
5   FACILITY, MANAGEMENT, AND OPERATIONAL CONTROLS

5.2.4.1   Activities Requiring Multiple Individuals

The following activities require two or more individuals to be present:

•   Physical access to the CA computing environment including associated network equipment;

•   Physical access to the Cryptomodules containing CA Keys;

•   Physical access to the activation material associated with the Cryptomodules containing CA Keys;

•   Physical access to the equipment containing CA root and Subordinate Certificates used to issue Subscriber Certificates;

•   Activities involving the creation or backup of Root Certificates or Subordinate Certificates, or the signing of OCSP materials;

•   Activities involving the receiving of new Cryptomodules; and

•   Activities involving the decommissioning or destruction of Cryptomodules.

5.3   Personnel Controls

5.3.1   Background, Qualifications, Experience, and Security Clearance Requirements

CAs, RAs, CSAs, and CMAs will formulate and follow personnel and management policies sufficient to provide reasonable assurance of the trustworthiness and competence of their employees and of the satisfactory performance of their duties in a manner consistent with this Policy.

5.3.2   Background Check Procedures

CAs will conduct an appropriate investigation of all personnel who serve in Trusted Roles prior to their employment and thereafter as necessary or as stipulated in organization policy, to verify their trustworthiness and competence in accordance with the requirements of this Policy and the CA’s personnel practices or equivalent. Personnel who fail an initial or subsequent investigation will not serve or continue to serve in a Trusted Role.

Page 45 of 83  

5.3.3   Training Requirements

The CA must ensure that all personnel performing managerial duties with respect to the operation of the CA and RAs receive suitable training in (i) CA/RA security principles and mechanisms; (ii) security awareness; (iii) all PKI software versions in use on the CA system; (iv) duties they are expected to perform; and (v) disaster recovery and business continuity procedures.

5.3.4   Retraining Frequency and Requirements

The requirements of Section 5.3.3 must be kept current to accommodate changes in the CA system.

Refresher training must be conducted as required.

5.3.5   Job Rotation Frequency and Sequence

This Policy makes no stipulation regarding frequency or sequence of job rotation.

5.3.6   Sanctions for Unauthorized Actions

In the event of actual or suspected unauthorized action by a person performing duties with respect to the operation of the CA or RA, the CA should suspend his or her access to the CA system.

5.3.7   Independent Contractor Requirements

The CA must ensure that contractor access to the CA site is in accordance with Section 5.1.1.

5.3.8   Documentation Supplied to Personnel

Documentation sufficient to define duties and procedures for each role will be provided to the personnel filling that role.

5.4   Audit Logging Procedures

5.4.1   Types of Events Recorded

The CA and each Delegated Third Party shall record details of the actions taken to process a certificate request and to issue a Certificate, including all information generated and documentation received in connection with the certificate request, the time and date, and the personnel involved. The CA shall make these records available to its Qualified Auditor as proof of the CA’s compliance with the CP, CPS, and the CA/B Forum Baseline Requirements.

The CA will record events related to CA servers and related equipment and applications, at a minimum including events that relate to the proper and secure function of the CA system, and the certificate life cycle items listed in Section 5.5.1. Events may be attributable to human action (in any role) or may be automatically invoked by the equipment. At a minimum, the information recorded will include the type of event, the date and time the event occurred, the source of the event, and the success or failure of a requested action.

Where possible, the audit data will be collected by automated means; when this is not possible, a logbook, paper form, or other physical mechanism will be used. Audit processes will be invoked at system startup, and will cease only at system shutdown. Should it become apparent that an automated audit system has failed and that redundant audit systems are not sufficient to provide needed audit logs, the affected component(s) will cease CA-related operations until the audit capability can be restored. If it is unacceptable to cease CA operation, other means will be employed to maintain audit capability.

5.4.2   Frequency of Log Review and Processing

The CA must ensure that its audit logs are reviewed by Trusted Role CA personnel at least weekly and all significant events are explained in an audit log summary. Such reviews may include both electronic and manual means, and may involve verifying that the log has not been tampered with, and then briefly inspecting all log entries, with a more thorough investigation of any alerts or irregularities in the logs.

The Trusted Role employee will validate the integrity of logging processes and ensure that monitoring, logging, alerting, and log-integrity-verification functions are operating properly (an in-house or third-party audit log reduction and analysis tool may be used). Supporting manual and electronic logs from the CA and RA should be compared where any action is deemed suspicious. Actions taken following these reviews must be documented.
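The following is an added illustration, not text or code from this Policy or from any CA's own system, of how the minimum record content required by Section 5.4.1 (event type, date and time, source, success or failure) and the weekly review of Section 5.4.2 (tamper check first, then a summary of significant events and failures) can be carried out by automated means. The hash-chained entry layout, the event-type names, the set of "significant" events and the sample entries are all constructed for this example; a real CA would define these in its CPS.

```python
"""Tamper-evident audit log with a weekly review pass (added example)."""
import copy
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS_HASH = "0" * 64  # anchor for the first entry in the chain

# Event types the review treats as "significant" (constructed set, not from the Policy).
SIGNIFICANT_EVENTS = {
    "cryptomodule_access", "cert_issue", "cert_revoke",
    "key_ceremony", "audit_log_delete",
}

# Start of the sample review week used by the demo below (constructed).
SAMPLE_WEEK_START = datetime(2024, 3, 4, tzinfo=timezone.utc)


def _canonical(record):
    # Stable serialisation so the same record always hashes the same way.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _entry_hash(prev_hash, record):
    # Each entry commits to its predecessor, so editing or dropping an
    # earlier entry invalidates every hash after it.
    return hashlib.sha256(prev_hash.encode("ascii") + _canonical(record)).hexdigest()


class AuditLog:
    def __init__(self):
        self.entries = []

    def append(self, event_type, source, success, occurred_at, **details):
        """Record the four minimum fields of 5.4.1 plus free-form details."""
        record = {
            "event_type": event_type,
            "timestamp": occurred_at.isoformat(),
            "source": source,
            "success": bool(success),
            "details": details,
        }
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        entry = {"record": record, "prev_hash": prev_hash,
                 "hash": _entry_hash(prev_hash, record)}
        self.entries.append(entry)
        return entry


def verify_chain(entries):
    """Return (True, None) if intact, else (False, index of first bad entry)."""
    prev_hash = GENESIS_HASH
    for index, entry in enumerate(entries):
        if entry["prev_hash"] != prev_hash:
            return False, index
        if _entry_hash(prev_hash, entry["record"]) != entry["hash"]:
            return False, index
        prev_hash = entry["hash"]
    return True, None


def weekly_review(entries, week_start):
    """Integrity check first, then the summary a reviewer would sign off on."""
    ok, bad_index = verify_chain(entries)
    week_end = week_start + timedelta(days=7)
    in_week = [e["record"] for e in entries
               if week_start <= datetime.fromisoformat(e["record"]["timestamp"]) < week_end]
    return {
        "chain_intact": ok,
        "first_bad_entry": bad_index,
        "entries_reviewed": len(in_week),
        "failures": [r for r in in_week if not r["success"]],
        "significant": [r for r in in_week if r["event_type"] in SIGNIFICANT_EVENTS],
    }


def build_sample_log():
    """Constructed sample entries for one review week."""
    log = AuditLog()
    t0 = SAMPLE_WEEK_START + timedelta(hours=9)
    log.append("system_startup", "ca-host-01", True, t0)
    log.append("cryptomodule_access", "ca-operator-a", True, t0 + timedelta(hours=1), witnesses=2)
    log.append("cert_issue", "ca-host-01", True, t0 + timedelta(hours=2), serial="0A1B")
    log.append("login", "ra-host-02", False, t0 + timedelta(days=2), reason="bad password")
    log.append("cert_revoke", "ca-host-01", True, t0 + timedelta(days=3), serial="0A1B")
    return log


def tampered_copy(log, index, new_success):
    """Simulate someone flipping a stored success flag without re-hashing."""
    entries = copy.deepcopy(log.entries)
    entries[index]["record"]["success"] = new_success
    return entries


if __name__ == "__main__":
    sample = build_sample_log()
    print(json.dumps(weekly_review(sample.entries, SAMPLE_WEEK_START), indent=2))
    print(verify_chain(tampered_copy(sample, 3, True)))
```

The review refuses to report on content before the chain check has passed, which is the order Section 5.4.2 prescribes; a break is reported by index so the reviewer can go straight to the first entry whose stored hash no longer matches. Hash chaining only detects modification of entries already written; it does not stop an attacker who controls the writer from appending false entries, which is why the Policy separately requires the audit process to run independently of the CA Operator.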

5.4.3   Retention Period for Audit Logs

The information generated on the CA equipment will be kept on the CA equipment until the information is moved to an appropriate archive facility. Deletion of the audit log from the CA equipment will be performed by a person performing a Trusted Role other than CA Operator. This Trusted Role will be identified in the CA’s CPS. Audit logs shall be retained as archive records in accordance with Section 5.5.2.

5.4.4   Protection of Audit Logs

The audit log, to the extent possible, will not be open for reading or modification by any human, or by any automated process other than those that perform audit processing. Audit logs that have not been archived must not be deleted. Any entity that does not have modification access to the audit log may archive it (note that deletion requires modification access). Audit data to be archived shall be moved to a safe, secure storage location separate from the CA equipment.

5.4.5   Audit Log Backup Procedures

Audit logs and audit summaries shall be backed up or copied if in manual form.

5.4.6   Audit Collection System (Internal vs. External)

This Policy makes no requirement for the audit log collection system to be external to the CA equipment.

The audit process shall run independently of the CA Operator and will not in any way be under the control of the CA Operator.

The CA shall identify those Certificate Systems under the control of the CA or Delegated Third Party Trusted Roles capable of monitoring and logging system activity and enable those systems to continuously monitor and log system activity.

5.4.7   Notification to Event-Causing Subject

Where an event is logged by the audit collection system no notice need be given to the individual, organization, device or application that caused the event.

5.4.8   Vulnerability Assessments

Events recorded by the audit process will be logged, in part, to monitor system vulnerabilities. The CA must ensure that a vulnerability assessment is performed, and reviewed, with remediation or mitigations performed in a timely manner, at least once yearly, or following examination of log events that show attempts or suspected attempts to breach the system.

The CA must undergo or perform a vulnerability scan for the following additional reasons:

1.   Within one week of receiving a request from the CA/Browser Forum;

2.   After any system or network changes that the CA determines are significant; and

3.   At least once per quarter, on public and private IP addresses identified by the CA or Delegated Third Party as the CA’s or Delegated Third Party’s Certificate systems.

The CA must also undergo a penetration test on itself and each Delegated Third Party’s Certificate Systems on at least an annual basis and after infrastructure or application upgrades or modifications that the CA determines are significant. The CA will also record evidence that each vulnerability scan and penetration test was performed by a person or entity (or collective group thereof) with the skills, tools, proficiency, code of ethics, and independence necessary to provide a reliable vulnerability scan or penetration test.

Should the CA or the CA discover a critical vulnerability during a penetration test not previously addressed by the CA’s vulnerability correction process, the following must be completed within 96 hours:

1.   The CA must remediate the critical vulnerability;

2.   If remediation of the critical vulnerability within 96 hours is not possible, create and implement a plan to mitigate the Critical Vulnerability, giving priority to:

a.   Vulnerabilities with high CVSS scores, starting with the vulnerabilities the CA determines are the most critical (such as those with a CVSS score of 10.0) and

b.   Systems that lack sufficient compensating controls that, if the vulnerability were left unmitigated, would allow external system control, code execution, privilege escalation, or system compromise; or

3.   Document the factual basis for the CA’s determination that the vulnerability does not require remediation because:

a.   The CA disagrees with the NVD rating;

b.   The identification is a false positive;

c.   The exploit of the vulnerability is prevented by compensating controls or an absence of threats; or

d.   Other similar reasons.
