one CAcert systems administrator will be present for
|
|
logical access to CAcert critical servers.
|
|
Only the most basic and safest of accesses should be done with
|
|
one CAcert systems administrator present.
|
|
Others must not access the data.
|
|
</p>
|
|
|
|
<h4><a name="2.3.3">2.3.3.</a> Access Logging </h4>
|
|
|
|
<p>
|
|
All physical accesses are logged and reported to all.
|
|
</p>
|
|
|
|
<h4><a name="2.3.4">2.3.4.</a> Emergency Access </h4>
|
|
|
|
<p>
|
|
There is no procedure for emergency access.
|
|
If emergency access is gained,
|
|
this must be reported and justified immediately.
|
|
See DPR.
|
|
</p>
|
|
|
|
<h4><a name="2.3.5">2.3.5.</a> Physical Security codes & devices </h4>
|
|
|
|
<p>
|
|
All personel who are in possession of physical security
|
|
codes and devices (keys) are to be authorised and documented.
|
|
</p>
|
|
|
|
|
|
|
|
<h2><a name="3">3.</a> LOGICAL SECURITY</h2>
|
|
|
|
<h3><a name="3.1">3.1.</a> Network </h3>
|
|
<h4><a name="3.1.1">3.1.1.</a> Infrastructure </h4>
|
|
|
|
<p>
|
|
Current and complete diagrams of the physical and logical CAcert network infrastructure shall be maintained by systems administration team leader. These diagrams should include cabling information, physical port configuration details, and expected/allowed data flow directions, as applicable. Diagrams should be revision controlled, and must be updated when any change is made.
|
|
</p>
|
|
|
|
<h5> 3.1.1.1. External connectivity </h5>
|
|
|
|
<p>
|
|
Only such services as are required for normal operation should be visible externally; systems and servers which do not require access to the Internet for their normal operation must not be granted that access.
|
|
</p>
|
|
|
|
<h5> 3.1.1.2. Internal connectivity </h5>
|
|
|
|
<p>
|
|
System and server connections internal to the CAcert infrastructure should be kept to the minimum required for routine operations. Any new connectivity desired must be requested and approved by CAcert system administration team leader and then must be reflected in the appropriate infrastructure diagram(s).
|
|
</p>
|
|
|
|
|
|
<h4><a name="3.1.2">3.1.2.</a> Operating Configuration </h4>
|
|
|
|
<h5> 3.1.2.1. Ingress </h5>
|
|
|
|
<p>
|
|
All ports on which incoming traffic is expected shall be documented; traffic to other ports must be blocked. Unexpected traffic must be logged as an exception.
|
|
</p>
|
|
|
|
<h5> 3.1.2.2. Egress </h5>
|
|
|
|
<p>
|
|
All ports to which outbound traffic is initiated shall be documented; traffic to other ports must be blocked. Unexpected traffic must be logged as an exception.
|
|
</p>
|
|
|
|
<h4><a name="3.1.3">3.1.3.</a> Intrusion detection </h4>
|
|
|
|
<p class="q">
|
|
(iang:) this one is covered in DRC-A.5.f. which says: "The security manual describes how computer systems are configured and updated to protect them against hostile intrusion, unauthorized electronic access, and "malware" and how individuals are authorized to perform those tasks."
|
|
</p>
|
|
|
|
<p>
|
|
Logs should be examined regularly (by manual or automatic means) for unusual patterns and/or traffic; anomalies should be investigated as they are discovered and should be reported to appropriate personnel in near-real-time (e.g. text message, email) and investigated as soon as possible. Suspicious activity which may indicate an actual system intrusion or compromise should trigger the incident response protocol described in section 5.1.
|
|
</p>
|
|
|
|
<h3><a name="3.2">3.2.</a> Operating System </h3>
|
|
|
|
<p>
|
|
Any operating system used for critical server machines must be available under an OSI-approved open source software license.
