The CESNET CA equipment SHALL be located within a dedicated closed room in the CESNET a. l. e. office area.
Physical access to the CESNET CA operating room SHALL be allowed only to the CESNET CA authorized personnel. The keys to the operating room MUST NOT be taken out of the CESNET a. l. e. office area.
Unauthorized personnel and visitors who require access to secure areas must be escorted by authorized personnel at all times.
The critical CESNET CA equipment is connected to uninterrupted power supply units.
The CESNET CA secure operating room is located on the fourth floor of a building which is not in a flood zone.
The CESNET CA secure operating room MAY be provided with smoke detectors and/or a fire suppression system. The operating room is located in CESNET a. l. e. premises under continual control.
All the media MUST be backed up and stored in fireproof safes in the CESNET a. l. e. office area. Critical backup media MUST also be stored off-site (see Section 5.1.8).
All CESNET CA paper waste MUST be shredded. Magnetic media MUST be physically/mechanically destroyed before disposal.
Responsibilities at the CESNET CA are divided among different trusted roles:
System Administrator is responsible for:
The CESNET CA equipment maintenance and management.
The security of the CESNET CA equipment.
The regular backups.
Security Officer is responsible for:
CESNET CA signing key activation.
Trusted roles assignment.
Compliance with the CPS.
Security Auditor is responsible for:
Audit logs monitoring.
Registration Authority Officer is responsible for:
Authentication of identities.
Security Trustee is responsible for:
CESNET CA private key activation assistance.
Different roles can be occupied by one person.
CESNET CA requires at least one Security Officer and one Security Trustee to activate its private signing key.
No background checks or clearance procedures for trusted roles are required.
The CESNET CA personnel MUST be trained in:
Basic PKI Concepts.
The use and operation of the PKI software.
The relevant CPs and CPSs.
Computer security.
Training MUST be provided to the personnel at least annually.
Training in the use and operation of the PKI software MUST be provided whenever the software is updated.
Any changes in CPs and/or CPS MUST be communicated to the CESNET CA personnel as soon as possible.
Unauthorized actions will be dealt with by the director of CESNET a. l. e.