[1] The Digi-CA™ [2], subject to configuration, complies with more than 70 international standards [3] for Certificate Authority [4] software, services and design.
[1] The Digi-CA™ [2], subject to configuration by the Digi-CAST™ [5] Team, can comply with the following international standards for Certificate Authority [CA] software, services and design (see the Complete List of Standards & Compliance [3]).
See the Complete List of Standards & Compliance [3]
Combining the main legislation requirements, the Digi-CA™ [2] also meets the following standards:
[1] Third-Party Certifications, Standards & Compliance
[1] 45 CFR Part 162
Under the EU Electronic Signatures Directive for Qualified Electronic Signatures and National Certification Service Providers issuing Qualified Certificates [6] to the public, Digi-Sign is listed under Ireland [6].
[1] By virtue of the fact that the Digi-CA™ and Digi-CAST™ [9] Team ensure that the
standards are complied with, Digi-CA™ [2] complies with
of this Community framework journal.
[1] 7.5 CWA 14167-1
7.6 CWA 14172-3
7.7 CWA 14890
7.8 CWA 14169 / ISO 15408
7.9 CWA 14171
[1] In compliance with CWA 14167-1, Section 5.1.2 SO1.1, the Digi-CA™ and Digi-CA™ Xg Trust Centre documentation provides documented instructions for the installation, administration and usage of the Digi-CA™ systems.
In compliance [10] with CWA 14167-1, Section 5.1.2 SO2, Digi-CA™ [2] can be configured to ensure business continuity so that services are quickly and securely restored in case of failure of the Digi-CA™ system.
In compliance with CWA 14167-1, Section 5.1.2 SO2.1, the Digi-CA™ provides for availability of the system services operation at 99.9% availability on a monthly basis and also ensures the following:
In compliance with CWA 14167-1, Section 5.1.2 SO2.2 and SO2.3, the Digi-CA™ enables the continued operation of the Digi-CA™ because the entire system is replicated to a second set of Digi-CA™ servers and if required the entire Digi-CA™ can be migrated to a totally new Digi-CA™ environment at an acceptable level of risk because the information stored in the previously live system was publicly available information only.
In compliance with CWA 14167-1, Section 5.1.2 SO3, the Digi-CAST2™ Team will document the accuracy of the Time Stamping Device [12] once it is installed and tested and two sources of atomic clock are used to perform this task.
In compliance with CWA 14167-1, Section 5.1.3.1, the Digi-CA™, using two factor authentication [13] where applicable and defined administration roles, only authorized persons have any access to the system.
In compliance with CWA 14167-1, Section 5.1.3.2 IA1.1-3 & IA2, the Digi-CA™ requires each user to be identified and to be successfully authenticated before they are allowed any action on behalf of that user or role assumed by the user. There must be re-authentication after log-out and the authentication data, where used, is unique and cannot be reused.
In compliance with CWA 14167-1, Section 5.1.3.2 IA2.1-2, if the number of unsuccessful authentication attempts equals or surpasses the maximum number of allowed attempts, the Digi-CA™ system prevents further authentication attempts and if the number of unsuccessful authentication attempts equals or surpasses the maximum number of allowed attempts, and the role is that of an administrator, then a notification event is logged by the system and the access is denied until two alternative authorized personnel conduct and audit of the event and reinstate the Administrator who’s access has been denied.
In compliance with CWA 14167-1, Section 5.1.3.2 IA3.1, the probability of guessing any secret defined for any component of the Digi-CA™ is negligible.
In compliance with CWA 14167-1, Section 5.1.4.1, the system access control functions control the use of objects of the Digi-CA™ to authorized persons only. This applies to all sensitive objects of the Digi-CA™. System access control is provided by the underlying operating software and access rights to specific Digi-CA™ objects are determined by the owner of the object based on the identity of the subject attempting the access and the access rights to the object granted to the subject or the privileges held by the subject.
In compliance with CWA 14167-1, Section 5.1.4.2 SA1, the Digi-CA™ provides the capability of controlling and limiting access by identified individuals to the system/user objects they own or are responsible for and ensures they provide access protection to sensitive residual information by using secure, cryptographic based authentication methods along with defined administration roles.
In compliance with CWA 14167-1, Section 5.1.5.1, Digi-CA™ uses cryptographic keys to provide integrity, confidentiality and authentication functions within its own subsystems and in between subsystems and throughout the key life cycle management of private and/or secret keys is carried out securely.
The Digi-CA™ keys are separated into the following categories:
2. Infrastructure Keys – these are keys used by the Digi-CA™ for processes such as key agreement, subsystem authentication, audit log signing, encrypting transmitted or stored data, etc. Short term session keys are not categorized as Infrastructure keys
3. Digi-CA™ Control Keys – these are keys used by personnel managing or using the Digi-CA™ and may provide authentication, signing or confidentiality services for those personnel interacting with the system.
In terms of security requirements, ALL Signing Keys are long-term keys whose impact from exposure is high. Consequently, countermeasures for managing this risk are also high, both in number and in effect. Infrastructure keys are also considered high risk but due to their distributed functionality and shorter lifespan they are a lower risk in comparison to signing keys. The lowest risk keys, used by the Digi-CA™, are considered to be those used by personnel for controlling the Digi-CA™, as these are used by trusted individuals and have an even shorter lifespan. Session keys, used for single/short transactions are treated as sensitive information but with lower security requirements to the above stated categories.
Infrastructure and Control keys may be either asymmetric or symmetric keys.
Key Generation refers to the creation of keys.
Key Distribution
All Key Distribution is the function of distributing the Digi-CA’s™ Public Key, Infrastructure or Control keys.
Key Usage
This is the controlling of usage of generated keys within cryptographic algorithms to provide cryptographic services.
Key Change
Key change may be:
Key Destruction
When a key is compromised or when it reaches the end of its operational life it may be destroyed to prevent any further use of the key.
Key Storage, Backup & Recovery
After Key Generation, the keys may be stored in secure environments and may be copied and backed up to meet operational requirements. These backed up keys may need to be recovered when for example the existing key is inadvertently destroyed.
[1] At the end of a key’s operational life it may be archived to allow use of the key at some later (undefined) time. This is specifically in reference to Public Keys used to verify digital signature [14] but does not preclude archiving of other types of keys where justified.
In compliance [10] with CWA 14167-1, Section 5.1.5.2 KM1.1-7, Digi-CA™ [2] is configured to work with Eracom and nCipher HSMs and these HSMs comply with this standard whilst the Digi-CA™ ensure Infrastructure and Control Keys are generated and maintained in the HSM. All key generation meets the cryptographic requirements specified in [ALGO].
In compliance with CWA 14167-1, Section 5.1.5.2 KM2.1-2.4, the Digi-CA™ private and secret keys are not distributed in plain text and Public Keys that have not been certified are kept secure to prevent interception or manipulation and the Digi-CA™ distributes the cryptographic keys in accordance with either the package or process cryptographic key distribution method.
The Public Key associated with all the Signing Keys and/or Infrastructure Keys (e.g. Revocation Status Service, Time-Stamping Service) can be made available to Subjects and Relying Parties. The integrity and authenticity of this Public Key and any associated parameters is maintained during initial and subsequent distribution.
In compliance with CWA 14167-1, Section 5.1.5.2 KM2.5, the Digi-CA™ the SSRoot is verifiable using data provided within the Digi-ID™ [15] and the Digi-ID™ subject and issuer fields are identical.
In compliance with CWA 14167-1, Section 5.1.5.2 KM2.6, the Digi-CA™ is capable of producing a fingerprint of a self-signed certificate using the hashing algorithms defined in [ALGO].
In compliance with CWA 14167-1, Section 5.1.5.2 KM3.1-3, access controls to the Digi-CA™ are in place for all secure cryptographic modules used for all signing, infrastructure and control keys. The Digi-CA™ provides support for dual-person control when using control keys and this provides administration functionality of the Digi-CA™. Separate infrastructure keys are generated for separate functions and infrastructure keys associated with the Registration Service, Digi-CA™ and the Revocation Management Service are not shared.
In compliance with CWA 14167-1, Section 5.1.5.2 KM3.4-5, the Subject Device Provision Service, ensures that the subject keys for creating the Digi-IDs™ are separate from those used for other functions and that the key usage extension is present in the signature certificate being issued. If the key usage non Repudiation bit is asserted then it is not combined with any other key usage and authorised key usage only occurs within the operational life of the key.
In compliance with CWA 14167-1, Section 5.1.5.2 KM3.6, before the Digi-CA™ relies on Digi-IDs™ for asymmetric infrastructure or controls keys they ensure that the Digi-IDs™ related to these keys are still valid and this is done by checking the CRL.
In compliance with CWA 14167-1, Section 5.1.5.2 KM4.1-2, the Digi-CA™ enables the infrastructure and control keys to be changed on a regular basis and if any of the algorithms used in the Digi-CA™ are considered to have become unsuitable (as specified in [ALGO]), keys based on those algorithms are changed immediately. Key changeover is carried out securely and requires an out-of-band change.
In compliance with CWA 14167-1, Section 5.1.5.2 KM5.1-2, when all the Signing Keys reach the end of their life they are destroyed such that the signing keys cannot be retrieved and when the systems have been used to generate, use or store secret/Private Keys and are to be withdrawn from service or transferred their associated keys they too are destroyed.
In compliance with CWA 14167-1, Section 5.1.5.2 KM5.3-4, the Digi-CA™ provides the capability to zeroise plaintext secret and Private Keys stored in both the hardware and the software and the software key destruction is carried out using secure wiping processes that positively overwrite the keys.
In compliance with CWA 14167-1, Section 5.1.5.2 KM6.1-3, the Digi-CA™ facilitates the secure storage of all Private Keys and in conjunction with the HSM all the Signing Key are stored in, as is the private/secret infrastructure and control.