|
|
</p>
|
|
|
|
<h4> 3.2.1. Disk Encryption </h4>
|
|
|
|
<p>
|
|
Any operating system used for critical server machines must support software full-disk or disk volume encryption, and this encryption option must be enabled for all relevant disks/volumes when the operating system is first installed on the machine.
|
|
</p>
|
|
|
|
|
|
<h4> 3.2.2. Operating configuration </h4>
|
|
|
|
<p>
|
|
Servers must enable only the operating system functions required to support the necessary services. Options and packages chosen at OS install shall be documented, and newly-installed systems must be inspected to ensure that only required services are active, and their functionality is limited through configuration options. Any required application software must follow similar techniques to ensure minimal exposure footprint.
|
|
</p>
|
|
|
|
<p>
|
|
Documentation for installing and configuring servers with the appropriate software packages and configurations will be maintained by the system administrators in the wiki.
|
|
</p>
|
|
|
|
|
|
<h4> 3.2.3. Patching </h4>
|
|
|
|
<p class="q">A.1.i, A.1.k:</p>
|
|
|
|
<p>
|
|
Software used on production servers must be kept current with respect to patches affecting software security. Patch application is governed by CCS and must be approved by the systems administration team leader, fully documented in the logs and reported by email to the systems administration list on completion (see §4.2).
|
|
</p>
|
|
|
|
<h5> 3.2.3.1. “emergency” patching </h5>
|
|
|
|
<p>
|
|
Application of a patch is deemed an <i>emergency</i>
|
|
when a remote exploit for a weakness in the particular piece
|
|
of software has become known
|
|
(on servers allowing direct local user access,
|
|
an emergent local exploit may also be deemed to be an emergency).
|
|
Application of patches in this case may occur as soon as possible,
|
|
bypassing the normal configuration-change process.
|
|
The systems administration team leader must either approve the patch,
|
|
instruct remedial action, or refer the case to dispute resolution.
|
|
</p>
|
|
|
|
<p>
|
|
<b>
|
|
Declaration of an emergency patching situation should not occur with any regularity.
|
|
</b>
|
|
Emergency patch events must be documented within the regular summaries to Board.
|
|
</p>
|
|
|
|
<h3> 3.3. Application </h3>
|
|
|
|
<p class="q">
|
|
This section deals with applications written in-house.<br>
|
|
CPS 6.6 refers to this section for all info.
|
|
</p>
|
|
|
|
<p>
|
|
Software development takes place on various test systems (not a critical system). See §7. Once offered by Software Development (team), system administration team leader has to approve the installation of each release or patch.
|
|
</p>
|
|
|
|
<p>
|
|
Any changes made to source code must be referred back to software development.
|
|
</p>
|
|
|
|
<h3> 3.4. Access control </h3>
|
|
|
|
<p>
|
|
General user access to CAcert services shall normally be conducted through a web-based application interface. Features are made available according to Assurance Points and direct permissions.
|
|
</p>
|
|
|
|
<p>
|
|
Direct Permissions are managed by the Application to enable special online administrators from the Support Team access to certain functions.
|
|
</p>
|
|
|
|
<p>
|
|
Direct command-line access to critical systems shall only be granted to systems administrators designated on the Remote and Virtual Access and Contact List (SSH Access List). Systems administrators who appear on the CAcert _Access_ List in the MoU, Appendix B, are implied to be on the SSH Access List.
|
|
</p>
|
|
|
|
<ul class="q">
|
|
<li> this means that Oophaga have a veto on the administrators who can remote access the data. </li>
|
|
<li> yet Oophaga have no view over the data, nor authority. </li>
|
|
<li> Probably the list has to be split into two, one in the MoU framework, and another purely managed by CAcert. </li>
|
|
</ul>
|
|
|
|
<h4> 3.4.1. Authorisation </h4>
|
|
|
|
<p>
|
|
The access control lists are:
|
|
</p>
|
|
|
|
<ul><li>
|
|
Online support team members,
|
|
managed by the Systems Administration team leader.
|
|
</li><li>
|
|
SSH Access List, maintained by the Systems Administration team leader.
|
|
</li></ul>
|
|
|
|
<p>
|
|
Changes to the above lists are approved by the board.
