
Document structure #26

Closed
vanbroup opened this issue Dec 17, 2018 · 3 comments
@vanbroup

NSR.md contains four main sections with an alphabetical list of requirements. Can we split these requirements up into individual sub sections so that the document can be automatically parsed for adoption into a GRC system?

The biggest impact of this change is that we need to define a title for each requirement.

Now:

# 1. GENERAL PROTECTIONS FOR THE NETWORK AND SUPPORTING SYSTEMS

Each CA or Delegated Third Party SHALL:

a. Segment Certificate Systems into networks based on their functional or logical relationship, for example separate physical networks or VLANs;

b. Apply equivalent security controls to all systems co-located in the same network with a Certificate System;

Proposed:

# 1. GENERAL PROTECTIONS FOR THE NETWORK AND SUPPORTING SYSTEMS

Each CA or Delegated Third Party SHALL:

## 1.a. Network Segments
Segment Certificate Systems into networks based on their functional or logical relationship, for example separate physical networks or VLANs;

## 1.b. Security Controls
Apply equivalent security controls to all systems co-located in the same network with a Certificate System;

(I'm using ## 1.a instead of ## 1.1 to keep existing references to these sections)
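As an added illustration (not part of the issue or of the cabforum repository), here is a small Python parser for the proposed `## 1.a. Title` layout. It turns each requirement into a structured record (id, section, title, the "SHALL" preamble it inherits, and the requirement text), which is the kind of input a GRC system would import. It also flags the two things the proposal makes necessary: every requirement must carry a title, and the `N.x` identifier must match the enclosing `# N.` section. The sample document embedded below is constructed from the two requirements quoted in the issue plus a clearly made-up second section; it is not the real NSR.md.

```python
import json
import re

# Constructed sample in the proposed layout. Section 1 reproduces the two
# requirements quoted in the issue; section 2 is invented for illustration only.
SAMPLE_NSR = """\
# 1. GENERAL PROTECTIONS FOR THE NETWORK AND SUPPORTING SYSTEMS

Each CA or Delegated Third Party SHALL:

## 1.a. Network Segments
Segment Certificate Systems into networks based on their functional or logical relationship, for example separate physical networks or VLANs;

## 1.b. Security Controls
Apply equivalent security controls to all systems co-located in the same network with a Certificate System;

# 2. CONSTRUCTED SECTION (SAMPLE ONLY)

Each CA or Delegated Third Party SHALL:

## 2.a. Sample Title
Sample requirement text used only to show that a second section is parsed independently;
"""

# "# 1. TITLE"  -> top-level section number and title
SECTION_RE = re.compile(r"^#\s+(\d+)\.\s+(.+?)\s*$")
# "## 1.a. Title" (or "## 1.a Title") -> section number, letter, requirement title
REQ_RE = re.compile(r"^##\s+(\d+)\.([a-z]+)\.?\s*(.*?)\s*$")


def parse_requirements(markdown: str) -> list[dict]:
    """Parse the proposed NSR.md layout into one record per requirement.

    Raises ValueError when a requirement lacks a title, repeats an id, or
    sits under a section whose number does not match its own prefix.
    """
    records: list[dict] = []
    seen_ids: set[str] = set()
    section_num = section_title = None
    preamble: list[str] = []      # lines between "# N." and the first "## N.x"
    current: dict | None = None

    def flush() -> None:
        if current is not None:
            current["text"] = " ".join(current.pop("_lines"))
            records.append(current)

    for raw in markdown.splitlines():
        line = raw.strip()
        if m := SECTION_RE.match(line):
            flush()
            current = None
            section_num, section_title = m.group(1), m.group(2)
            preamble = []
            continue
        if m := REQ_RE.match(line):
            flush()
            num, letter, title = m.groups()
            req_id = f"{num}.{letter}"
            if not title:
                raise ValueError(f"requirement {req_id} has no title")
            if num != section_num:
                raise ValueError(f"requirement {req_id} found under section {section_num}")
            if req_id in seen_ids:
                raise ValueError(f"duplicate requirement id {req_id}")
            seen_ids.add(req_id)
            current = {
                "id": req_id,
                "section": section_title,
                "title": title,
                "context": " ".join(preamble),   # e.g. the inherited "SHALL:" clause
                "_lines": [],
            }
            continue
        if not line:
            continue
        if current is None:
            preamble.append(line)
        else:
            current["_lines"].append(line)
    flush()
    return records


def to_json(markdown: str) -> str:
    """Serialise the parsed requirements for import into a GRC tool."""
    return json.dumps(parse_requirements(markdown), indent=2)


if __name__ == "__main__":
    print(to_json(SAMPLE_NSR))
```

Because the identifier scheme `1.a`, `1.b` is kept as the issue proposes, the records line up with existing cross-references to the lettered items, while the title becomes a separate field rather than being guessed from the first words of the requirement.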

@RufusJWB

Wouldn't it make sense to integrate the NetSec Requirements into the chapters 5 and 6.5 to 6.7 of the BRGs?

@sleevi

sleevi commented Apr 5, 2021

A little of the document structure was touched on in 3df1fbc0d0ea14f8163d6fed6c64b1dc90dfee77 , although the revamp to full sections was not explored.

I'm not sure, however, how to interpret or generalize the requirements for a GRC system (presumably, governance, risk, and compliance?), and how section titles meaningfully improve that. However, it's something the NetSec subcommittee can continue to look at.

@barrini barrini transferred this issue from cabforum/servercert May 9, 2023
@clintwilson clintwilson self-assigned this Jan 30, 2024
@clintwilson

Document structure updated substantially in #33
