The CESNET CA equipment SHALL be located within a dedicated closed room in the CESNET a.l.e. office area.
The physical access to the CESNET CA operating room SHALL be allowed only to the CESNET CA authorized personnel. The keys to the operating room MUST not be taken out of the CESNET a.l.e. office area.
Unauthorized personnel and visitors who require access to secure areas must be escorted by authorized personnel at all times.
The critical CESNET CA equipment is connected to uninterruptible power supply units.
The CESNET CA secure operating room is located on the fourth floor of a building which is not in a flood zone.
The CESNET CA secure operating room MAY be provided with smoke detectors and/or a fire suppression system.
All the media MUST be backed up and stored in fireproof safes in the CESNET a.l.e. office area. Critical backup media MUST also be stored off-site (see Section 5.1.8).
All CESNET CA paper waste MUST be shredded. Magnetic media MUST be physically/mechanically destroyed before disposal.
Weekly backups of the CESNET CA computer operating system, the CA software and the CESNET CA private keys MUST be stored off-site in a bank safe deposit box.
In order to prevent any one person from circumventing the entire system, responsibilities at the CESNET CA are divided among different trusted roles:
System Administrator is responsible for:
The CESNET CA equipment maintenance and management.
The security of the CESNET CA equipment.
The regular backups.
Certification Authority is responsible for:
Issuing certificates and CRLs.
Compliance with the CPS.
Security Auditor is responsible for:
Monitoring of audit logs.
Registration Authority is responsible for:
Authentication of identities.
Different roles can be occupied by one person.
The CESNET CA does not require the presence of more than one person to act within any role.
No stipulation.
No background checks or clearance procedures for trusted roles are required.
No background checks or clearance procedures are required.
The CESNET CA personnel MUST be trained in:
Basic PKI Concepts.
The use and operation of the PKI software.
The relevant CPs and CPSs.
Computer security.
Training MUST be provided to the personnel at least annually.
Training in the use and operation of the PKI software MUST be provided whenever the software is updated.
Any changes in CPs and/or CPS MUST be communicated to the CESNET CA personnel as soon as possible.
No job rotation has been defined.
Unauthorized actions will be dealt with by the director of CESNET a.l.e.
Not applicable.
The CESNET CA personnel SHOULD be supplied with documentation including:
this CPS
all applicable CPs
documentation for the CA/RA software