bug 1131: Updated Policies based on new versions send by Policy Officer
[cacert-devel.git] / www / policy / ConfigurationControlSpecification.html
1 <!DOCTYPE html>
2 <html>
3 <head>
4 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" lang="en">
5 <title>Configuration-Control Specification</title>
6 <style type="text/css">
7 <!--
8 body {
9 font-family : verdana, helvetica, arial, sans-serif;
10 }
11 th {
12 text-align : left;
13 }
14 .comment {
15 color : steelblue;
16 }
17 .q {
18 color : green;
19 font-weight: bold;
20 text-align: center;
21 font-style:italic;
22 }
23 a:hover {
24 color : gray;
25 }
26 -->
27 </style>
28 </head>
29 <body lang="en-GB">
30 <h1> Configuration-Control Specification </h1>
31 <!-- Absolute URL because the policies are located absolutely. -->
32 <div class="comment">
33 <table width="100%">
34 <tbody>
35 <tr>
36 <td rowspan="2">
37 Name: CCS <a style="color: steelblue" href="https://svn.cacert.org/CAcert/Policies/ControlledDocumentList.html">COD2</a>
38 <br>
39 Creation Date : 20091214
40 <br>
41 Editor: Iang
42 <br>
43 Status: POLICY <a href="https://wiki.cacert.org/PolicyDecisions#p20140731">p20140731</a>
44 <br>
45 Licence: <a style="color: steelblue" href="https://wiki.cacert.org/Policy#Licence" title="this document is Copyright © CAcert Inc., licensed openly under CC-by-sa with all disputes resolved under DRP. More at wiki.cacert.org/Policy">CC-by-sa+DRP</a>
46
47 </td>
48 <td align="right" valign="top">
49 <a href="https://www.cacert.org/policy/PolicyOnPolicy.php">
50 <img src="images/cacert-policy.png" alt="CCA Status - POLICY" style="border-style: none;" height="31" width="88">
51 </a>
52 </td>
53 </tr>
54 </tbody>
55 </table>
56 </div>
57
58
59 <h3 id="g0.0.1">Introduction </h3>
60
61 <!-- This section from A.1.a through A.1.c -->
62
63 <p>
64 The Configuration-Control Specification (CCS COD2) controls and tracks
65 those documents, processes and assets which are critical to the
66 business, security and governance of the CAcert operations.
67 </p>
68
69 <p>
70 This document is the procedure for CCS.
71 This document itself is a component of the CCS,
72 see §2.
73 <!-- A.1.c The configuration-control specification controls its own revision process. -->
74 All other documentation and process specified within
75 is derivative and is ruled by the CCS.
76 </p>
77
78 <p>
79 CCS is formated, inspired and designed to meet the needs of
80 David Ross Criteria -
81 <a href="http://rossde.com/CA_review/">Certificate Authority Review Checklist</a>
82 - section A.1 (DRC-A.1)
83 CCS may be seen as the index to systems audit under DRC.
84 </p>
85
86 <h3 id="g0.0.2">Documents </h3>
87
88 <!-- A.1.c-h: The configuration-control specification controls the revision process for the CCS,CP,CPS,PP,SP,R/L/O -->
89
90 <h4 id="g0.0.2.1">Controlled Document List </h4>
91
92 <p>
93 This CCS creates a
94 Controlled Document List (CDL)
95 of Primary or "root" documents known as Policies.
96 Primary documents may authorise other secondary documents
97 into the CDL, or "practices" outside the list.
98 </p>
99
100 <p>
101 The Controlled Document List
102 contains numbers, locations and status
103 of all controlled documents.
104 The list is part of this CCS.
105 </p>
106
107 <!-- See A.1.k, logging of documents. -->
108
109 <h4 id="g0.0.2.2">Change </h4>
110
111
112 <p>
113 Change to the documents
114 is as specified by
115 Policy on Policy (PoP).
116 Policy Officer is to manage the
117 <a href="https://svn.cacert.org/CAcert/Policies/ControlledDocumentList.html">CDL</a>.
