Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Reorder Section 4 and update from NSWG discussion
Based on discussion August 13, 2024, update Section 4. Also reordering 4 of the 5 subsections to be more "sequential"
- Loading branch information
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -469,30 +469,9 @@ These policies and procedures SHOULD apply to Security Support Systems. | |
|
|
||
| The CA MUST define an inventory of Certificate Systems. | ||
|
|
||
| #### 4.2 Intrusion Detection and Prevention | ||
|
|
||
| The CA MUST protect the inventory of Certificate Systems against common network and system threats using intrusion detection and prevention controls. | ||
This comment has been minimized.
Sorry, something went wrong. |
||
|
|
||
| Some common network and system threats include, but are not limited to: | ||
|
|
||
|
|
@@ -502,24 +481,47 @@ Some common network and system threats include, but are not limited to: | |
| * unauthorized access; and | ||
| * malicious data injection. | ||
|
|
||
| #### 4.3 Vulnerability Correction Process | ||
|
|
||
| The CA MUST document and follow a vulnerability correction process that includes: | ||
|
|
||
| 1. identification; | ||
| 1. review; | ||
| 1. response; and | ||
| 1. remediation. | ||
This comment has been minimized.
Sorry, something went wrong. 
dkluge
|
||
|
|
||
| #### 4.4 Vulnerability Identification | ||
|
|
||
| ##### 4.4.1 Penetration Testing | ||
|
|
||
| As part of the identification component of the CA's vulnerability correction process, the CA MUST define and follow a program for performing penetration tests that ensures: | ||
|
|
||
| 1. penetration tests are performed: | ||
| * at least on an annual basis; and | ||
| * after infrastructure or application changes that are organizationally defined as significant; and | ||
| 2. penetration tests are performed by a person or entity (or collective group thereof) with the requisite skills, tools, proficiency, code of ethics, and independence; and | ||
| 3. vulnerabilities identified during the penetration test are remediated using the vulnerability correction process in [Section 4.3](#43-vulnerability-correction-process). | ||
|
|
||
| #### 4.5 Vulnerability Management Timeframe | ||
|
|
||
| The CA MUST establish one or more timeframes for reviewing, responding to, and remediating all identified vulnerabilities. | ||
|
|
||
| Each timeframe MUST be established based on a risk assessment performed by the CA. | ||
|
|
||
| The risk assessment MUST be based on a documented security analysis. | ||
|
|
||
| The security analysis SHOULD take into account and address the following principles: | ||
|
|
||
| * criticality of assets; | ||
| * maintaining confidentiality, integrity, and availability of assets; | ||
| * risk tolerance; | ||
This comment has been minimized.
Sorry, something went wrong. |
||
| * regulatory requirements; | ||
| * likelihood and impact of exploitation; | ||
| * dependencies and interdependencies; | ||
| * remediation resource requirements; | ||
| * historical data; and | ||
| * present threat landscape. | ||
|
|
||
| The CA MUST ensure vulnerabilities are reviewed, responded to, and remediated in accordance with their established timeframe(s). | ||
|
|
||
| The CA MUST document in Section 6.7 of their Certificate Policy and/or Certification Practices Statement each timeframe established for responding to and remediating vulnerabilities. | ||
The CA MUST protect the systems in the inventory of Certificate Systems ...