Gatekeeper PKI Framework
ISBN 1 921182 24 5
Department of Finance and Deregulation
Australian Government Information Management Office
Commonwealth of Australia 2009

This work is copyright. Apart from any use as permitted under the Copyright Act 1968, no part may be reproduced by any process without prior written permission from the Commonwealth. Requests and inquiries concerning reproduction and rights should be addressed to the Commonwealth Copyright Administration, Attorney-General's Department, Robert Garran Offices, National Circuit, Barton ACT 2600 or posted at http://www.ag.gov.au/cca
Contents

FOREWORD
1. INTRODUCTION
   1.1 Overview
   1.2 System Overview
   1.3 RA Roles and Responsibilities
   1.4 Operation/Administrative Structure
   1.5 Assumptions, Standards and Reference Documents
2. PUBLICATIONS AND REPOSITORY RESPONSIBILITIES
   2.1 Publication
3. IDENTIFICATION AND VERIFICATION
   3.1 Types of Applications and Requests
   3.2 The Application Process
   3.3 Registration Process - the process and procedures in place for the collection of EOI information
       3.3.1 Purpose
       3.3.2 Steps involved
       3.3.3 Location
       3.3.4 Authority to register an application
   3.4 Verification, Authentication and Validation Processes
       3.4.1 Purpose
       3.4.2 Steps involved
       3.4.3 Location
       3.4.4 Authority to verify, authenticate and validate an application
   3.5 Renewal Request
   3.6 Revocation Request
4. RA OPERATIONAL REQUIREMENTS
   4.1 Hours of Operations and Business Continuity
5. FACILITY, MANAGEMENT AND OPERATIONAL CONTROLS
   5.1 Physical Security Controls
       5.1.1 Physical Controls
       5.1.2 Managing Physical Protection
       5.1.3 Breaches of Physical Security
   5.2 Procedural Controls
       5.2.1 Trusted Roles
       5.2.2 Document Amendment Procedures
       5.2.3 Logical Access Control
       5.2.4 Configuration Management
       5.2.5 Archiving and Recovery
       5.2.6 Control of Removable Media
       5.2.7 Storage/Handling Procedures
       5.2.8 Emergency and Standard Destruction Procedures
       5.2.9 Incident Management
   5.3 Personnel Security Controls
       5.3.1 Qualifications, Experience and Clearance Requirements
       5.3.2 Facility Security Officer
       5.3.3 Training Requirements
       5.3.4 Documentation
       5.3.5 Separation
   5.4 Audit Logging Procedures
   5.5 Records Archival
   5.6 Compromise and Disaster Recovery
   5.7 RA Termination
6. COMPLIANCE AUDITS AND OTHER ASSESSMENTS
7. OTHER BUSINESS AND LEGAL MATTERS
   7.1 Confidentiality of Information
FOREWORD

This document describes the content and structure of a Registration Authority (RA) Operations Manual. The RA Operations Manual is essentially an internal staff manual detailing the policies and procedures to be followed by staff for performing their day-to-day operations.

The RA Operations Manual should describe the methodologies followed in implementing policies and procedures identified as necessary in the Threat and Risk Analysis and documented in more detail in the Disaster Recovery and Business Continuity Plan (DRBCP) and the Security Profile (SEC1). All Gatekeeper documents referenced in this document are available at www.gatekeeper.gov.au.

The scope of Finance's review of the RA's Operations Manual is essentially a means of ensuring its consistency with the content of the DRBCP and SEC1. This Manual should contain appropriate cross references to both these documents. From the perspective of ease-of-use by RA staff, the Operations Manual should contain sufficient information to enable them to understand their roles and responsibilities without the need to cross reference a range of other documents in order to obtain that knowledge.

Where an applicant is seeking Gatekeeper accreditation as a Certification Authority (CA) and a RA, separate Operations Manuals should be prepared - one for the CA and one for the RA.

This document outlines procedures for preparation of the RA Operations Manual. Gatekeeper review of the RA Operations Manual will include consideration of environmental factors, technological and operational infrastructures, and the security infrastructure as it relates to the services being offered.

Note: An applicant that wishes to obtain Gatekeeper accreditation as a Registration Authority Extended Services should read this document as well as the Certification Authority.

Duplication of SEC1 information in the Operations Manual should be kept to a minimum to reduce the extent to which multiple documents are required to be edited when the RA's policies and procedures are revised, and to ensure that the security classification of the Operations Manual remains at an appropriate level to enable access by staff across the organisation.
Content and Structure

The RA Operations Manual should contain, at a minimum, the following information:
- the role of the RA;
- the Evidence of Identity (EOI) process undertaken by the RA on applicants requesting Digital Certificates;
- operational procedures describing the manner in which all nominated personnel employed within the RA perform any task undertaken within the RA;
- details of all emergency procedures in place, including reference to the DRBCP;
- detailed descriptions of the procedures followed for:
  - access control measures and procedures for RA facilities
  - backup and archive procedures
- details of all interaction between the RA and the CA;
- details of all operations consistent with those described in SEC1;
- relevant standards referenced throughout the document;
- graphics and functional flow diagrams to enhance the presentation of information in the Operations Manual. This will also assist Finance to develop an understanding of the nature of the proposed operations; and
- a complete Glossary of Terms used in the document.

