Purpose of Ballot
=================

Encourage the use of continuous monitoring for the identification of access permissions on Certificate Systems that are no longer necessary for operations.

Motivation
==========

Section 2(j) of the Network and Certificate System Security Requirements ("NSRs") provides that:

    Each CA or Delegated Third Party SHALL: [...] Review all system accounts at least every three (3) months and deactivate any accounts that are no longer necessary for operations;

Effectiveness of Human Reviews
------------------------------

This wording suggests that CAs should identify and remove obsolete access permissions by performing human reviews of their Certificate Systems. In a large CA environment, consisting of numerous systems and accounts, such a human review is impractical to perform and therefore likely to be less effective than the use of a monitoring solution.

Internal Consistency of the NSRs
--------------------------------

Ballot SC29 has made it a requirement that CAs continuously monitor security-relevant configurations and alert on unauthorized changes so that these can be addressed within at most twenty-four (24) hours. This ballot proposes the use of a similar approach for access permissions. It would be incoherent to require CAs to address security-relevant misconfigurations within 24 hours while allowing (a maximum of) 90 days for the detection of obsolete access permissions.

Terminology
-----------

This ballot proposes that the requirement in Section 2(j) shall apply to "accounts and access permissions" generally. In its current version Section 2(j) only applies to "system accounts", but that term was considered ambiguous by the NetSec Subcommittee. A mapping of similar provisions across the WebTrust Principles and Criteria yielded that all types of accounts should be in scope of Section 2(j), because the corresponding WebTrust requirements apply to "Access rights" and "Logical access controls" generally. It would be surprising if there was no corresponding requirement in the NSRs.

Data Sources
------------

The Subcommittee further considered whether a recommendation could be added that CAs "SHOULD" perform some type of automatic comparison between access configurations and HR systems, but did not want to dictate one particular data source or method of implementation. Instead, the Subcommittee believes that the CA's auditor will assess, as part of its test of design, whether the data sources are appropriate for the stated purpose of the requirement, namely to identify whether the accounts and permissions are still "necessary for operation".