5. PHYSICAL, PROCEDURAL, AND PERSONNEL SECURITY CONTROLS
Prev   Next

 5. PHYSICAL, PROCEDURAL, AND PERSONNEL SECURITY CONTROLS

5.1. Physical Controls

5.1.1. Site location and construction

The CESNET CA equipment SHALL be located within a dedicated closed room in the CESNET a. l. e. office area.

5.1.2. Physical access

The physical access to the CESNET CA operating room SHALL be allowed only to the CESNET CA authorized personnel. The keys to the operating room MUST not be taken out of the CESNET a. l. e. office area.

Unauthorized personnel and visitors who require access to secure areas must be escorted by authorized personnel at all times.

5.1.3. Power and air conditioning

The critical CESNET CA equipment is connected to uninterrupted power supply units.

5.1.4. Water exposures

The CESNET CA secure operating room is located on the fourth flour of the building in a building which is not in a flood zone.

5.1.5. Fire prevention and protection

The CESNET CA secure operating room MAY be provided with smoke detectors and/or a fire suppression system. The operating room is located in CESNET a. l. e. premises under continual control.

5.1.6. Media storage

All the media MUST be backed up and stored in fireproof safes in the CESNET a. l. e. office area. Critical backup media MUST also stored off-site (see Section 5.1.8).

5.1.7. Waste disposal

All CESNET CA paper waste MUST be shredded. Magnetic media MUST be physically/mechanically destroyed before disposal.

5.1.8. Off-site backup

Backups of CESNET CA computer operating system and CA software and CESNET CA private keys MUST be stored off site in a bank safe deposit box.

5.2. Procedural Controls

5.2.1. Trusted roles

Responsibilities at the CESNET CA are divided among different trusted roles:

  1. System Administrator is responsible for:

    1. The CESNET CA equipment maintenance and management.

    2. The security of the CESNET CA equipment.

    3. The regular backups.

  2. Security Officer is responsible for:

    1. CESNET CA signing key activation.

    2. Trusted roles assignment.

    3. Compliance with the CPS.

  3. Security Auditor is responsible for:

    1. Audit logs monitoring.

  4. Registration Authority Officer is responsible for:

    1. Authentication of identities.

  5. Security Trustee

    1. CESNET CA private key activation assistance.

Different roles can be occupied by one person.

5.2.2. Number of persons required per task

CESNET CA requires at least one Security Officer and one Security Trustee to activate its private signing key.

5.2.3. Identification and authentication for each role

No stipulation.

5.3. Personnel Controls

5.3.1. Background, qualifications, experience, and clearance requirements

No background checks or clearance procedures for trusted roles are required.

5.3.2. Background check procedures

No background checks or clearance procedures are required.

5.3.3. Training requirements

The CESNET CA personnel MUST be trained in:

  1. Basic PKI Concepts.

  2. The use and operation of the PKI software.

  3. The relevant CPs and CPSs.

  4. Computer security.

5.3.4. Retraining frequency and requirements

Training MUST be provided to the personnel at least annually.

Training in the use and operation of the PKI software MUST be provided whenever the software is updated.

Any changes in CPs and/or CPS MUST be communicated to the CESNET CA personnel as soon as possible.

5.3.5. Job rotation frequency and sequence

No job rotation has been defined.

5.3.6. Sanctions for unauthorized actions

Unauthorized actions will be dealt with by the director of CESNET a. l. e..

5.3.7. Contracting personnel requirements

Not applicable

5.3.8. Documentation supplied to personnel

The CESNET CA personnel SHOULD be supplied witch documentation including:

  • this CPS

  • all applicable CPs

  • documentation to the CA/RA software

Prev   Next
 4. OPERATIONAL REQUIREMENTS Home  6. TECHNICAL SECURITY CONTROLS