|
|
</p>
|
|
|
|
<h4> 3.4.2. Authentication </h4>
|
|
|
|
<p>
|
|
A strong method of authentication is used and documented.
|
|
</p>
|
|
|
|
<h4> 3.4.3. Removing access </h4>
|
|
|
|
<p>
|
|
Upon resignation from systems administration team, or determination by two members of the OS access list that access is no longer required, an entity's access to CAcert systems may be be temporarily removed. The removal is made permanent when the Board approves the change to the Access List.
|
|
</p>
|
|
|
|
<p class="q">Maybe easier just to say, on direction of the Arbitrator.</p>
|
|
|
|
|
|
|
|
|
|
|
|
<h2> <a name="4">4.</a> OPERATIONAL SECURITY </h2>
|
|
|
|
<h3> <a name="4.1">4.1.</a> System administration </h3>
|
|
|
|
<p>
|
|
Primary systems administration tasks shall be conducted under four eyes principle.
|
|
These shall include
|
|
backup performance verification,
|
|
log inspection,
|
|
software patch identification and application,
|
|
account creation and deletion,
|
|
and hardware maintenance.
|
|
</p>
|
|
|
|
<p>
|
|
System administrators must pass a background check and comply with all applicable policies in force.
|
|
</p>
|
|
|
|
<h4> <a name="4.1.1">4.1.1.</a> Privileged accounts and passwords </h4>
|
|
<p>
|
|
Access to Accounts (root and user via SSH or console) must be strictly controlled.
|
|
Passwords and passphrases entered into the systems will be kept private
|
|
to CAcert sysadmins in all cases.
|
|
</p>
|
|
|
|
<h5> <a name="4.1.1.1">4.1.1.1.</a> Authorized users </h5>
|
|
<p>
|
|
Only system administrators designated on the Access List
|
|
shall be authorized to access accounts.
|
|
</p>
|
|
|
|
<p class="q">Assumes above that there is no reason to have access
|
|
to a Unix-level account on the critical machines unless on the Access List.</p>
|
|
|
|
<h5> <a name="4.1.1.2">4.1.1.2.</a> Access to </h5>
|
|
<p>
|
|
All remote communications for systems administration purposes is encrypted,
|
|
logged and monitored.
|
|
</p>
|
|
|
|
<h5> <a name="4.1.1.3">4.1.1.3.</a> Changing </h5>
|
|
|
|
<p>
|
|
Passwords must be kept secure.
|
|
The procedure for changing passwords should be documented.
|
|
</p>
|
|
|
|
<h4> <a name="4.1.2">4.1.2.</a> Required staff response time </h4>
|
|
<p>
|
|
Response times should be documented.
|
|
</p>
|
|
|
|
<h4> <a name="4.1.3">4.1.3.</a> Change management procedures </h4>
|
|
<p>
|
|
All changes made to system configuration must be recorded.
|
|
</p>
|
|
|
|
<h3> <a name="4.2">4.2.</a> Logging </h3>
|
|
|
|
<h4> <a name="4.2.1">4.2.1.</a> Coverage </h4>
|
|
|
|
<p>
|
|
Logs shall be maintained for:
|
|
</p>
|
|
|
|
<ul>
|
|
<li> anomalous network traffic, </li>
|
|
<li> system activities and events, </li>
|
|
<li> application (certificate, web, mail, and database) events, </li>
|
|
<li> "Comms Module" requests for certificate signing on both the cryptographic module (signing server) and the main online server, </li>
|
|
<li> login and root access, </li>
|
|
<li> configuration changes. </li>
|
|
</ul>
|
|
|
|
<h4> <a name="4.2.2">4.2.2.</a> Access and Security </h4>
|
|
|
|
<p>
|
|
Access to logs must be restricted.
|
|
The security of the logs should be documented.
|
|
The records retention should be documented.
|
|
</p>
|
|
|
|
<h4> <a name="4.2.3">4.2.3.</a> Automated logs </h4>
|
|
<p>
|
|
Logging should be automated,
|
|
and use should be made of appropriate system-provided automated tools.