Contact:
The Australian Government Information Management Office
Department of Finance and Deregulation
Phone: (02) 6215 1544
Email: gatekeeper@finance.gov.au
1. INTRODUCTION

1.1 Overview
Provide a general introduction to the document describing its purpose:
- what it is meant to achieve; and
- who it is for.

1.2 System Overview
Provide a descriptive paragraph and a system diagram of the total PKI system to the extent that it is known to the RA, including RA and CA interaction (Certificate application, EOI, delivery, acceptance and proof of possession).

1.3 RA Roles and Responsibilities
Describe:
- the roles and responsibilities of the RA; and
- the roles and functions of all staff from senior organisation management through to operational staff.

1.4 Operation/Administrative Structure
Provide an organisational diagram indicating the operation/administrative structure.

1.5 Assumptions, Standards and Reference Documents
List any underlying assumptions made in relation to this document and provide the justification or rationale for each. Provide details of standards applied and reference documents used within the Operations Manual.
2. PUBLICATIONS AND REPOSITORY RESPONSIBILITIES

This section should specify information on a range of legal and general practice topics.

2.1 Publication
Briefly describe how information concerning your organisation's operations is made available to staff. Provide details on:
- how and where the RA publishes information to its staff regarding its operational practices;
- the frequency of this publication; and
- how access to this information is controlled.

3. IDENTIFICATION AND VERIFICATION

This section should describe:
- the functions of the RA;
- the process and procedures in place for the collection of EOI information - the procedures used to register, verify, authenticate and validate an applicant requesting a Digital Certificate;
- how parties requesting revocation are verified, if applicable;
- the processes and procedures in place for Certificate suspension requests;
- the process and procedures in place for storing EOI information collected; and
- details of naming practices, including name ownership recognition and name dispute resolution processes.

3.1 Types of Applications and Requests
Briefly describe the following elements of the identification and authentication process for individual and entity registration:
- types of Digital Certificate applications;
- authentication requirements for the organisational identity of an applicant;
- authentication requirements for a person acting on behalf of an Organisation, including:
  - number of pieces of identification required
  - how a RA validates the pieces of identification provided
  - whether the individual must present personally to the authenticating RA
  - the EOI process undertaken and the CA/RA interface procedures
  - the requirements for processing and storing EOI documentation
  - guidelines for EOI checking procedures; and
- authentication requirements for additional certificate holders within an Organisation.

3.2 The Application Process
Detail the process by which an applicant obtains an application form.

3.3 Registration Process - the process and procedures in place for the collection of EOI information

3.3.1 Purpose
Describe the purpose of registration.

3.3.2 Steps involved
Outline the steps involved in registering an individual and an Organisation.

3.3.3 Location
State the location where registration is performed.

3.3.4 Authority to register an application
State who within the RA has the authority to register an applicant.

3.4 Verification, Authentication and Validation Processes

3.4.1 Purpose
Describe the purpose of verification, authentication and validation.
3.4.2 Steps involved
Outline the steps involved in verifying, authenticating and validating an individual and an entity.

3.4.3 Location
State the location where verification, authentication and validation are done.

3.4.4 Authority to verify, authenticate and validate an application
State who within the RA is responsible for verifying, authenticating and validating an application.

3.5 Renewal Request
Describe the identification and authentication process for Certificate renewal requests to the extent that this is known to the RA.

3.6 Revocation Request
Describe the identification and authentication process for Certificate revocation requests to the extent that this is known to the RA.

3.7 Suspension Request (if applicable)
Describe the processes for Certificate suspension requests to the extent that this is known to the RA:
- circumstances for suspension;
- who can request Certificate suspension;
- who is responsible within the RA for processing this request;
- procedures for Certificate suspension requests; and
- time lines.
4. RA OPERATIONAL REQUIREMENTS

This section should describe and detail the operational requirements of the RA. It should provide employees with working details of how the RA operates.

4.1 Hours of Operations and Business Continuity
Detail the hours of operation and the availability of services. Detail any external technical support, including contact details of external providers if applicable.

5. FACILITY, MANAGEMENT AND OPERATIONAL CONTROLS

5.1 Physical Security Controls

5.1.1 Physical Controls
Describe the physical controls on the facility housing the RA systems. Topics addressed should include:
- site location and construction;
- physical access;
- power and air conditioning;
- water exposures;
- fire prevention and protection;
- media storage;
- waste disposal;
- off-site backup;
- safe hand carriage; and
- intruder detection systems.
5.1.2 Managing Physical Protection
Define rules for all staff regarding access controls, including:
- access password management (where utilised) to the main site;
- power and air conditioning;
- media;
- secure waste disposal;
- off-site back up and other issues; and
- visitor access and processes.

This section should provide a general overview of the physical security arrangements with cross references to the details provided in SEC1.