In compliance with CWA 14167-1, Section 5.1.5.2 KM6.4, if any private/secret key in a secure cryptographic module or HCD is exported from that module, it is protected by the module, to ensure its confidentiality, before being stored outside that module and any other sensitive key material is never be stored in an unprotected state.
All Signing Keys of the Digi-CA™ may be stored and backed up only when additional security mechanisms are in place. For instance, this may be accomplished using m of n techniques, where m component parts out of a total of n component parts are required for successful key initialization. For recovery from failure purposes, it is recommended that m= 2. If n = 4, then m = 3, if n = 5, then m = 3, etc.
In compliance with CWA 14167-1, Section 5.1.5.2 KM6.5-7, the Digi-CA™ ensures that backup, storage and restoration of private/secret NQC/QC Signing, Infrastructure and Control Keys is only performed by authorized personnel (e.g. Security Officer role) and ensures that backup, storage and restoration of private NQC/QC Signing Keys is only performed at least under dual-person control and does not contain functions that allow for backup or escrow of Subject signature keys (Private Keys).
In compliance with CWA 14167-1, Section 5.1.5.2 KM7.1, the Digi-CA™ does not contain functions that allow for backup or escrow of Subject signature keys (Private Keys).
In compliance with CWA 14167-1, Section 5.1.5.2 AA1.1, the Digi-CA™ logs the following:
In compliance with CWA 14167-1, Section 5.1.5.2 AA2.1-2, the Digi-CA™ system maintains audit data and guarantee sufficient space is reserved for that data and the audit log cannot be automatically overwritten.
In compliance with CWA 14167-1, Section 5.1.5.2 AA3.1, the Digi-CA™ system service specific audit logging for all audit records that contain the following parameters:
In compliance with CWA 14167-1, Section 5.1.6 AA4.1-2, the Digi-CA™ provides the capability to search for events in the audit log based on the date and time of event, type of event and/or identity of the user and the audit records are presented in a manner suitable for the user to interpret the information.
In compliance with CWA 14167-1, Section 5.1.6 AA4.1-2, the Digi-CA™ prohibits all user read access to the audit records, except those users that have been granted explicit read access (e.g. those with System Auditor role) and modifications of the audit records is prevented.
In compliance with CWA 14167-1, Section 5.1.6 AA6.1, the Digi-CA™ generates an email alarm to the Security Officer upon detection of a potential or actual security violation.
In compliance with CWA 14167-1, Section 5.1.6 AA7.1, the Digi-CA™ ensures the integrity of the audit data for non qualified Digi-IDs™ and for qualified Digi-IDs™ ensures the integrity of the audit data by providing a digital signature, keyed hash or an authentication code with each entry in the audit log, computed over the entire audit log or over the current entry and the cryptographic result of the previous one and also provides a function to verify the integrity of the audit data.
In compliance with CWA 14167-1, Section 5.1.6 AA8.1, the Digi-CA™ the use of a trusted time source that is used to mark the time of audited events.
In compliance with CWA 14167-1, Section 5.1.7 AR1.1-4, the Digi-CA™ is capable of generating an archiving on media appropriate for storage and subsequent processing in providing necessary legal evidence in support of electronic signatures. Each entry includes the time at which the event occurred and does not include critical security parameters in an unprotected form. The following items are archived:
In compliance with CWA 14167-1, Section 5.1.7 AR2.1, the Digi-CA™ provides the capability to search for events in the archive based on the type of events.
In compliance with CWA 14167-1, Section 5.1.7 AR3.1, the Digi-CA™ ensures each entry in the archive is protected from modification.
In compliance with CWA 14167-1, Section 5.1.8 BK1.1-3, the Digi-CA™ includes a backup function so that the data stored in the backup is sufficient to recreate the state of the system and a user linked to a role with sufficient privileges is capable of invoking the backup function on demand.
In compliance with CWA 14167-1, Section 5.1.8 BK2.1-2, the Digi-CA™ backups are protected against modification and are protected against modification through use of digital signatures, keyed hashes or authentication codes. Critical security parameters and other confidential information is stored in encrypted form only and the encryption meets the cryptographic requirements specified in [ALGO].
In compliance with CWA 14167-1, Section 5.1.8 BK3.1-2, the Digi-CA™ include a recovery function that is able to restore the state of the system from a backup and a user linked to a role with sufficient privileges is capable of invoking the recovery function on demand.
In compliance with CWA 14167-1, Section 5.2.1 GE1, the Digi-CA™ ensures that all messages created by any core service is protected (e.g. by using message authentication codes, digital signatures, etc.) by using the service’s Infrastructure Keys, contains a message time, to indicate the time at which the sender created the message and includes replay attack protection (e.g. by using nonces).
In compliance with CWA 14167-1, Section 5.2.2.1, the Digi-CA™ ensures that the Digi-ID™ application is carried out by the Registration Service after identification of the Subject has been carried out meeting the requirements specified in the associated Certificate Policy in accordance with ETSI 101 456 and that the Registration Service by its nature manages end entity subject data that may be affected by many different data protection requirements.
In compliance with CWA 14167-1, Section 5.2.2.2 R1, the Digi-CA™ ensure that if the Digi-ID™ application contains any subject sensitive information, the Digi-ID™ request is protected before being forwarded from the Registration Service to the Digi-CA™ thus ensuring message confidentiality but this functionality is only provided if required by the customer or the local legislation in the territory where the Digi-CA™ Xg Trust Centre resides.
In compliance with CWA 14167-1, Section 5.2.2.2 R1.2, the Digi-CAST3™ Team will ensure that the service implements a suitable mechanism to obtain proof-of-possession (POP) to ensure the entity requesting Certification is the actual holder of the Private Key related to the Public Key requiring Certification (an example of this would be to include a signature block with each Digi-ID™ application, which is created by the Private Key associated with the Public Key requiring Certification. Suitable algorithms for creating the signature are detailed in [ALGO]).
In compliance with CWA 14167-1, Section 5.2.2.2 R1.3-4, the Digi-CAST3™ Team will ensure that the Registration Service is be configured to allow collection of enough data from the subject to satisfy the requirements for QCs as specified in Annex I of [Dir.1999/93/EC]. And the Digi-CA™ provides a mechanism to allow approval of Digi-ID™ applications using the RA Control Centre, by a Registration Officer, before leaving the Registration Service.
In compliance with CWA 14167-1, Section 5.2.2.2 R1.3-4, the Digi-CAST3™ Team will ensure that the Registration Service notes the time of the application and the information publication control to allow subjects to control the Digi-CA’s™ publication of the QC via the Dissemination Service.
In compliance with CWA 14167-1, Section 5.2.2.2 R1.6, the Digi-ID™ requests from the Registration Service are digitally signed for authentication and data integrity using its Infrastructure or Control Keys.
In compliance with CWA 14167-1, Section 5.2.2.2 R2.1, the Digi-CA™ implements mechanisms and security controls to protect the privacy and confidentiality of Subject information.
In compliance with CWA 14167-1, Section 5.2.2.2 R3.1, the Digi-CA™ logs all events relating to registration including Digi-ID™ re-key/renewal requests and approved requests for Certification.
In compliance with CWA 14167-1, Section 5.2.3.1, when using the Package Method, the Digi-CA™ generates the Digi-ID™ using the Public Key supplied. This ensures the CSP has ‘locked’ the binding of the Subject’s Public Key to its identity.
During the period prior to the expiration of the Digi-ID™, such period being defined by the Certificate Policy, the Digi-CA™ renewal of the new Digi-ID™ is produced using the existing Public Key or a re-key using the registration information used to generate the previous Digi-ID™. Digi-ID™ renewal covers Infrastructure, Control and Subject Digi-IDs™.
[1] In compliance with CWA 14167-1, Section 5.2.3.2 CG1.1-3, the Digi-CA™ ensures the integrity, data origin authenticity, and where necessary, the privacy and confidentiality of the Digi-ID™ [15] request message and the Digi-ID™ request is processed securely and checked for conformance with the applicable Certificate Policy. Before the Digi-ID™ generation, the Digi-CA™ [2] ensures Proof of Possession is validated.
In compliance [10] with CWA 14167-1, Section 5.2.3.2 CG1.4-6, the key used to sign a QC is only used for signing QCs and, optionally, the related Revocation Status Data and this service only generate Digi-IDs™ that are consistent with the allowed profiles as determined by the Security Officer. All Digi-IDs™ have the following properties:
In compliance with CWA 14167-1, Section 5.2.3.2 CG2.1-2, for re-certification [10], the Digi-CA™ ensures process security against Digi-ID™ substitution attacks and the re-certification of Control and Infrastructure Digi-IDs™ with 5.1.5.2 KM.4 - Key Change.
In compliance with CWA 14167-1, Section 5.2.3.2 CG2.3, the Digi-CA™ ensures that all the Signing Keys are updated prior to their expiry. The related (renewed) Public Keys provide at least the same level of trust as when they were initially distributed. This is accomplished by providing at least the following intermediary certificates to prove possession of the new Private Key as follows:
2. Providing a Digi-ID™ of the new Public Key signed with the old Private Key
3. Providing the new self signed Digi-ID™ (signed with the new Private Key)
In compliance with CWA 14167-1, Section 5.2.3.2 CG2.4, the Digi-CA™ re-certifying and/or re-keying of Subject keys, is as secure as the initial certificate generation and the Subject Certificates are renewed prior to their expiry. The Digi-CA™ automatically rejects a renewal request signed with an expired or revoked key.
In compliance with CWA 14167-1, Section 5.2.3.2 CG4.1, the Digi-CA™ logs the following events:
In compliance with CWA 14167-1, Section 5.2.4.1 D1.1-2, the Digi-ID™ dissemination by the Digi-CA™ is limited to the Subject, and to Relying Parties according to the limits expressed by the Subject and the dissemination process manages the Digi-IDs™ accordingly.