|
|
Automated logs should be reviewed periodically;
|
|
suspicious events should be flagged and investigated in a timely fashion.
|
|
</p>
|
|
|
|
<h4> <a name="4.2.4">4.2.4.</a> Operational (manual) logs </h4>
|
|
<p>
|
|
Configuration changes, no matter how small, must be logged.
|
|
Access to this log shall be restricted.
|
|
</p>
|
|
|
|
<p>
|
|
All physical visits will be logged and a report provided by the accessor.
|
|
</p>
|
|
|
|
<h3> <a name="4.3">4.3.</a> Backup </h3>
|
|
|
|
<p>
|
|
The procedure for all backups must be documented,
|
|
according to the following sub-headings.
|
|
</p>
|
|
|
|
<h4> <a name="4.3.1">4.3.1.</a> Type </h4>
|
|
<p>
|
|
Backups must be taken for operational
|
|
and for disaster recovery purposes ("offline").
|
|
Disaster recovery backups must be offline and remote.
|
|
Operational backups may be online and local.
|
|
</p>
|
|
|
|
<h4> <a name="4.3.2">4.3.2.</a> Frequency </h4>
|
|
<p>Document.</p>
|
|
|
|
<h4> <a name="4.3.3">4.3.3.</a> Storage </h4>
|
|
<p>
|
|
Backups must be protected to the same level as the critical systems themselves.
|
|
Offline backups should be distributed.
|
|
</p>
|
|
|
|
<h4> <a name="4.3.4">4.3.4.</a> Retention period and Re-use </h4>
|
|
<p>Document.</p>
|
|
|
|
<h4> <a name="4.3.5">4.3.5.</a> Encryption </h4>
|
|
<p>
|
|
Backups must be encrypted and must only be transmitted via secured channels.
|
|
Off-site backups must be dual-encrypted using divergent methods.
|
|
</p>
|
|
|
|
<h4> <a name="4.3.6">4.3.6.</a> Verifying Backups </h4>
|
|
<p>
|
|
Two CAcert system administrators must be
|
|
present for verification of a backup.
|
|
Four eyes principle must be maintained when the key and backup are together.
|
|
For any other purpose than verification of the success of the backup, see next.
|
|
</p>
|
|
|
|
<h4> <a name="4.3.7">4.3.7.</a> Key Management </h4>
|
|
<p>
|
|
The encryption keys must be stored securely by the
|
|
CAcert systems administrators.
|
|
Paper documentation must be stored with manual backups.
|
|
</p>
|
|
|
|
<h4> <a name="4.3.8">4.3.8.</a> Reading Backups </h4>
|
|
<p>
|
|
Conditions and procedures for examining the backups for purposes
|
|
other than for verification must be documented
|
|
and must be under Arbitrator control.
|
|
</p>
|
|
|
|
<h3> <a name="4.4">4.4.</a> Data retention </h3>
|
|
|
|
<h4> <a name="4.4.1">4.4.1.</a> User data </h4>
|
|
|
|
<p>
|
|
Termination of user data is under direction of the Arbitrator.
|
|
See CCA.
|
|
</p>
|
|
|
|
<h4> <a name="4.4.2">4.4.2.</a> System logs </h4>
|
|
<p>Document.</p>
|
|
|
|
<h4> <a name="4.4.3">4.4.3.</a> Incident reports </h4>
|
|
<p>
|
|
The systems administration team leader is to maintain incident reports securely.
|
|
Access to incident reports is restricted.
|
|
</p>
|
|
|
|
<h3> <a name="4.5">4.5.</a> Cycling </h3>
|
|
<p>Document.</p>
|
|
|
|
|
|
|
|
<hr>
|
|
<a href="http://validator.w3.org/check?uri=referer"><img src="Images/valid-html401-blue.png" id="graphics2" alt="Valid HTML 4.01" align="right" border="0" height="33" width="90"></a>
|
|
<p>This is the end of the Security Policy.</p>
|
|
</body></html>
|