5.1.3 Breaches of Physical Security
Describe actions to be taken to report breaches of security and/or trust.

5.2 Procedural Controls
Describe the various procedures applied in relation to the following:

5.2.1 Trusted Roles
Describe what are considered to be trusted roles (Positions of Trust) in the operation of the RA. State the number of people required per task. Describe how identity and authentication are verified before access is granted. State the security level cleared for personnel in trusted roles. Define any no-lone zones and describe how access is controlled. Describe how physical access to secure areas is recorded.

5.2.2 Document Amendment Procedures
Detail procedures for amending documents.
5.2.3 Logical Access Control
Describe how logical access is managed and controlled - which position within the organisation authorises access, and which positions are permitted access.

5.2.4 Configuration Management
Describe:
- the organisational configuration management plan;
- software version control;
- hardware configuration; and
- database management.

5.2.5 Archiving and Recovery
Describe the procedures for archiving and recovery of backup data.

5.2.6 Control of Removable Media
Detail inventory control measures for removable magnetic media and legacy hardware.

5.2.7 Storage/Handling Procedures
Detail the lock up procedures for the beginning and end of shifts, and describe daily alarm checks.

5.2.8 Emergency and Standard Destruction Procedures
Describe the procedures for emergency and standard destruction of classified material.

5.2.9 Incident Management
Describe the procedures for managing incidents of a security nature.

5.3 Personnel Security Controls

5.3.1 Qualifications, Experience and Clearance Requirements
Identify which positions are designated as Positions of Trust (POT). Describe the procedures for gaining appropriate security clearances for POT positions.
Describe the responsibilities for each of the POT roles. Identify which positions are Designated Security Assessment Positions (DSAPs). Describe the procedures for gaining appropriate security clearances for DSAP positions. Describe the responsibilities for each of the DSAP roles.

5.3.2 Facility Security Officer
Describe the roles and responsibilities of the Facility Security Officer (FSO).

5.3.3 Training Requirements
Describe the training requirements for staff. Describe the retraining frequency and requirements. Describe the employment rotation frequency and sequence.

5.3.4 Documentation
Describe confidentiality provisions (i.e. non-disclosure agreements) to which employees are subject. Refer to organisation employment policy. Identify which of the Gatekeeper evaluated documents are supplied to which positions in the organisation.

5.3.5 Separation
Describe the procedures for separation of personnel from the organisation.

5.4 Audit Logging Procedures
Describe the event logging and audit procedures implemented for the purpose of maintaining a secure environment. Elements should include:
- types of events recorded;
- frequency with which audit logs are processed or audited;
- period for which audit logs are kept;
- protection of audit logs;
- who can view audit logs;
- protection against modification of the audit log;
- protection against deletion of the audit log;
- audit log back up procedures;
- whether the audit log accumulation system is internal or external to the entity;
- whether the subject who caused an audit event to occur is notified of the audit action; and
- vulnerability assessments.

Reference to SEC1 should be made to address event logging and audit systems that are to be implemented for the purpose of maintaining a secure environment.

5.5 Records Archival
Describe the general records archival (or records retention) policies and procedures, including reference to the following:
- types of events recorded;
- retention period for archive;
- protection of archives - physical and electronic;
- who can view the archive;
- protection against modification of archive;
- protection against deletion of archive;
- archive backup procedures;
- requirements for time-stamping of records;
- whether the archive collection system is internal or external; and
- procedures to obtain and verify archive information.

Reference to SEC1 should be made to address record archival issues that are to be implemented for the purpose of maintaining a secure environment.
5.6 Compromise and Disaster Recovery
Reference to the Disaster Recovery and Business Continuity Plan is required. Describe the overall management responsibilities, including personnel tasked with the responsibility for implementing various stages of the plan. Include details of the notification process and recovery procedure references. Failure response times should be provided, with brief details of corrective action to be taken and other protective actions.

Detail the frequency with which disaster recovery exercises will be conducted. This may also include exercises in recovery from backups and/or desktop exercises. Describe immediate actions to be taken in the event of a disaster. State who is permitted to authorise a desktop disaster recovery exercise.

5.7 RA Termination
Describe the procedures relating to termination and to termination notification, including the identity of the custodian of RA archival records.

6. COMPLIANCE AUDITS AND OTHER ASSESSMENTS

This section should describe:
- the frequency of audits for each entity - noting that Gatekeeper requires an annual Compliance Audit of Accredited Service Providers;
- the identity/qualifications of the auditor - ensure no conflicts of interest;
- a list of topics to be addressed/covered under the audit;
- actions to be taken as a result of a deficiency found during compliance audit;
- audit results: with whom they are shared (e.g., subject CA, RA, and/or end entities);
- who communicates these results (e.g., entity being audited or auditor); and
- how the results are communicated.
7. OTHER BUSINESS AND LEGAL MATTERS

7.1 Confidentiality of Information
Indicate adherence to the Privacy Act 1988 (Cth) and describe the process and procedures relating to:
- types of information that must be kept confidential by the RA;
- how this information will be protected;
- types of information that are not considered confidential;
- policy on release of information to law enforcement officials;
- information that can be revealed as part of civil discovery;
- conditions upon which the RA may disclose information at the request of a Certificate holder; and
- any other circumstance under which confidential information may be disclosed.