In compliance with CWA 14167-1, Section 5.2.4.1 D2.1, if a repository is set up, an access control policy is defined to securely manage the access to stored data and read access privileges are granted to Subjects and to authorised entities according to the rules defined by the Subject and the Security Policy whilst write access privileges are limited to authorised roles, according to the definition of roles proposed in 5.1.1.
In compliance with CWA 14167-1, Section 5.2.5.2 RM1.1-6 and RM 2.1, requests and reports relating to revocation and/or suspension are processed by the Digi-CA™ in a timely manner and the maximum delay between receipt of a revocation and/or suspension request and the change to Digi-ID™ status information does not exceed 24 hours.
All requests for suspension, reinstating and revocation is authenticated and validated and once a Digi-ID™ is definitely revoked the Digi-CA™ ensures that it cannot be reinstated. Revocation of certificates related to all Signing Keys is only possible under at least dual control and status changes can be instigated by authenticated:
The Certificate Status database is updated immediately after request/report processing is complete. The Digi-CA™ is able to revoke any Digi-ID™ it has issued, even after a disaster.
In compliance with CWA 14167-1, Section 5.2.5.2 RM2.2, where Periodical Messaging is used, the Digi-CA™ supports the following requirements:
And all events related to certificate status change requests, whether approved or disapproved, are logged.
In compliance with CWA 14167-1, Section 5.2.6.2 RS1.1-3, Real-time or Periodic Messages provided to this service are only from trusted Revocation Management Services and if the Digi-CA™ is providing an ‘online’ revocation status service, it validates the integrity and authenticity of Real-time or Periodic messages sent to it and it ensures that replies to responses from the Certificate Status database are for the requested certificates.
In compliance with CWA 14167-1, Section 5.2.6.2 RS2.1-4 and 3.1, all certificate status responses from the ‘online’ Revocation Status Service are digitally signed by the Revocation Status Service using its infrastructure keys and signature algorithms/keys used for status response are compliant with [ALGO]. The response message contains the time at which the Revocation Status Service/Issuer signed the response. All ‘online’ Revocation Status Service certificate status requests and responses are logged.
In compliance with CWA 14167-1, Section 5.3.1.2 TS1.1-2, the Digi-CA™ controls the origin of each request before checking its correctness and verifies that the request for time stamping uses a hash algorithm that is specified as approved by [ALGO].
In compliance with CWA 14167-1, Section 5.3.1.2 TS2.1-2, the Digi-CA’s™ trusted time source(s) are synchronised to Co-ordinated Universal Time (UTC) within the tolerance dictated by Certificate Policy e.g. to within 1 second and this is the same source as specified in requirement SO3 and the Digi-CA™ clock is synchronised with the UTC using a mechanism that is demonstrated to be reliable.
In compliance with CWA 14167-1, Section 5.3.1.2 TS3.1-3, the Serial Number used within the time stamping token is unique for each token issued by Digi-Sign and this property is preserved even after a possible interruption of the service. As well as Time Parameter inclusion, the time stamping token includes the accuracy of the time source used if this is exceeds that required by the time stamping policy. An indication of the policy under which the time stamping token was created is included.
In compliance with CWA 14167-1, Section 5.3.1.2 TS4.1-6, the Time Stamping Authority [TSA] Signing Keys are generated and stored in a secure cryptographic module and the cryptographic module of fulfils the requirements of KM 1.2. The TSA Control Keys are stored in a hardware cryptographic device (HCD) and the TSA Signing Key is only used for signing time stamping tokens produced by the TSA. The TSA ensures that the time stamping token’s response contains the same datum that was sent with the request and that the signature algorithms/keys used by the TSA meets the cryptographic requirements specified in [ALGO].
In compliance with CWA 14167-1, Section 5.3.2.2 TS5 and 6, the following Time-Stamping [17] Service specific events are logged:
And all Time-Stamp Tokens are archived in accordance with [AR 1.1].
In compliance with CWA 14167-1, Section 5.3.1.2 SP1-4, the Eracom and nCipher HSMs meet this criteria as certified in their FIPS accreditation and as the key pairs are generated within these certified HSMs this satisfies the requirement.
[1] On the basis that the Trust Centre achieves certification to BS 7799 or ISO 17799, the Digi-CA™ Administrators and Operators will have passed the required training and certification for the correct conduct and security practices required to work in the Digi-CA™ Xg Trust Centre.
[1] Digi-CA™ [2] uses vendor specific Cryptographic API to import keys and certificates into the Digi-Card™. The Digi-CA™ does not participate in the certificate usage process, which means that it does not provide applications that will use the card interface and installed keys and certificates to sign any data. On the assumption that only CWA 14890 compliant Digi-Cards™ are used in conjunction with the Digi-CA™, by association, Digi-CA™ complies with this standard.
[18] In compliance with CWA 15579 Digi-Bill™ uses both Qualified and non-Qualified Digital Signatures, as required by your national law. It also complies with 2001/115/EC [6], CWA 15580 [19] and CWA 15588 [20].
According to the Council Directive 2001/115/EC [2] “invoices sent by electronic means shall be accepted by Member States provided that the authenticity of the origin and integrity of the contents are guaranteed”. This could be guaranteed “by means of an advanced electronic signature within the meaning of Article 2 (2) of Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures; Member States may however ask for the advanced electronic signature to be based on a qualified certificate and created by a secure signature creation device, within the meaning of Article 2(6) and (10) of the aforementioned Directive”.
It further states that: “Authenticity of the origin and integrity of the content has to be guaranteed when using electronic data interchange (EDI) as defined in Commission Recommendation 1994/820/EC of 19 October 1994 relating to the legal aspects “when the agreement relating to the exchange provides for the use of procedures guaranteeing the authenticity of the origin and integrity of the data”. However, as per the Directive [2]: “Member States may, subject to conditions which they lay down, require that an additional summary document on paper is necessary” to be exchanged, summarising a set of invoices. Where the applicable law allows for it this summary document could also be exchanged electronically. It is to be remarked that usage of EDI is subject to meeting the previously italicised wording. To exchange this summary document electronically also electronic signatures can be used to guarantee authenticity of the origin and integrity”.
In compliance with CWA 15579, the Digi-Bill™ uses the required advanced electronic signature and timestamp and also ensures that:
[1] Digi-CA™ is configured to work many HSMs (nCipher, SafeNet, etc) and as this standard relates to the use of the Secure Signature Creation Device [SSCD] found in HSMs, the fact that these devices meet the standards [10] means that by association, Digi-CA™ complies with this standard.
[1] The Digi-CA™ complies with this standard by virtue of the fact that its Digi-IDs™ can be opened, examined and read by persons or handicapped persons using the functions within a standard Windows® PC and all of the required information in this standard is made available for this person to verify the Digi-ID™ [15].
With regard to the security requirements for the Digi-ID™ verification systems on the understanding that the Digi-CAST2™ Team conduct the installation, the integrity and authenticity of hardware and software are supervised at all stages and the security-relevant data and processes in secure areas is protected against unauthorised modification. If any unauthorised modification of the secure area hardware components occurs, the Digi-CAST2™ Team are trained to recognise them.
The components of the signature verification system use a combination of trusted devices and other hardware and software that are both physically secured and tested after installation using the checks and Procedures of the Digi-CAST2™ Team.
[18] In compliance with CWA 15579 Digi-Bill™ uses both Qualified and non-Qualified Digital Signatures, as required by your national law. It also complies with 2001/115/EC [6], CWA 15580 [19],CWA 15581 [21] and CWA 15582 [22].
According to the EU Council Directive 2001/115/EC [2] “invoices sent by electronic means shall be accepted by Member States provided that the authenticity of the origin and integrity of the contents are guaranteed”. This could be guaranteed “by means of an advanced electronic signature within the meaning of Article 2 (2) of Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures; Member States may however ask for the advanced electronic signature to be based on a qualified certificate and created by a secure signature creation device, within the meaning of Article 2(6) and (10) of the aforementioned Directive”.
It further states that: “Authenticity of the origin and integrity of the content has to be guaranteed when using electronic data interchange (EDI) as defined in Commission Recommendation 1994/820/EC [6] of 19 October 1994 relating to the legal aspects “when the agreement relating to the exchange provides for the use of procedures guaranteeing the authenticity of the origin and integrity of the data”. However, as per the Directive [2]: “Member States may, subject to conditions which they lay down, require that an additional summary document on paper is necessary” to be exchanged, summarising a set of invoices. Where the applicable law allows for it this summary document could also be exchanged electronically. It is to be remarked that usage of EDI is subject to meeting the previously italicised wording. To exchange this summary document electronically also electronic signatures can be used to guarantee authenticity of the origin and integrity”.
In compliance with CWA 15579, the Digi-Bill™ uses the required advanced electronic signature and timestamp and also ensures that:
[18] In compliance with CWA 15580 Digi-Bill™ complies with 2001/115/EC [6], CWA 15579 [25], CWA 15581 [21] and CWA 15582 [22].
According to the EU Council Directive 2001/115/EC [2] “regarding the storage of Invoices, every taxable person shall ensure that copies of invoices issued by himself, by his customer or, in his name and on his behalf, by a third party, and all the invoices which he has received, are stored”. This could be guaranteed “The authenticity of the origin and integrity of the content of the invoices, as well as their readability, must be guaranteed throughout the storage period. With regard to invoices that are not sent under either an advanced electronic signature, or by EDI (i.e. the “third option” – “by other electronic means”), the information they contain may not be altered and must remain legible throughout the aforementioned period”.
In compliance with CWA 15580, the Digi-Bill™ uses the required advanced electronic signature and timestamp and also ensures that:
[18] In compliance with CWA 15582 Digi-Bill™ complies with 2001/115/EC [6], CWA 15579 [25], CWA 15580 [19] and CWA 15582 [22].
In compliance with CWA 15581, the Digi-Bill™ uses the required advanced electronic signature and timestamp and also ensures that:
[18] In compliance with CWA 15582 Digi-Bill™ complies with 2001/115/EC [6], CWA 15579 [25], CWA 15580 [19] and CWA 15581 [21].
