bug 1131: Yet some more updates by the Policy Officer
[cacert-devel.git] / www / policy / OrganisationAssurancePolicy.html
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" lang="en">
<title> Organisation Assurance Policy </title>
<style type="text/css">
<!--
.comment {
color : steelblue;
}
-->
</style>
</head>
<body>

<div class="comment">
<table width="100%">

<tbody>
<tr>
<td>
Name: OAP <a style="color: steelblue" href="https://svn.cacert.org/CAcert/Policies/ControlledDocumentList.html">COD11</a>
<br>

Status: POLICY <a href="https://wiki.cacert.org/PolicyDecisions#p20140731">p20140731</a>
<br>
Editor: Jens Paul
<br>
Licence: <a style="color: steelblue" href="https://wiki.cacert.org/Policy#Licence" title="this document is Copyright © CAcert Inc., licensed openly under CC-by-sa with all disputes resolved under DRP. More at wiki.cacert.org/Policy"> CC-by-sa+DRP </a>
<br>
</td>
<td align="right" valign="top">
<a href="https://www.cacert.org/policy/PolicyOnPolicy.php">
<img src="images/cacert-policy.png" alt="OAP Status - POLICY" style="border-style: none;" height="31" width="88">
</a>
</td>
</tr>
</tbody>
</table>
</div>

<h1> Organisation&nbsp;Assurance&nbsp;Policy </h1>

<h2 id="s0"> 0. Preliminaries </h2>

<p>
This policy describes how Organisation Assurers ("OAs")
conduct Assurances on Organisations.
It fits within the overall web-of-trust
or Assurance process of CAcert.
</p>

<p>
This policy is not a Controlled document, for purposes of
Configuration Control Specification ("CCS").
</p>

<h2 id="s1"> 1. Purpose </h2>

<p>
Organisations with assured status can issue certificates
directly with their own domains within.
</p>

<p>
The purpose and statement of the certificate remains
the same as with ordinary users (natural persons)
and as described in the CPS.
</p>

<ul><li>
The organisation named within is identified.
</li><li>
The organisation has been verified according
to this policy.
</li><li>
The organisation is within the jurisdiction
and can be taken to CAcert Arbitration.
</li></ul>


<h2 id="s2"> 2. Roles and Structure </h2>

<h3 id="s2.1"> 2.1 Assurance Officer </h3>

<p>
The Assurance Officer ("AO")
manages this policy and reports to the CAcert Inc. Committee ("Board").
</p>

<p>
The AO manages all OAs and is responsible for process,
the CAcert Organisation Assurance Programme ("COAP") form,
OA training and testing, manuals, quality control.
In these responsibilities, other Officers will assist.
</p>
<p>
The OA is appointed by the Board.
Where the OA is failing, the Board decides.
</p>

<h3 id="s2.2"> 2.2 Organisation Assurers </h3>

<ol type="a"> <li>
An OA must be an experienced Assurer
<ol type="i">
<li>Have 150 assurance points.</li>
<li>Be fully trained and tested on all general Assurance processes.</li>
</ol>

</li><li>
Must be trained as Organisation Assurer.
<ol type="i">
<li> Global knowledge: This policy. </li>
<li> Global knowledge: An OA manual covers how to do the process.</li>
<li> Local knowledge: legal forms of organisations within jurisdiction.</li>
<li> Basic governance. </li>
<li> Training may be done in a variety of ways,
such as on-the-job, etc. </li>
</ol>

</li><li>
Must be tested.
<ol type="i">
<li> Global test: Covers this policy and the process. </li>
<li> Local knowledge: Subsidiary Policy to specify. </li>
<li> Tests to be created, approved, run, verified
by CAcert only (not outsourced). </li>
<li> Tests are conducted manually, not online/automatic. </li>
<li> Documentation to be retained. </li>
<li> Tests may include on-the-job components. </li>
</ol>

</li><li>
Must be approved.
<ol type="i">
<li> Two supervising OAs must sign off on a new OA,
as trained, tested and passed.
</li>
<li> AO must sign off on a new OA,
as supervised, trained and tested.
</li>
</ol>
</li>
<li>The OA can decide, when a CAcert
(individual) Assurer
has done several OA Application Advises, to appoint this
person as OA Assurer.
</li>

</ol>

<h3 id="s2.3"> 2.3 Organisation Assurance Advisor ("OAA") </h3>
<p>
In countries/states/provinces where no OA Assurers are
operating for an OA Application (COAP), the OA
can be advised by an experienced local CAcert
(individual) Assurer to take the decision
to accept the OA Application (COAP) of the organisation.
</p>
<p>
The local Assurer must have at least 150 Points,
should know the language, and should know
the organisation trade office registry culture and quality.
</p>


<h3 id="s2.4"> 2.4 Organisation Administrator </h3>

<p>
The Administrator within each Organisation ("O-Admin")
is the one who handles the assurance requests
and the issuing of certificates.
</p>

<ol type="a"> <li>
O-Admin must be an Assurer
<ol type="i">
<li>Have 100 assurance points.</li>
<li>Fully trained and tested as Assurer.</li>
</ol>

</li><li>
Organisation is required to appoint an O-Admin,
and appoint further ones as required.
<ol type="i">
<li> On COAP Request Form.</li>
</ol>

</li><li>
O-Admin must work with an assigned OA.
<ol type="i">
<li> Have contact details.</li>
</ol>
</li>
</ol>


<h2 id="s3"> 3. Policies </h2>

<h3 id="s3.1"> 3.1 Policy </h3>

<p>
There is one policy, being this present document,
and several subsidiary policies.
</p>