118 </p>
119
120 <h4 id="g0.0.2.3">Control </h4>
121
122 <p>
123 CAcert policies are required to be owned / transferred to CAcert. See PoP 6.2.
124 </p>
125
126 <h3 id="g0.0.3">Hardware </h3>
127
128 <!-- This section from A.1.j -->
129
130 <h4 id="g0.0.3.1">Controlled Hardware List </h4>
131
132 <p>
133 Critical systems are defined by Security Policy.
134 </p>
135
136 <h4 id="g0.0.3.2">Change </h4>
137
138 <p> See Security Policy. </p>
139
140 <h4 id="g0.0.3.3">Control </h4>
141
142 <p>
143 Security Policy places executive responsibility for Hardware with the Board of CAcert Inc.
144 Access is delegated to Access Engineers (SP 2) and Systems Administrators (SP 3).
145 Legal ownership may be delegated by agreement to other organisations (SP 9.4).
146 </p>
147
148 <h3 id="g0.0.4">Software </h3>
149 <!-- A.1.i: The configuration-control specification controls changes to software involved in: certs; data; comms to public -->
150 <h4 id="g0.0.4.1">Controlled Software List </h4>
151
152 <p>
153 Critical software is defined by Security Policy.
154 </p>
155
156 <!--
157
158 <ul class="q">
159
160 <li> Following are questions for exec + audit, not policy.
161
162 <li>One thing that is not so well covered by CAcert is the last bullet point of A.1.i</li>
163
164 <li>"communicating with subscribers and with the general public."</li>
165
166 <li>website is under SP; maillists,blogs,etc are not.</li>
167
168 <li>as community has deliberately gone this direction, I suggest we argue it that way.</li>
169
170 <li> What is far more problematic is the failure to do CCA &amp; Challenge notification.</li>
171
172 <li> What about translingo and voting? </li>
173
174 <li> See <a href="https://lists.cacert.org/wws/arc/cacert-sysadm/2010-02/msg00008.html">thread</a> </li>
175 </ul>
176 -->
177
178 <h4 id="g0.0.4.2">Change </h4>
179
180 <p> See Security Policy. </p>
181
182 <h4 id="g0.0.4.3">Control </h4>
183
184 <p>
185 CAcert owns its code, or requires control over open source code in use
186 by means of an approved free and open licence.
187 Such code must be identified and managed by Software Assessment.
188 </p>
189
190 <p>
191 Developers transfer full rights to CAcert
192 (in a similar fashion to documents),
193 or organise their contributions under a
194 proper free and open source code regime,
195 as approved by Board.
196 Where code is published
197 (beyond scope of this document)
198 care must be taken not to infringe licence conditions.
199 For example, mingling issues with GPL.
200 </p>
201
202 <p>
203 The Software Assessment Team Leader
204 maintains a registry of assignments
205 of title or full licence,
206 and a registry of software under approved open source licences.
207 </p>
208
209 <h3 id="g0.0.5">Certificates </h3>
210
211 <!-- This section from A.1.b -->
212
213 <p> This section applies to Root and Sub-root certificates, not to End-entity (subscriber, member) certificates. </p>
214
215 <h4 id="g0.0.5.1">Certificates List </h4>
216
217 <p> Certificates (Root and sub-root) are to be listed in the CPS. </p>
218
219 <h4 id="g0.0.5.2">Changes </h4>
220
221 <p>
222 Creation and handling of Certificates
223 is controlled by Security Policy.
224 Usage of Certificates
225 is controlled by Certification Practice Statement.
226 </p>
227
228 <h4 id="g0.0.5.3">Archive </h4>
229
230 <p> See Security Policy. </p>
231
232 <h3 id="g0.0.6">Logs </h3>
233
234 <!-- This section from A.1.k -->
235
236 <h4 id="g0.0.6.1">Controlled Logs List </h4>
237
238 <p> Logs are defined by Security Policy. </p>
239
240 <h4 id="g0.0.6.2">Changes </h4>
241
242 <p> Changes to Hardware, Software and Root Certificates are logged according to Security Policy. </p>
243
244 <h4 id="g0.0.6.3">Archive </h4>
245
246 <p> See Security Policy. </p>
247
248 <h3 id="g0.0.7">Data </h3>
249
250 <!-- This section from A.1.i-j, bullets 2,3 -->
251
252 <h4 id="g0.0.7.1">Types of Data </h4>
253
254 <p>
255 Types of critical member data is defined by Assurance Policy.
256 </p>
257
258 <h4 id="g0.0.7.2">Changes </h4>
259
260 <p>
261 Changes and access to critical member data
262 is as defined under Assurance Policy,
263 CAcert Community Agreement and
264 Dispute Resolution Policy.
265 Implementation of
266 collection and storage of critical member data
267 (user interface software and databases)
268 is defined by Security Policy.
269 </p>
270
271 <h4 id="g0.0.7.3">Archive </h4>
272
273 <p>
274 Data retention is controlled by Security Policy and CAcert Community Agreement.
275 </p>
276 </body>
277 </html>