In compliance with CWA 15582, the Digi-Bill™ uses the required advanced electronic signature and timestamp and also ensures that:
1.ETSI 101 456
2.ETSI 002 176
3.ETSI 102 023
4.ETSI 101 861
[1] In response to ETSI 101 456 sub section 7.1 Note 1 and Note 2, the Digi-CAST3™ Team in conjunction with the certified BS 7799 Trust Centre Team will ensure that all documentation, subscriber agreements, Certificate Policy and Certificate Practice Statement [26] are up to date and publicly available.
In response to ETSI 101 456 sub section 7.2.1 and 7.2.2 the key generation is undertaken in a physically secured environment by personnel in trusted roles under dual control. The number of personnel authorized to carry out this function is kept to a minimum and is consistent with the Trust Centre practices.
Both the private signing key is held and the key generation is carried out within the secure cryptographic Eracom Host Orange Hardware Security Module [HSM] device that is certified to FIPS PUB 140-2 level 3 and meets the requirements identified in CEN Workshop Agreement 14167-2 [8] and the keys are not accessible outside the HSM.
The key generation is performed using the RSA algorithm that is a minimum of 1024 bits and is recognized as being fit for the purposes of qualified certificates.
The Digi-CA™ [2] private signing is backed up, stored and recovered only by personnel in trusted roles using dual control in a physically secured environment. The number of personnel authorized to carry out this function are kept to a minimum and be consistent with the Digi-CA’s™ practices and backup copies of the Digi-CA™ private signing keys are subject to a greater level of security controls than the keys currently in use.
In response to ETSI 101 456 sub section 7.2.3 the Digi-CA™ signature verification (public) keys are made available to relying parties by combining the public LDAP directory, Certificate Revokation List and OCSP [16] Service.
In response to ETSI 101 456 sub section 7.2.4 the Digi-CA™ and subject private signing keys are not held in a way which provides a backup decryption capability, allowing authorized entities under certain conditions to decrypt data using information supplied by one or more parties (commonly called key escrow).
In response to ETSI 101 456 sub section 7.2.5 the Digi-CA™ signing key(s) used for generating certificates and/or issuing revocation status information, is not be used for any other purpose and the certificate signing keys are only be used within the physically secure Trust Centre.
In response to ETSI 101 456 sub section 7.2.6 the Digi-CA™ private signing keys are not used beyond the end of their life cycle and all copies of the Digi-CA™ private signing keys are destroyed such that the Private Keys cannot be retrieved; or are retained in a manner such that they are protected against being put back into use.
In response to ETSI 101 456 sub section 7.2.7 the certificate signing cryptographic hardware was not tampered with during shipment and neither was the certificate and revocation status information signing cryptographic hardware. The installation, activation, back-up and recovery of the Digi-CA’s™ signing keys in cryptographic hardware requires simultaneous control of at least of two trusted employees and certificate and revocation status information signing cryptographic hardware is functioning correctly. The Digi-CA™ private signing keys stored on Digi-CA™ cryptographic hardware will be destroyed upon device retirement.
In response to ETSI 101 456 sub section 7.2.9 the secure signature creation device preparation is securely controlled by the service provider and then stored and distributed. Secure signature creation device deactivation and reactivation is securely controlled, where it has associated user activation data. The activation data is securely prepared and distributed separately from the secure signature creation device.
In response to ETSI 101 456 sub section 7.3.1 the Digi-CA™ ensures that subjects are properly identified and authenticated; and that subject certificate requests are complete, accurate and duly authorized. Before entering into a contractual relationship with a subscriber, the Digi-CA™ informs the subscriber of the terms and conditions regarding the use of the certificate. The Digi-CA™ communicates this information through a durable (i.e. with integrity over time) means of communication, which may be transmitted electronically, and in readily understandable language. The service provider verifies by appropriate means in accordance with national law, the identity and, if applicable, any specific attributes of the person to which a qualified certificate is issued. Evidence of the identity is checked against a physical person either directly or indirectly using means which provides equivalent assurance to physical presence and the submitted evidence may be in the form of either paper or electronic documentation. Where the subject is a person, the evidence provided is of full name, date and place of birth, a nationally recognized number, or other attributes that is used to, as far as possible, distinguish the person from others with the same name.
Where the subject is a person who is identified in association with a legal person, or other organizational entity, the evidence provided is of full name, date and place of birth, a nationally recognized identity number, or other attributes of the subject which is used to, as far as possible, distinguish the person from others with the same name; full name and legal status of the associated legal person or other organizational entity, any relevant existing registration information (e.g. company registration) of the associated legal person or other organizational entity and an evidence that the subject is associated with the legal person or other organizational entity. The subscriber provides a physical address, or other attributes, which describe how the subscriber may be contacted. The Digi-CA™ records all the information used to verify the subjects' identity, including any reference number on the documentation used for verification, and any limitations on its validity.
The Digi-CA™ also records the signed agreement with the subscriber including agreement to the subscriber's obligations, agreement to use a SSCD if required, consent to the keeping of a record by the Digi-CA™ of information used in registration, subject device provision, any subsequent revocation, and passing of this information to third parties under the same conditions as required by this policy in the case of the Digi-CA™ terminating its services, whether and under what conditions, the subscriber requires and the subject's consents to the publication of the certificate and confirmation that the information held in the certificate is correct.
The records identified above are retained for at the period of time as indicated to the subscriber and as necessary for the purposes for providing evidence of certification [10] in legal proceedings. If the Digi-CA™ does not generate the subject’s key pair, the certificate request process ensures that the subject has possession of the Private Key associated with the Public Key presented for certification and the CA ensures that the requirements of the national data protection legislation are adhered to (including the use of pseudonyms if applicable) within their registration process.
In response to ETSI 101 456 sub section 7.3.2 the Digi-CA™ checks that the information used to verify the identity and attributes of the subject is still valid and if any of the Digi-CA™ terms and conditions have changed, these shall be communicated to the subscriber and agreed. If any information has changed, this is verified, recorded, agreed to by the subscriber, the Digi-CA™ issues a new certificate using the subject's previously certified Public Key, only if its cryptographic security is still sufficient for the new certificate's intended lifetime and no indications exist that the subject's Private Key is compromised.
In response to ETSI 101 456 sub section 7.3.3 the Digi-CA™ ensures that it issues certificates securely to maintain their authenticity and the procedure of issuing the certificate is securely linked to the associated registration, certificate renewal or rekey, including the provision of any subject generated Public Key. If the Digi-CA™ generated the subject’s key, the procedure of issuing the certificate is securely linked to the generation of the key pair by the Digi-CA™ and the Private Key is securely passed to the registered subscriber or subject. The Digi-CA™ ensures over time the uniqueness of the distinguished name assigned to the subject within the domain of the Digi-CA™. (i.e. over the life time of the Digi-CA™ a distinguished name which has been used in an issued certificate shall never be re-assigned to another entity) and the confidentiality and integrity of registration data shall be protected especially when exchanged with the subscriber, subject or between distributed Digi-CA™ system components. The Digi-CA™ also verifies that registration data is exchanged with recognized registration service providers, whose identity is authenticated, in the event that external registration service providers are used.
In response to ETSI 101 456 sub section 7.3.4 the Digi-CA™ makes available to subscribers and relying parties the terms and conditions regarding the use of the certificate, the qualified certificate policy being applied, including a clear statement as to whether the policy is for certificates issued to the public and whether the policy requires uses of a SSCD, any limitations on its use, the subscriber's obligations including whether the policy requires uses of a SSCD, information on how to validate the certificate including requirements to check the revocation status of the certificate, such that the relying party is considered to "reasonably rely" on the certificate, limitations of liability including the purposes/uses for which the Digi-CA™ accepts (or excludes) liability, the period of time which registration information is retained, the period of time which Digi-CA™ event logs are retained, procedures for complaints and dispute settlement, the applicable legal system; and if the Digi-CA™ has been certified to be conformant with the identified qualified certificate policy, and if so through which scheme. The information identified is available through a durable (i.e. with integrity over time) means of communication, which is transmitted electronically, and in readily understandable language.
In response to ETSI 101 456 sub section 7.3.5 upon generation, the complete and accurate certificate is available to subscriber or subject for whom the certificate is being issued and certificates are available for retrieval in only those cases for which the subject's consent has been obtained. The Digi-CA™ makes available to relying parties the terms and conditions regarding the use of the certificate and the applicable terms and conditions are readily identifiable for a given a certificate. The information identified is available 24 hours per day, 7 days per week. Upon system failure, service or other factors, which are not under the control of the Digi-CA™, the Digi-CA™ makes best endeavours to ensure that this information service is not unavailable for longer than a maximum period of time as denoted in the certification practice statement. The information identified is publicly and internationally available.
In response to ETSI 101 456 sub section 7.3.6 the Digi-CA™ ensures that certificates are revoked in a timely manner based on authorized and validated certificate revocation requests and documents, as part of its certification practice statement the procedures for revocation of certificates including who may submit revocation reports and requests, how they may be submitted, any requirements for subsequent confirmation of revocation reports and requests, whether and for what reasons certificates may be suspended, the mechanism used for distributing revocation status information and the maximum delay between receipt of a revocation request or report and the change to revocation status information being available to all relying parties. This is at most 1 day. Requests and reports relating to revocation (e.g. due to compromise of subject's Private Key, death of the subject, unexpected termination of a subscriber's or subject's agreement or business functions, violation of contractual obligations) are processed on receipt and checked to be from an authorized source. Such reports and requests are confirmed as required under the Digi-CA’s™ practices.
