Open daniel-ac-martin opened 5 months ago
I've been talking to HOCS to find a good way to link to their internal policies and standards. I've not got a solution just yet, but I'll DM a link across to you.
I would suggest that the requirement should be 'Secrets MUST be generated in line with HO standards', and then list (and preferably link) all the relevant standards for the different types of secrets.
Which content do you think should be reviewed?
SEGAS-00006: https://engineering.homeoffice.gov.uk/standards/managing-secrets/

Why do you think we should review this?
Is there a single standard policy that this refers to? If so, can we link to it?
If there is a standard policy, is it really up to scratch for production systems? For example, just because we would allow a user to have a 10-character-long password, that doesn't mean that a system-to-system password should be as short as that.
Also, passwords are not the only secret; we could probably also do with some certificate standards.
Most likely these standards will need to be overridable by the local cyber/infosec people, but I still think we would benefit from a good default position.

Do you have a suggestion for how this could be improved?
"Passwords for system accounts should be randomly generated, and at least X characters long." (Where X is quite a large number, but not so large as to break things. 64?)
I've previously defined a certificate standard (for a specific system) along these lines:
But that might need to be expanded upon and/or updated to be more stringent. (I defer to others on that.)
Please confirm the below
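As an added illustration of the "randomly generated, and at least X characters long" suggestion above (example code added here, not from the issue author, HOCS or the Home Office engineering guidance): it draws a system-account secret from the CSPRNG, reports how many bits of entropy a given length buys so the 10-character user password can be compared with a 64-character system secret, and checks a candidate against a minimum length. The alphabet, the 64 and 10 figures used as thresholds, and the function names are assumptions for the example, not values the standard specifies.

```python
import math
import secrets
import string

# Alphabet for generated system-account secrets: letters, digits and a few
# punctuation characters that pass cleanly through config files and
# environment variables. This is an assumption for the example, not
# something SEGAS-00006 specifies.
ALPHABET = string.ascii_letters + string.digits + "-_.~"

# Illustrative defaults only: 64 is the figure floated in the issue, 10 is the
# user-password length it contrasts with.
MIN_SYSTEM_SECRET_LEN = 64
MIN_USER_PASSWORD_LEN = 10


def generate_system_secret(length: int = MIN_SYSTEM_SECRET_LEN) -> str:
    """Return a uniformly random secret of `length` characters from ALPHABET.

    secrets.choice uses the OS CSPRNG; random.choice must not be used here."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy in bits of a string of `length` characters chosen uniformly
    and independently from an alphabet of `alphabet_size` symbols:
    each character contributes log2(alphabet_size) bits."""
    return length * math.log2(alphabet_size)


def check_system_secret(secret: str, min_length: int = MIN_SYSTEM_SECRET_LEN) -> list[str]:
    """Return the list of policy violations for `secret` (empty means it passes).

    Only length and alphabet can be checked after the fact; that the value was
    actually generated randomly has to be enforced at generation time, which is
    why generate_system_secret is the only sanctioned source."""
    problems = []
    if len(secret) < min_length:
        problems.append(f"too short: {len(secret)} < {min_length}")
    bad = sorted({c for c in secret if c not in ALPHABET})
    if bad:
        problems.append(f"characters outside the allowed alphabet: {bad!r}")
    return problems


if __name__ == "__main__":
    s = generate_system_secret()
    print(s, len(s), f"{entropy_bits(len(s)):.0f} bits", check_system_secret(s))
    print(f"{MIN_USER_PASSWORD_LEN}-char random password: "
          f"{entropy_bits(MIN_USER_PASSWORD_LEN):.0f} bits")
    print(check_system_secret("hunter2"))
```

With a 66-symbol alphabet a 10-character random password carries roughly 60 bits while a 64-character secret carries roughly 387 bits, which is the gap the issue is pointing at between a human-typed password and a system-to-system credential that nobody has to remember.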