<ol type="a">
<li> This policy authorises the creation of subsidiary policies. </li>
<li> This policy is international. </li>
<li> Subsidiary policies are implementations of the policy. </li>
<li> Organisations are assured under an appropriate subsidiary policy. </li>
</ol>

<h3 id="s3.2"> 3.2 Subsidiary Policies </h3>

<p>
The nature of the Subsidiary Policies ("SubPols"):
</p>

<ol type="a"><li>
SubPols are purposed to check the organisation
under the rules of the jurisdiction that creates the
organisation. This does not evidence an intention
by CAcert to
enter into the local jurisdiction, nor an intention
to impose the rules of that jurisdiction over any other
organisation.
CAcert assurances are conducted under the jurisdiction
of CAcert.
</li><li>
For OAs,
SubPol specifies the <i>tests of local knowledge</i>
including the local organisation assurance COAP forms.
</li><li>
For assurances,
SubPol specifies the <i>local documentation forms</i>
which are acceptable under this SubPol to meet the
standard.
</li><li>
SubPols are subjected to the normal
policy approval process.
</li></ol>

<h3 id="s3.3"> 3.3 Freedom to Assemble </h3>

<p>
Subsidiary Policies are open, accessible and free to enter.
</p>

<ol type="a"><li>
SubPols compete but are compatible.
</li><li>
No SubPol is a franchise.
</li><li>
Many will be on State or National lines,
reflecting the legal
tradition of organisations created
("incorporated") by states.
</li><li>
However, there is no need for strict national lines;
it is possible to have 2 SubPols in one country, or one
covering several countries with the same language
(e.g., Austria with Germany, England with Wales but not Scotland).
</li><li>
There could also be SubPols for special
organisations, one person organisations,
UN agencies, churches, etc.
</li><li>
Where it is appropriate to use the SubPol
in another situation (another country?), it
can be so approved.
(e.g., Austrian SubPol might be approved for Germany.)
The SubPol must record this approval.
</li></ol>


<h2 id="s4"> 4. Process </h2>

281
282 <h3 id="s4.1"> 4.1 Standard of Organisation Assurance </h3>
283 <p>
284 The essential standard of Organisation Assurance is:
285 </p>
286
287 <ol type="a"><li>
288 the organisation exists
289 </li><li>
290 the organisation name is correct and consistent:
291 <ol type="i">
292 <li>in official documents specified in SubPol.</li>
293 <li>on COAP form.</li>
294 <li>in CAcert database.</li>
295 <li>form or type of legal entity is consistent</li>
296 </ol>
297 </li><li>
298 signing rights:
299 requestor can sign on behalf of the organisation.
300 </li><li>
301 the organisation has agreed to the terms of the
302 CAcert Community Agreement
303 and is therefore subject to Arbitration.
304 </li></ol>
305
306 <p>
307 Acceptable documents to meet above standard
308 are stated in the SubPol.
309 </p>
310
311 <h3 id="s4.2"> 4.2 COAP </h3>
312 <p>
313 The COAP form documents the checks and the resultant
314 assurance results to meet the standard.
315 Additional information to be provided on form:
316 </p>
317
318 <ol type="a"><li>
319 CAcert account of O-Admin (email address?)
320 </li><li>
321 location:
322 <ol type="i">
323 <li>country (MUST).</li>
324 <li>city (MUST).</li>
325 <li>additional contact information (as required by SubPol).</li>
326 </ol>
327 </li><li>
328 administrator account name(s) (1 or more)
329 </li><li>
330 domain name(s)
331 </li><li>
332 Agreement with
333 CAcert Community Agreement.
334 Statement and initials box for organisation
335 and also for OA.
336 </li><li>
337 Date of completion of Assurance.
338 Records should be maintained for 7 years from
339 this date.
340 </li></ol>
341
342 <p>
343 The COAP should be in English. Where translations
344 are provided, they should be matched to the English,
345 and indication provided that the English is the
346 ruling language (due to Arbitration requirements).
347 </p>
348
349 <h3 id="s4.3"> 4.3 Jurisdiction </h3>
350
351 <p>
352 Organisation Assurances are carried out by
353 CAcert Inc. under its Arbitration jurisdiction.
354 Actions carried out by OAs are under this regime.
355 </p>
356
357 <ol type="a"><li>
358 The organisation has agreed to the terms of the
359 CAcert Community Agreement.
360 </li><li>
361 The organisation, the Organisation Assurers, CAcert and
362 other related parties are bound into CAcert's jurisdiction
363 and dispute resolution.
364 </li><li>
365 The OA is responsible for ensuring that the
366 organisation reads, understands, intends and
367 agrees to the
368 CAcert Community Agreement.
369 This OA responsibility should be recorded on COAP
370 (statement and initials box).
371 </li></ol>
372
<h2 id="s5"> 5. Exceptions </h2>


<ol type="a"><li>
<b> Conflicts of Interest.</b>
An OA must not assure an organisation in which
there is a close or direct relationship by, e.g.,
employment, family, financial interests.
Other conflicts of interest must be disclosed.
</li><li>
<b> Trusted Third Parties.</b>
TTPs are not generally approved to be part of
organisation assurance,
but may be approved by subsidiary policies according
to local needs.
</li><li>
<b>Exceptional Organisations.</b>
(e.g., Vatican, International Space Station, United Nations)
can be dealt with as a single-organisation
SubPol.
The OA creates the checks, documents them,
and subjects them to normal policy approval.
</li><li>
<b>DBA.</b>
Alternative names for organisations
(DBA, "doing business as")
can be added as long as they are proven independently.
E.g., registration as DBA or holding of registered trade mark.
This means that the Anglo law tradition of unregistered DBAs
is not accepted without further proof.
</li>
</ol>


</body>
</html>