A certificate's revocation status is set to suspended whilst the revocation is being confirmed. The Digi-CA™ ensures that a certificate is not kept suspended for longer than is necessary to confirm its status. The subject, and where applicable the subscriber, of a revoked or suspended certificate, is informed of the change of status of its certificate and once a certificate is definitively revoked (i.e. not suspended) it is not reinstated. Where Certificate Revocation Lists (CRLs) including any variants (e.g. Delta CRLs) are used, these are published at least daily and every CRL is stated a time for next CRL issue and a new CRL may be published before the stated time of the next CRL issue. The certification authority signs the CRL or an authority designated by the Digi-CA™. Revocation management services and Revocation status information are available 24 hours per day, 7 days per week. Upon system failure, service or other factors, which are not under the control of the Digi-CA™, the Digi-CA™ makes best endeavours to ensure that this service is not unavailable for longer than a maximum period of time as denoted in the certification practice statement. The integrity and authenticity of the status information is protected and Revocation status information is publicly and internationally available.
[1] In response to ETSI 101 456 sub section 7.4.1 the Digi-CA™ carries out a risk assessment to evaluate business risks and determine the necessary security requirements and operational procedures and retains responsibility for all aspects of the provision of certification [10] services, even if some functions are outsourced to subcontractors. Responsibilities of third parties are clearly defined by the Digi-CA™ [2] and appropriate arrangements made to ensure that third parties are bound to implement any controls required by the Digi-CA™. The Digi-CA™ retains responsibility for the disclosure of relevant practices of all parties. The Digi-CA™ management provides direction on information security through a suitable high level steering forum that is responsible for defining the Digi-CA’s™ information security policy and ensuring publication and communication of the policy to all employees who are impacted by the policy. The information security infrastructure necessary to manage the security within the Digi-CA™ is maintained at all times. The Digi-CA™ management forum approves any changes that will impact on the level of security provided. The security controls and operating procedures for Digi-CA™ facilities, systems and information assets providing the certification services are documented, implemented and maintained and Digi-CA™ ensures that the security of information is maintained when the responsibility for Digi-CA™ functions has been outsourced to another organization or entity.
In response to ETSI 101 456 sub section 7.4.2 the Digi-CA™ maintains an inventory of all information assets and assigns a classification for the protection requirements to those assets consistent with the risk analysis.
In response to ETSI 101 456 sub section 7.4.3 the Digi-CA™ employs personnel, which possess the expert knowledge, experience and qualifications necessary for the offered services and as appropriate to the job function and Security roles and responsibilities, as specified in the Digi-CA’s™ security policy, are documented in job descriptions. Trusted roles, on which the security of the Digi-CA’s™ operation is dependent, are clearly identified. Digi-CA™ personnel (both temporary and permanent) have job descriptions defined from the view point of separation of duties and least privilege, determining position sensitivity based on the duties and access levels, background screening and employee training and awareness. Where appropriate, these differentiate between general functions and Digi-CA™ specific functions. It is recommended that the job descriptions include skills and experience requirements. Personnel exercise administrative and management procedures and processes that are in line with the Digi-CA’s™ information security management procedures. Managerial personnel are employed who possess expertise in the electronic signature technology and familiarity with security procedures for personnel with security responsibilities and experience with information security and risk assessment and all Digi-CA™ personnel in trusted roles are free from conflicting interests that might prejudice the impartiality of the Digi-CA™ operations.
Trusted roles include roles such as Security Officers: Overall responsibility for administering the implementation of the security practices. Additionally approve the generation/revocation/suspension of Certificates; System Administrators: Authorized to install, configure and maintain the Digi-CA™ trustworthy systems for registration, certificate generation, subject device provision and revocation management; System Operators: Responsible for operating the Digi-CA™ trustworthy systems on a day-to-day basis and authorized to perform system backup and recovery; System Auditors: Authorized to view and maintain archives and audit logs of the Digi-CA™ trustworthy systems. Digi-CA™ personnel are formally appointed to trusted roles by senior management responsible for security. The Digi-CA™ do not appoint to trusted roles or management any person who is known to have a conviction for a serious crime or other offence which affects his/her suitability for the position. Personnel do not have access to the trusted functions until any necessary checks are completed.
In response to ETSI 101 456 sub section 7.4.4 physical access to facilities concerned with certificate generation, subject device provision, and revocation management services are limited to properly authorized individuals, Controls are implemented to avoid loss, damage or compromise of assets and interruption to business activities; and Controls are implemented to avoid compromise or theft of information and information processing facilities. Certificate generation, subject device provision and revocation management. The facilities concerned with certificate generation, subject device provision and revocation management are operated in an environment, which physically protects the services from compromise through unauthorized access to systems or data. Physical protection is achieved through the creation of clearly defined security perimeters (i.e. physical barriers) around the certificate generation, subject device provision and revocation management services. Any parts of the premises shared with other organizations are outside this perimeter.
Physical and environmental security controls are implemented to protect the facility housing system resources, the system resources themselves, and the facilities used to support their operation. The Digi-CA’s™ physical and environmental security policy for systems concerned with certificate generation, subject device provision and revocation management services address the physical access control, natural disaster protection, fire safety factors, failure of supporting utilities (e.g. power, telecommunications), structure collapse, plumbing leaks, protection against theft, breaking and entering, and disaster recovery, etc and controls are implemented to protect against equipment, information, media and software relating to the Digi-CA™ services being taken off-site without authorization..
In response to ETSI 101 456 sub section 7.4.5 the integrity of Digi-CA™ systems and information are protected against viruses, malicious and unauthorized software and damage from security incidents and malfunctions are minimized through the use of incident reporting and response procedures. Media used within the Digi-CA™ are securely handled to protect media from damage, theft and unauthorized access. Procedures are established and implemented for all trusted and administrative roles that impact on the provision of certification services and all media are handled securely in accordance with requirements of the information classification scheme. Media containing sensitive data are securely disposed of when no longer required. Capacity demands are monitored and projections of future capacity requirements made to ensure that adequate processing power and storage are available. The Digi-CA™ acts in a timely and coordinated manner in order to respond quickly to incidents and to limit the impact of breaches of security. All incidents are reported as soon as possible after the incident and Digi-CA™ security operations are separated from normal operations.
In response to ETSI 101 456 sub section 7.4.6 Controls (e.g. firewalls) are implemented to protect the Digi-CA’s™ internal network domains from external network domains accessible by third parties and sensitive data are protected when exchanged over networks, which are not secure. The Digi-CA™ ensures effective administration of user (this includes operators, administrators and any users given direct access to the system) access to maintain system security, including user account management, auditing and timely modification or removal of access. The Digi-CA™ ensures access to information and application system functions are restricted in accordance with the access control policy and that the Digi-CA™ system provides sufficient computer security controls for the separation of trusted roles identified in Digi-CA’s™ practices, including the separation of security administrator and operation functions. Particularly, use of system utility programs are restricted and tightly controlled. Digi-CA™ personnel are successfully identified and authenticated before using critical applications related to certificate management and accountable for their activities, for example by retaining event logs. Sensitive data is protected against being revealed through re-used storage objects (e.g. deleted files) being accessible to unauthorized users.
The Digi-CA™ ensures that local network components (e.g. routers) are kept in a physically secure environment and their configurations periodically audited for compliance [10] with the requirements specified by the Digi-CA™. Continuous monitoring and alarm facilities are provided to enable the Digi-CA™ to detect, register and react in a timely manner upon any unauthorized and/or irregular attempts to access its resources. Dissemination application enforces access control on attempts to add or delete certificates and modify other associated information and continuous monitoring and alarm facilities are provided to enable the Digi-CA™ to detect, register and react in a timely manner upon any unauthorized and/or irregular attempts to access its resources. Revocation status application enforces access control on attempts to modify revocation status information.
In response to ETSI 101 456 sub section 7.4.7 an analysis of security requirements are carried out at the design and requirements specification stage of any systems development project undertaken by the Digi-CA™ or on behalf of the Digi-CA™ to ensure that security is built into IT systems. Change control procedures exist for releases, modifications and emergency software fixes for any operational software.
In response to ETSI 101 456 sub section 7.4.8 the Digi-CA’s™ business continuity plan (or disaster recovery plan) addresses the compromise or suspected compromise of a Digi-CA’s™ private signing key as a disaster. In the case of compromise the Digi-CA™ informs all subscribers, relying parties and other CAs with which it has agreements or other form of established relations of the compromise and indicates that certificates and revocation status information issued using this Digi-CA™ key may no longer be valid.
In response to ETSI 101 456 sub section 7.4.9 the Digi-CA™ ensures that potential disruptions to subscribers and relying parties are minimized as a result of the cessation of the Digi-CA’s™ services, and ensure continued maintenance of records required to provide evidence of certification for the purposes of legal proceedings. Before the Digi-CA™ terminates its services, it informs all subscribers, relying parties and other CAs with which it has agreements or other form of established relations and terminates all authorization of subcontractors to act on behalf of the Digi-CA™ in the performance of any functions related to the process of issuing certificates. The Digi-CA™ performs necessary undertakings to transfer obligations for maintaining registration information and event log archives for their respective period of time as indicated to the subscriber and relying party. The Digi-CA™ also destroys, or withdraws from use, its Private Keys. The Digi-CA™ have an arrangement to cover the costs to fulfil these minimum requirements in case the Digi-CA™ becomes bankrupt or for other reasons is unable to cover the costs by itself. The Digi-CA™ states in its practices the provisions made for termination of service such as the notification of affected entities, the transfer of its obligations to other parties and the handling of the revocation status for unexpired certificates that have been issued.
[1] In response to ETSI 101 456 sub section 7.4.10 important records are protected from loss, destruction and falsification. Some records may need to be securely retained to meet statutory requirements, as well as to support essential business activities and the Digi-CA™ [2] ensures that the requirements of the European data protection Directive, as implemented through national legislation, are met. Appropriate technical and organizational measures are taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data and the information that users contribute to the Digi-CA™ are completely protected from disclosure without the user's agreement, a court order or other legal authorization.
