cabforum / netsec

Repository for the CA/Browser Forum Network Security Chartered Working Group

Adopt a High-Level Statement of Objectives #15

Closed BenWilson-Mozilla closed 3 months ago

BenWilson-Mozilla commented 2 years ago

An example of high-level criteria accomplished by the individual sections of the NCSSRs might include:

  1. CAs shall implement and maintain an Information Security Program.
  2. CAs shall implement a personnel security program. Persons serving in Trusted Roles shall act in a competent and trustworthy manner.
  3. CAs shall build and maintain secure networks and CA systems.
  4. CAs shall protect the confidentiality and integrity of keys and other data.
  5. CAs shall implement strong access control measures. (2)
  6. CAs shall regularly monitor and test [networks, systems, etc.] (3)
  7. CAs shall maintain a vulnerability and patch management program (4)
  8. Private keys corresponding to publicly trusted CAs shall be physically secured.
BenWilson-Mozilla commented 2 years ago

Additionally, the NetSec requirements should be re-categorized into the following domains:

PROGRAM MANAGEMENT (PM)
PM-1: CAs shall implement and maintain a Network and Systems Security Program.
...
PERSONNEL SECURITY (PS)
ACCESS CONTROL (AC)
NETWORK SECURITY (NS)
OFFLINE SYSTEMS (OL) or AIR-GAPPED (AG)
PHYSICAL AND ENVIRONMENTAL SECURITY (PE)
CONFIGURATION MANAGEMENT (CM)
MONITORING AND LOGGING (ML)
VULNERABILITY MANAGEMENT (VM)

BenWilson-Mozilla commented 2 years ago

Here is an example - https://drive.google.com/file/d/1HPMVQ6mCkEwbCl2c5e-1FbHy4TPb0PwQ/view?usp=sharing

clintwilson commented 3 months ago

Added in #33