cacert-policies/ConfigurationControlSpecification.html
Ian Grigg b44b84a96a another attempt
git-svn-id: http://svn.cacert.org/CAcert/Policies@1741 14b1bab8-4ef6-0310-b690-991c95c89dfd
2009-12-31 20:02:37 +00:00

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="CONTENT-TYPE" content="text/html; charset=utf-8">
<title>Configuration Control Specification - work-in-progress</title>
<style type="text/css">
<!--
body {
font-family : verdana, helvetica, arial, sans-serif;
}
th {
text-align : left;
}
.q {
color : green;
font-weight: bold;
text-align: center;
font-style:italic;
}
.error {
color : red;
font-weight: bold;
text-align: center;
font-style:italic;
}
.change {
color : blue;
font-weight: bold;
}
a:hover {
color : gray;
}
-->
</style>
</head>
<body lang="en-GB">
<h1> Configuration Control Specification </h1>
<!-- Absolute URL because the policies are located absolutely. -->
<a href="http://www.cacert.org/policy/PolicyOnPolicy.php"><img align="right" src="Images/cacert-wip.png" alt="Configuration Control Specification Status == work-in-progress" border="0"></a><p>
Creation date: 20091214<br>
Status: <i>WIP </i><br><br>
<h3> <a name="1">1</a> <a name="Introduction"> Introduction </a> </h3>
<!-- This section from A.1.a through A.1.c -->
<p>
The Configuration Control Specification (CCS) controls and tracks those documents, processes and assets which are critical to the business, security and governance of the CAcert operations.
</p>
<p>
This document is the procedure for CCS.
This document itself is a component of the CCS.
All other documentation and process specified within
is derivative and is ruled by the CCS.
</p>
<h3> <a name="2">2</a> <a name="Documents"> Documents </a> </h3>
<!-- This section from A.1.c through A.1.h -->
<h4> <a name="2.1">2.1</a> <a name="doc_list"> Controlled Document List </a> </h4>
<p>
This CCS creates a list of Primary or "root" documents:
</p>
<hr>
<table>
<!-- Since is first date under control -->
<tr> <th><small>CAcert Official Document number</small></th> <th>Abbrev.</th> <th>Name</th> <th>Location</th> <th>Since</th> <th>Comments</th> </tr>
<tr>
<td> COD1 </td>
<td> PoP </td>
<td> Policy On Policy </td>
<td> <a href="http://www.cacert.org/policy/PolicyOnPolicy.php">http://www.cacert.org/policy/PolicyOnPolicy.php</a> </td>
<td> p20070822.... </td>
<td> covers all documents </td>
</tr>
<tr>
<td> COD2 </td>
<td> CCS </td>
<td> Configuration Control Specification </td>
<td> <a href="http://www.cacert.org/policy/ConfigurationControlSpecification.php">http://www.cacert.org/policy/ConfigurationControlSpecification.php</a> </td>
<td> 2010..... </td>
<td> this document </td>
</tr>
<tr>
<td> COD6 </td>
<td> CPS </td>
<td> Certification Practice Statement </td>
<td> <a href="http://www.cacert.org/policy/CertificationPracticeStatement.php">http://www.cacert.org/policy/CertificationPracticeStatement.php</a> </td>
<td> p200903xx.... </td>
<td> includes Certificate Policies </td>
</tr>
<tr>
<td> COD5 </td>
<td> PP </td>
<td> Privacy Policy </td>
<td> <a href="http://www.cacert.org/">http://www.cacert.org/</a> </td>
<td> 20060629 </td>
<td> <i> out of date </i> </td>
</tr>
<tr>
<td> 5 </td>
<td> SP </td>
<td> Security Policy </td>
<td> <a href="http://www.cacert.org/policy/SecurityPolicy.php">http://www.cacert.org/policy/SecurityPolicy.php</a> </td>
<td> p20090327 </td>
<td> . </td>
</tr>
<tr>
<td> 6 </td>
<td> CCA </td>
<td> CAcert Community Agreement </td>
<td> <a href="http://www.cacert.org/policy/CAcertCommunityAgreement.php">http://www.cacert.org/policy/CAcertCommunityAgreement.php</a> </td>
<td> p20070822... </td>
<td> Subscriber Agreement </td>
</tr>
<tr>
<td> COD4 </td>
<td> NRP-DaL </td>
<td> Non-Related Persons -- Disclaimer and Licence </td>
<td> <a href="http://www.cacert.org/policy/NRPDisclaimerAndLicence.php">http://www.cacert.org/policy/NRPDisclaimerAndLicence.php</a> </td>
<td> m20070918.1 </td>
<td> Relying Party Agreement </td>
</tr>
<tr>
<td> 7 </td>
<td> 3pv-DaL </td>
<td> 3rd Party Vendor -- Disclaimer and Licence </td>
<td> <a href="http://www.cacert.org/policy/3pvDisclaimerAndLicence.php">http://www.cacert.org/policy/3pvDisclaimerAndLicence.php</a> </td>
<td> p2010... </td>
<td> Distributor Agreement </td>
</tr>
<tr>
<td> COD7 </td>
<td> DRP </td>
<td> Dispute Resolution Policy </td>
<td> <a href="http://www.cacert.org/policy/DisputeResolutionPolicy.php">http://www.cacert.org/policy/DisputeResolutionPolicy.php</a> </td>
<td> m20070919.3 </td>
<td> . </td>
</tr>
<tr>
<td> 9 </td>
<td> AP </td>
<td> Assurance Policy </td>
<td> <a href="http://www.cacert.org/policy/DisputeResolutionPolicy.php">http://www.cacert.org/policy/DisputeResolutionPolicy.php</a> </td>
<td> p2010... </td>
<td> . </td>
</tr>
</table>
<hr>
<p>
Primary Documents may authorise other secondary documents
under the same process (PoP).