In response to ETSI 101 456 sub section 7.4.11 the Digi-CA™ ensures that all relevant information concerning a qualified certificate is recorded for an appropriate period of time, in particular for the purpose of providing evidence of certification for the purposes of legal proceedings. The confidentiality and integrity of current and archived records concerning qualified certificates are maintained and records concerning qualified certificates are completely and confidentially archived in accordance with disclosed business practices. Records concerning qualified certificates are made available if required for the purposes of providing evidence of certification for the purpose of legal proceedings. The subject, and within the constraints of data protection requirements the subscriber, have access to registration and other information relating to the subject. The precise time of significant Digi-CA™ environmental, key management and certificate management events are recorded and records concerning qualified certificates are held for a period of time as appropriate for providing necessary legal evidence in support of electronic signatures.
The events are logged in a way that they cannot be easily deleted or destroyed (except for transfer to long term media) within the period of time that they are required to be held and the Digi-CA™ documents the specific events and data to be logged. The Digi-CA™ ensures all events relating to registration including requests for certificate re-key or renewal, are logged. The Digi-CA™ ensures that all registration information is recorded such as type of document(s) presented by the applicant to support registration, record of unique identification data, numbers, or a combination thereof (e.g. applicant's drivers license number) of identification documents, if applicable, storage location of copies of applications and identification documents, including the signed subscriber agreement, any specific choices in the subscriber agreement (e.g. consent to publication of certificate), identity of entity accepting the application, method used to validate identification documents, if any and name of receiving Digi-CA™ and/or submitting Registration Authority, if applicable.
The Digi-CA™ ensures that privacy of subject information is maintained. The Digi-CA™ log all events relating to the life cycle of Digi-CA™ keys, the life cycle of certificates, the life cycle of keys managed by the Digi-CA™, including any subject keys generated by the Digi-CA™, the preparation of SSCDs. and ensures that all requests and reports relating to revocation, as well as the resulting action, are logged.
In response to ETSI 101 456 sub section 7.5 policies and procedures under which the Digi-CA™ operates are non-discriminatory. The Digi-CA™ makes its services accessible to all applicants whose activities fall within its declared field of operation. The Digi-CA™ is a legal entity according to national law and has a system or systems for quality and information security management appropriate for the certification services it is providing. The Digi-CA™ has adequate arrangements to cover liabilities arising from its operations and/or activities and financial stability and resources required to operate in conformity with this policy. The Digi-CA™ employs a sufficient number of personnel having the necessary education, training, technical knowledge and experience relating to the type, range and volume of work necessary to provide certification services. The Digi-CA™ has policies and procedures for the resolution of complaints and disputes received from customers or other parties about the provisioning of electronic trust services or any other related matters and a properly documented agreement and contractual relationship in place where the provisioning of services involves subcontracting, outsourcing or other third party arrangements. The parts of the Digi-CA™ concerned with certificate generation and revocation management are independent of other organizations for its decisions relating to the establishing, provisioning and maintaining and suspending of services; in particular its senior executive, senior staff and staff in trusted roles, must be free from any commercial, financial and other pressures which might adversely influence trust in the services it provides. The parts of the Digi-CA™ concerned with certificate generation and revocation management have a documented structure which safeguards impartiality of operations.
In response to ETSI 101 456 sub section 8.1, the Digi-CAST3™ Team will help you ensure that:
b) A risk assessment is carried out to evaluate business requirements and determine the security requirements to be included in the qualified certificate policy for all the areas identified above.
c) All the Certificate Policy documents are approved and modified in accordance with a defined review process, including responsibilities for maintaining the qualified certificate policy.
d) A defined review process exists to ensure that the qualified certificate policies are supported by the Digi-Certificate Practice Statement [26]™.
e) The Digi-CA™ Xg Trust Centre makes available the qualified certificate policies supported by the Digi-CA™ to all appropriate subscribers and relying parties.
f) Revisions to qualified certificate policies supported by the Digi-CA™ are made available to subscribers and relying parties.
g) The qualified certificate policy incorporates all the requirements of Clauses 6 and in particular:
h) That the Digi-CA™ Xg Trust Centre is responsible for conformance with the procedures prescribed in this policy, even when the CA functionality is undertaken by sub-contractors.
i) The CA shall provide all its certification services consistent with its certification practice statement.
j) That the subscriber submits accurate and complete information in accordance with the requirements of the ETSI 101 456 policy, particularly with regards to registration and that the subscriber only uses the key pair for electronic signatures in accordance with any other limitations notified to the subscriber. That the subscriber exercises reasonable care to avoid unauthorized use of the subject's Private Key and if they participate in generating these keys using the Process Method that the algorithm used is recognized as being fit for the purposes of qualified electronic signatures and that the key length and algorithm are recognized as being fit for the purposes of qualified electronic signatures.
k) The Digi-CA™ can show that only the subject holds the Private Key once delivered to the subject and that if the Certificate Policy requires use of an SSCD (i.e. QCP public + SSCD), the Digi-CA™ will only use the certificate with electronic signatures created using such a device.
l) If the Digi-CA™ is not required to issue qualified certificates and if the certificate is issued by the CA under the Certificate Policy for QCP public + SSCD and the subject's keys are generated under control of the subscriber, the Digi-CA™ will generate the subject's keys within the SSCD to be used for signing.
m) The Digi-CA™ Administrator will also ensure that subscribers will notify them without any reasonable delay, if any of the following occur up to the end of the validity period indicated in the certificate:
n) the subject's Private Key has been lost, stolen, potentially compromised; or
o) control over the subjects Private Key has been lost due compromise of activation data (e.g. PIN code) or other reasons; and/or
p) inaccuracy or changes to the certificate content, as notified to the subscriber.
q) and should any of the above occur, the use of the subject's Private Key is immediately and permanently discontinued.
r) the Digi-CA™ unique OID is obtained for the Certificate Policy of the form required in ITU-T Recommendation X.509 [3].
In response to ETSI 101 456 sub section 8.3, the Digi-CAST3™ will advise whether your Certificate Policy requires the use of SSCD and the ways in which the specific policy adds to or further constrains the requirements of the qualified certificate policy as defined in ETSI 101 456.
In response to ETSI 101 456 sub section 8.3, the Digi-CAST3™ will ensure you only claim conformance to the standard and the applicable qualified certificate policy by ensuring you adhere to the standard as a whole.
[1] Digi-CA™ complies with this standard by using defined Algorithms and Parameters for Secure Electronic Signatures, that are accepted by this standard, namely:
[1] By virtue of the fact that the Digi-CAST3™ Team will help you select the correct Time Stamping [12] Policy and TimStamping Authority Practice Statements so that they comply with this standard, this means that the subsequent use of the Digi-CA™ [2] in accordance with these document means that it is compliant with this standard.
[1]
7.14 IETF RFC 2527
7.15 IETF RFC 3647
[1] Complying with this standard means the Digi-Certificate Practice Statement [26]™ documentation is written according to the guidelines set out in this document and Digi-CAST™ will ensure that your CPS meets these guidelines.
[1] Complying with this standard means the Certificate Policy documentation is written according to the guidelines set out in this document and Digi-CAST™ will ensure that your CPS meets these guidelines.
ISO 27001 is the Certification Standard from the International Standards Oganization [ISO] Certification for Information Security Management System [ISMS]. It is based on the internationally accredited British Standard BS7799 that has been in existence for more than a decade and was significantly revised and improved in May 1999.
All organisations trying to follow best practice to design, deploy, run and support ICT security systems should consider an ISMS. ISMS are frameworks with a systematic approach to managing sensitive company information so that it remains secure. It encompasses premises, people, processes and IT systems.
ISO/IEC 27001:2005 is the latest international standard Specification for an ISMS. In October 2005, BS 7799 part 2 was adopted by ISO, its name was changed to be officially released as the new international standard ISO/IEC 27001:2005. ISO 27001 is essentially a direct replacement for BS 7799 part 2. It includes a summary of ISO 27001:2005 controls as an appendix.
The standard covers the following topics:
It is important to note that not all departments of the organisation must apply for the standard which means that organisation XYZ may be certified for department 1 but not for department 2. When applying for the standard, applicants are asked to confirm where the standard should be applicable for their organisation in the “Statements of Applicability”.
To implement the ISMS according to ISO 27001 in your organisation, consult the Digi-CAST™ [5] Team that use a methodology specifically for ISO 27001 that can expedite your ISO 27001 Certification considerably.
[27] Digi-CAST™ [9] is the system used to implement all Certificate Authority systems. Digi-CAST3™ is the methodology used to implement the compliance strategy for ISO 27001 [28].
[29] This ISMS is specific only to the three Certificate Authority [CA] rooms in Isa Town, the five Registration Authority Control Centre operator desks located on the ground floor of the National ID card issuing centre in Isa Town and the two Public Servers located in Juffair, in the Kingdom of Bahrain. The ISMS does not extend beyond these two geographicaal locations and the personnel that make up the operational and management team for these areas. It should also be noted that the Key Ceremony(s) that occurs is outside the physical environment and is not included in the ISMS, however, detailed scripts, explanations and security documentation from each Key Ceremony will be introduced into the ISMS as required.
The Information Security Management System covers all activities within the PKI [30] infrastructure in Juffair and ISA Town including related infrastructure key components such as Digi-CA and associated HSM. It relates to all assets, software and infrastructure used for storing, handling, processing and distributing digital certificates to Bahrain citizens.
Where terms which are used in ISO27001:2005 are used here, the definitions provided in clause 3 of that standard are applied. Where terms are defined in ISO17799:2005 but not in ISO27001:2005, the ISO17799:2005 definitions are applied here.
In particular, the ISMS is defined as the part (which includes organisational structure, policies, planning activities, plans, responsibilities, working practices, procedures, processes and resources) of the Organisation’s overall management system which, based on a business risk approach, enables management to establish, implement, operate, monitor, review, maintain and improve information security within the Organisation.
A current version of this document is available to PKI staff members of staff and is available on request from the Information Security Manager.
