Ballot SC34: Account Management
Purpose of Ballot
=================

Encourage the use of continuous monitoring for the identification of
access permissions on Certificate Systems that are no longer necessary
for operations.

Motivation
==========

Section 2(j) of the Network and Certificate System Security Requirements
("NSRs") provides that:

    Each CA or Delegated Third Party SHALL: [...] Review all system
    accounts at least every three (3) months and deactivate any accounts
    that are no longer necessary for operations;

Effectiveness of Human Reviews
------------------------------

This wording suggests that CAs should identify and remove obsolete access
permissions by performing human reviews of their Certificate Systems. In
a large CA environment, consisting of numerous systems and accounts,
such a human review is impractical to perform and therefore likely to be
less effective than the use of a monitoring solution.

Internal Consistency of the NSRs
--------------------------------

Ballot SC29 has made it a requirement that CAs continuously monitor
security relevant configurations and to alert on unauthorized changes so
that these can be addressed within at most twenty-four (24) hours.

This ballot proposes the use of a similar approach for access
permissions. It would be incoherent to require CAs to address security
relevant misconfigurations within 24 hours while allowing (a maximum of)
90 days for the detection of obsolete access permissions.

Terminology
-----------

This ballot proposes that the requirement in Section 2(j) shall apply to
"accounts and access permissions" generally. In its current version
Section 2(j) only applies to "system accounts" but that term was
considered ambiguous by the NetSec Subcommittee. A mapping of similar
provisions across the WebTrust Principles and Criteria yielded that all
types of accounts should be in scope of Section 2(j) because the
corresponding WebTrust requirements apply to "Access rights" and
"Logical access controls" generally. It would be surprising if there was
no corresponding requirement in the NSRs.

Data Sources
------------

The Subcommittee further considered whether a recommendation could be
added that CAs "SHOULD" perform some type of automatic comparison
between access configurations and HR systems, but did not want to
dictate one particular data source or method of implementation. Instead,
the Subcommittee believes that the CA's auditor will assess as part of
its test of design whether the data sources are appropriate for the
stated purpose of the requirement, namely to identify whether the
accounts and permissions are still "necessary for operation".
Tobias S. Josefowitz committed May 13, 2021
1 parent 47248d7 commit 3bf881b
Showing 1 changed file with 3 additions and 1 deletion.
4 changes: 3 additions & 1 deletion docs/NSR.md
@@ -142,7 +142,9 @@ h. Have a policy that requires Trusted Roles to log out of or lock workstations

i. Have a procedure to configure workstations with inactivity time-outs that log the user off or lock the workstation after a set time of inactivity without input from the user (the CA or Delegated Third Party MAY allow a workstation to remain active and unattended if the workstation is otherwise secured and running administrative tasks that would be interrupted by an inactivity time-out or system lock);

j. Review all system accounts at least every three (3) months and deactivate any accounts that are no longer necessary for operations;
j. Review accounts and access permissions at least every three (3) months or continuously monitor them for access that is no longer necessary for operation. Access that is identified to be no longer necessary for operation shall be removed.

If continuous monitoring is used, the approved access permission configurations shall be reviewed every six (6) months.

k. Lockout account access to Certificate Systems after no more than five (5) failed access attempts, provided that this security measure;
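Review bot: the new 2(j) text says access identified as no longer necessary "shall be removed" but sets no deadline for removal, so the continuous-monitoring path has no time bound comparable to the 24-hour window that SC29 gives for configuration changes and that the ballot motivation cites as the reason for this change; suggest adding a removal timeframe (e.g. "within N days of identification"). Two smaller points in the same lines: the new text uses lowercase "shall" twice where the section lead-in uses "SHALL", and "necessary for operation" (singular) replaces the previous "necessary for operations", so one form should be chosen. The added sentence on the six-month review introduces "approved access permission configurations" without saying what that refers to; a short definition, or a pointer to the monitoring baseline it is meant to cover, would make the requirement auditable.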