The Document Officer manages a controlled documents list
containing numbers, locations and versions of all controlled documents.
</p>
<h4> <a name="2.2">2.2</a> <a name="doc_change"> Change </a> </h4>
<p>
Overall responsibility for change to documents resides with the policy mailgroup, as specified in Policy on Policy. The CAcert Inc. board maintains a veto on new policies while in DRAFT. Fully approved documents (POLICY status) are published on the CAcert website at http://www.cacert.org/policy/ in plain HTML format.
</p>
<p>
Pre-approval work (DRAFT status) and working documents (work-in-progress status) are made available on publicly accessible version management systems (Subversion: http://svn.cacert.org/CAcert/Policies, wiki: http://wiki.cacert.org/wiki/PolicyDrafts).
</p>
<h4> <a name="2.3">2.3</a> <a name="doc_control"> Control </a> </h4>
<p>
CAcert policies are required to be owned by, or transferred to, CAcert. See PoP 6.2.
</p>
<h3> <a name="3">3</a> <a name="Hardware"> Hardware </a> </h3>
<!-- This section from A.1.j -->
<h4> <a name="3.1">3.1</a> <a name="hard_list"> Controlled Hardware List </a> </h4>
<p>
Critical systems are defined by Security Policy.
</p>
<h4> <a name="3.2">3.2</a> <a name="hard_change"> Change </a> </h4>
<p> See Security Policy. </p>
<h4> <a name="3.3">3.3</a> <a name="hard_control"> Control </a> </h4>
<p>
Control of Hardware is the ultimate responsibility of the Board of CAcert Inc.
The responsibility for acts with hardware is delegated
to Access Engineers and Systems Administrators as per
Security Policy.
The ownership responsibility is delegated by agreement to Oophaga.
</p>
<h3> <a name="4">4</a> <a name="Software"> Software </a> </h3>
<!-- This section from A.1.i -->
<h4> <a name="4.1">4.1</a> <a name="soft_list"> Controlled Software List </a> </h4>
<p>
Critical software is defined by Security Policy.
</p>
<h4> <a name="4.2">4.2</a> <a name="soft_change"> Change </a> </h4>
<p> See Security Policy. </p>
<h4> <a name="4.3">4.3</a> <a name="soft_control"> Control </a> </h4>
<p>
CAcert owns or requires full control over its code
by means of an approved free and open licence.
Such code must be identified and managed by Software Assessment.
</p>
<p>
Developers transfer full rights to CAcert
(in a similar fashion to documents),
or organise their contributions under a
proper free and open source code regime,
as approved by Board.
Where code is published
(beyond scope of this document),
care must be taken not to infringe licence conditions,
for example, mingling issues with the GPL.
</p>
<p>
The Software Assessment Team Leader
maintains a registry of assignments
of title or full licence,
and a registry of software under approved open source licences.
</p>
<h3> <a name="5">5</a> <a name="Logs"> Logs </a> </h3>
<!-- This section from A.1.k -->
<h4> <a name="5.1">5.1</a> <a name="logs_list"> Controlled Logs List </a> </h4>
<p>
Logs are defined by Security Policy.
</p>
<h4> <a name="5.2">5.2</a> <a name="logs_change"> Changes </a> </h4>
<p> Changes to Hardware and Software are logged according to Security Policy. </p>
<h4> <a name="5.3">5.3</a> <a name="logs_archive"> Archive </a> </h4>
<p> See Security Policy. </p>
</body></html>