This procedure was approved by the Director General of IT and the Information Security Manager on 08 November, 2007 and is issued on a version controlled basis under his/her signature
Adlin Hisyamuddin Shaikh Salman Mohammed Al-Khalifa
Information Security Manager Director General of IT
____________________________ _______________________________
On:
08 November, 2007 08 November, 2007
____________________________ _______________________________
Change history
Issue 1 7 November, 2007 Initial issue
[29] The Organisation’s ISMS documentation consists of:
a) The individual has the necessary skill, competence and resources to carry out the processes or task(s) and
b) The Owner retains accountability for ensuring that the process or task is carried out correctly.
Adlin Hisyamuddin Shaikh Salman Mohammed Al-Khalifa
Information Security Manager Director General of IT
____________________________ _______________________________
On:
08 November, 2007 08 November, 2007
____________________________ _______________________________
Change history
Issue 1 08 November, 2007 Initial issue
[29]
3.3 The ACT Phase – Maintain & Improve the ISMS
Adlin Hisyamuddin
Information Security Manager
____________________________
On:
08 November, 2007
____________________________
Change history
Issue 1 08 November, 2007 Initial issue
[29] The Organisation’s approach to risk, which has been specifically approved and authorised by management, is contained in the risk management framework, which it applies to its overall strategic planning process. The risk management framework is designed to identify and assess risks (including information security risk) in the business plan, to identify and evaluate options for the treatment of those risks, and to select control objectives and controls that will reduce those risks to acceptable levels within the context of the business plan, operational requirements, constraints and objectives and national and international legislation and regulation. [ISO17799 4.1 and 4.2]
CIO has decided not to use an automated tool to perform risk assessments. Instead it has sought advice from external security consultants VigiTrust to set out the initial to procedures and documentation and in conjunction and co-operation with the Digi-CAST3™ Team, has been trained on the use of this manual and the implementation of the procedures necessary to produce a number of methodologies to perform risk assessment on a regular basis
Risk assessments projects need to be carried out regularly and need to help CIO identify the threat landscape, vulnerabilities and threat levels associated to each vulnerability against each of its tangible and intangible assets.
CIO opted to work with Digi-Sign because of its knowledge of Certificate Authority [CA [4]] and Public Key Infrastructures [PKI [30]] and with VigiTrust because of their in the filed of risk assessment for particularly sensitive information and projects related to the security of sensitive assets.
CIO considered tools such as RA2 or equivalent on the market. However these tools require a deep understanding of the current security threat landscape and are only extremely effective for security professionals.
It was therefore decided to work with security consultants who had their own methodologies backed by a proven track record of helping blue chip organizations to meet security best practice guidelines.
Some initial research was conducted by CIO as to whether an automated tool would be appropriate to perform the risk assessment tasks related to this project. It was very quickly identified that consultants would be required in order to engage with CIO and conduct risks assessments. After a full tendering process in accordance with the laws of the Kingdom of Bahrain and a lengthy and careful consideration process, Batelco and Digi-Sign were selected to provide this service to the CIO in co-operation with Digi-Sign’s ISO consultancy partner VigiTrust.
The chosen methodology is based on benchmarking vulnerabilities and threats to each assets against a risk matrix. The matrix consists in evaluation of the asset in terms of importance to CIO, assigning a probability of likelihood for each threat and determining an absolute impact for the threat. The risk is calculated as follows:
Risk (aka “Absolute risk”) = Probability of Threat * Absolute Impact of Threat
The information below details all of the elements of this risk calculation model:
Evaluation of Assets
The operation owner defines the value of each asset detected depending on his perception of impact on operations) or on users in general in case of loss, theft, inaccessibility, deterioration / corruption or any other security violations. Perceived value is ranked as follows:
Unimportant (0) Damage on the asset never affects the data system
Not very important (1) Damage on the asset has very little impact on the data system. The data system keeps operating. Damage on it does not tarnish the company name.
Medium (2) Damage on the asset affects the data system. The data system keeps operating but the asset in question must be replaced. Damage thereon can affect the company name negatively to a somewhat noticeable extent.
Important (3) Damage on the asset has major impact on the data system. The data system is only half operational in that it may not be fully accessible or its integrity might have been somewhat compromised. The asset in question must be replaced. Damage thereon affects the company name adversely.
Very important (4) The asset plays a major part for the operation of the data system. Damage on the asset has a huge impact on the operability of the data system. Only parts of the data system remain useable. Damage thereon has substantial adverse impact on the company name.
Extremely important (5) The asset is essential for the operation of the data system. Damage on the asset directly influences the data system. The data system is out of operation. Damage thereof has very adverse impact on the company name.
At this stage Potential vulnerabilities are listed for each asset. Vulnerabilities are the weaknesses identified for assets. Potential threats are listed for each asset. Threats are potential tools by which vulnerabilities can be misused or exploited.
Important Note: The value as determined by the above procedure is entered in the “Critical” column Risk Treatment Plan file that accompanies this document and is referenced “Digi-CAST Asset List & Risk Treatment Issue 001-071107.xls”.
Threat Probability Values
Negligible (0) Not likely to happen.
Very low (1) Twice or three times in a period of 5 years.
Low (2) May happen once a year or a shorter period of time.
Medium (3) May happen every six months or within a period of time between one to 6 months.
High (4) May happen once a month or within a period of time between 2 days to one month.
Very high (5) May happen once a day.
Extremely High (6) May happen multiple times a day.
Threat Impact Values
Unimportant (0) The threat has no impact on the asset.
Small (1) The threat has little impact on the asset. There is no need to repair or re-configure the asset.
Important (2) Although the impact by the threat is minor and is only reported by a few persons or organizations, the threat can still have concrete damage. Corrective action involving time, effort and financial input may have to be implemented to make up for the damage and eradicate the issues.
Detrimental (3) The Threat can damage the reputation of asset and system operators. Significant spending may be necessary to repair the damage and eradicate the issues.
Serious (4) The Threat inflicts substantial damage on the asset and/or many staff members and the organization itself may be significantly impacted by the damage. Large scale restructuring may be necessary in the damaged system. Corrective action needs to be taken to eradicate the issues.
Very serious (5) Threats causes the asset to be out of operation indefinitely. It requires the system to be re-designed and re-structured totally. Corrective action needs to be taken to eradicate the issues.
The information pertaining to absolute risks requires the use of the values detailed above according to the formula, Absolute Risk = Threat Probability Value * Threat Impact Value.
So by determining the “Threat Probability Value” (i.e. 1 – 6) using the horizontal part of the following Risk Calculation Table and then searching down the vertical column for the “Threat Impact Value”, the “Absolute Risk Value” can be calculated.
Important Note: All three values are entered in the Risk Treatment Plan file that accompanies this document and is referenced “Digi-CAST Asset List & Risk Treatment Issue 001-071107.xls”.
Every time an asset is added or removed from the Trust Centre, this Digi-CAST™ [9] Manual and the “Digi-CAST Asset List & Risk Treatment” must be updated and must be signed by the Information Security Manual.
In addition, the new Issue must be circulated to all members of the Trust Centre Team and Trust Centre Management. And this is the responsibility of the Information Security Manager.
Risk Calculation Table
| Probability of the Threat to Happen |
Unimportant (0) |
Minor (1) | Important (2) | Detrimental (3) | Serious (4) | Very serious (5) |
| Negligible (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) |
| Very low (1) | None (0) | Low (1) | Low (2) | Low (3) | Medium (4) | Medium (5) |
| Low (2) | None (0) | Low (2) | Medium (4) | Medium (6) | High (8) | High (10) |
| Medium (3) | None (0) | Low (3) | Medium (6) | High (9) | High (9) | Critical (15) |
| High (4) | None (0) | Medium (4) | High (8) | High (12) | Critical (16) | Very High (20) |
| Very High (5) | None (0) | Medium (5) | High (10) | Critical (15) | Very High (20) | Very High (25) |
| Extremely High (6) | None (0) | Medium (6) | High (12) | Critical (18) | Very High (24) | Very High (30) |
Absolute Risk Table
Absolute Risk |
Risk Score |
Multiplication Values
|
| None | 0 | 0 |
| Low | 1 | 1,2,3 |
| Medium | 2 | 4,5,6 |
| High | 3 | 8,9,10,12 |
| Critical | 4 | 15,16,18 |
| Very high | 5 | 20,24,25,30 |
Actual Risk Value is calculated by using the following final formula:
1. Absolute Risk = Probability of the Threat * Absolute Impact of the Threat
2. Absolute Risk Score Simplified Absolute Risk Score (Table 4)
3. Actual Risk Value = New Absolute Risk Score * Asset Value Identification of Targets, Controls and Counter Measures and Management of Risks
3–Step Absolute Risk Calculation
Step 1
Take into consideration the impact an event using the “Threat Impact Values” scale above (0 - 5).
Step 2
Then consider the likelihood it could happen using the “Threat Possibility Values” scale above (0 - 6).
Step 3
Then use the table, which gives you the risk for the RTP (it is a basic multiplier). The value you get will appear on the “Absolute Risk Table” and this enables you to label the Risk appropriately.
Example
Rack server:
The Rack could be physically damaged or it could collapse resulting in machines having to be powered off before being moved - results in disruption to services.
Probability of that happening is low (2) however impact of the issue, if it did happen, is high (4) as it would seriously disrupt services. Therefore the Absolute Risk Value is 4 x 2 = 8. The Absolute Risk (8) is then entered in the Absolute Risk column of the Digi-CAST Asset List & Risk Treatment.
In Summary
Low Absolute Risk Value is typically low to high impact with little probability of occurrence (or vice versa).
High Absolute Risk Value is typically high impact and high probability (unusual and rare, but may occur).
Medium Absolute Risk Value is more complicated and requires careful attention as it suggests that the impact would be medium to high and so is the probability. This is where indicating actual controls in place will ensure that a proper risk assessment has been conducted.
Consider the asset and carefully consider the likelihood of the potential threat happening. Should it happen, what impact would have it have on the CIO Trust Centre if it did happen and then using the above system assign figures and calculate the Absolute Risk Value.
The CIO Trust Centre staff must understand the scoring mechanism and regular training should be provided by the Information Security Manager to all the members of the Trust Centre Team. In addition ongoing security awareness through training, reference manual, demonstration and incident reporting, resolution and documentation is provided in order for Trust Centre Team to keep abreast of the latest threats in order to be able to continually assess risks and take pre-emptive action.
The Organisation’s method for risk assessment is to use risk assessment tool in this Digi-CAST™ [9] Manual and uses the procedure as set out below. This tool and methodology is suitable for the scope of the Organisation’s ISMS (Section 1), the business objectives (3.1b1 above), the security, contractual, legal and regulatory requirements (3.1b2) above and risk management framework that were identified earlier. The selection criteria are set out in DOC 4.2. [ISO27001 4.2.1c] and the risk assessment procedure itself is carried out as described in DOC 4.4.
This method of risk assessment is applied throughout the Organization in respect of information risks.
The Information Security Manager is responsible for carrying out risk assessments wherever they are required by the ISMS.
Procedure
Controls are implemented according to relevant associated processes and OWIs pertaining to each threat.
The Information Security Manager is the owner of this document and is responsible for ensuring that this procedure is reviewed in line with the review requirements of the ISMS.
A current version of this document is available to the Trust Centre team members on request.
This procedure was approved by the Director General of IT and the President of the CIO on 08 November 2007 and is issued on a version-controlled basis under their signatures.
The Organisation has a documented approach (framework in DOC 4.3, tool in DOC 4.2 and procedure/methodology in DOC 4.4) to risk assessment.
Shaikh Salman Mohammed Al-Khalifa Mohammed Al-Amer
Director General of IT President of CIO
____________________________ _______________________________
On:
08 November, 2007 08 November, 2007
____________________________ _______________________________
Adlin Hisyamuddin
Information Security Manager
____________________________
On:
08 November, 2007
____________________________
Change history
Issue 1 08 November, 2007 Initial issue
[29] Information Security Policy
Control objective: The organization provides management direction and support for information security in accordance with business requirements and relevant laws and regulations of the Kingdom of Bahrain.
The management team and the board of directors have approved and authorized an information security policy for the Organisation. This policy is set out below and is authorized for separate distribution under the President of CIO’s signature, with the reference DOC 5.1. A current version of this document is available to all staff and contractors, and to external parties [when signing supply contracts]. The development of the information security policy is carried out under the PDCA process described in Section 3 of the Information Security Manual.
INFORMATION SECURITY POLICY
The Board and management of The Central Informatics Organization [CIO], located at National Smart Card Centre [NSCC], Building 1088, Road 4025, Block 842, Isa Town and Government Data Network Centre, 1091, Road 4225, Juffair 342, and both locations are in the Kingdom of Bahrain and provide for the operation of the National ID card, identity verification and validation of the citizens and residents of the Kingdom of Bahrain is in the business of providing Digital Certificates [14] and related Public Key Infrastructure [PKI [30]] services, are committed to preserving the confidentiality, integrity and availability of all the physical and electronic information assets throughout the CIO CA [4] and RA areas in order to preserve the integrity, reputation and security of the citizens, residents and Government Departments and Agents it serves. Information and information security requirements will continue to be aligned with the CIO goals and the ISMS is intended to be an enabling mechanism for information sharing, for electronic operations and for reducing information-related risks to acceptable levels.
The CIO’s current strategic business plan and risk management framework provide the context for identifying, assessing, evaluating and controlling information-related risks through the establishment and maintenance of an ISMS. The risk assessment, Statement of Applicability and risk treatment plan identify how information-related risks are controlled. The Information Security Manager is responsible for the management and maintenance of the risk treatment plan. Additional risk assessments may, where necessary, be carried out to determine appropriate controls for specific risks.
In particular, business continuity and contingency plans, data back up procedures, avoidance of viruses and hackers, access control to systems and information security incident reporting are fundamental to this policy. Control objectives for each of these areas are contained in the Manual and are supported by specific, documented policies and procedures.
All employees of the CIO [and certain external parties identified in the ISMS] are expected to comply with this policy and with the ISMS that implements this policy. All staff, and certain external parties, will receive appropriate training, initially by the Digi-CAST3™ Team and ultimately by the Information Security Manager.
The CIO has established Trust Centre top-level management steering committee chaired by the Director General of IT and including the President of the CIO and the Chief Security Officer to support the ISMS framework and to periodically review the security policy.
The CIO is committed to achieving certification [10] of its ISMS to ISO27001:2005
This policy will be reviewed to respond to any changes in the risk assessment or risk treatment plan and at least annually.
In this policy, “information security” is defined as:
preserving
This means that management, all full time or part time staff, sub contractors, project consultants and any external parties have, and will be made aware of, their responsibilities (which are defined in their job descriptions or contracts) to preserve information security, to report security breaches (in line with the policy and procedures identified in Section 13 of the Manual) and to act in accordance with the requirements of the ISMS. The consequences of security policy violations are described in the [organization’s] disciplinary policy. All staff will receive information security awareness training and more specialized staff will receive appropriately specialized information security training
the availability.
This means that information and associated assets should be accessible to authorized users when required and therefore physically secure. The computer network identified as part of the scoping work for Section 1 of the Manual is resilient and the organization is able to detect and respond rapidly to incidents (such as viruses and other malware) that threaten the continued availability of assets, systems and information. There are appropriate business continuity plans to meet the requirements of the CIO Trust Centre as approved by the Director General of IT.
Confidentiality
This involves ensuring that information is only accessible to those authorized to access it and therefore to preventing both deliberate and accidental unauthorized access to the CIO Trust Centre’s information and proprietary knowledge and its systems including its network(s), website(s), extranet(s), and e-commerce systems.
And integrity
This involves safeguarding the accuracy and completeness of information and processing methods and therefore requires preventing deliberate or accidental, partial or complete, destruction, or unauthorized modification, of either physical assets or electronic data. There must be appropriate contingency [including for network(s), e-commerce system(s), web site(s), extranet(s)] and data back-up plans, and security incident reporting. The CIO Trust Centre will comply with all relevant data-related legislation in the Kingdom of Bahrain within which it operates.
Of the physical (assets)
The physical assets of the CIO Trust Centre including but not limited to computer hardware, data cabling, telephone systems, filing systems and physical data files and information assets
The information assets include information printed or written on paper, transmitted by post or shown in films, or spoken in conversation, as well as information stored electronically on servers, web site(s), extranet(s), intranet(s), PCs, laptops, mobile phones and PDAs as well as on CD ROMs, floppy disks, USB sticks, back up tapes and any other digital or magnetic media, and information transmitted electronically by any means. In this context “data” also includes the sets of instructions that tell the system(s) how to manipulate information (i.e. the software: operating systems, applications, utilities, etc)
of the CIO.
The CIO Trust Centre and such partners that are part of our integrated network and have signed up to our security policy and have accepted our ISMS.
The ISMS is the Information Security Management System, of which this policy, the information security manual (“the Manual”) and other supporting and related documentation is a part, and which has been designed in accordance with the [specification contained in ISO27001:2005]
A SECURITY BREACH
A SECURITY BREACH is any incident or activity that causes or may cause a break down in the availability, confidentiality or integrity of the physical or electronic information assets of the Organization.
The Information Security Manager is the Owner of this document and is responsible for ensuring that this policy document is reviewed in line with the requirements in clause 5.1.2 in the Manual.
A current version of this document is available to all members of staff on the on request and as it does not contain confidential information, it can be released to relevant external parties.
This information security policy was approved by the Trust Centre Committee and the Directors of the CIO on 08 November, 2007 and is issued on a version-controlled basis under the signature of the Information Security Manager.
Shaikh Salman Mohammed Al-Khalifa Mohammed Al-Amer
Director General of IT President of CIO
____________________________ _______________________________
On:
08 November, 2007 08 November, 2007
____________________________ _______________________________
Adlin Hisyamuddin
Information Security Manager
____________________________
On:
08 November, 2007
____________________________
Change history
Issue 1 08 November, 2007 Initial issue
The Organisation’s information security policy is reviewed at planned intervals, or when and if significant changes occur, to ensure its continuing suitability, adequacy, and effectiveness.
Note: The Information Security Manager accepts his role as owner of this document and intends to conduct several internal audits before 30 November, 2007 to ensure all aspects of the ISMS are correct, accurate and that this ISMS accurately reflects the total CIO Trust Centre environment.
Adlin Hisyamuddin
Information Security Manager
____________________________
On:
08 November, 2007
____________________________
Change history
Issue 1 08 November, 2007 Initial issue
[29] Control objective: management of information security within the Organisation and establishment of a management framework for the initiation, implementation and control of the ISMS.
The Organisation’s management actively supports information security within the Organisation through clear direction, demonstrated commitment, explicit assignment and acknowledgement of its – and everyone else’s - information security responsibilities.
Due to the small size of the organisation, it co-ordinates its information security activities through a the Trust Centre Managers consisting of Director General of IT and the Information Security Manager from different parts of the organisation who have relevant roles and job functions
The Organisation has clearly defined all information security responsibilities.
The Organisation has clearly defined all information security responsibilities
The Organisation has defined and implemented a management authorisation process (see DOC 6.4) for new information processing facilities.
A confidentiality and non-disclosure agreement (DOC 6.5) reflecting the Organisation’s requirements for the handling of information is in place (also see 8.1.3 [32]) and is reviewed regularly
The Organisation maintains appropriate contacts with relevant authorities
The organisation maintains appropriate contact with special interest groups and other specialist security forums and professional associations
The Organisation’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, rules, processes and procedures for information security) is independently reviewed at planned intervals, and when significant changes to the security implementation occur.
Control objective: to maintain the security of organisational information processing facilities and information assets that are accessed, processed, communicated to or managed by external parties
The Organisation’s procedures for identifying risks to its information assets and information processing facilities from business processes involving external parties, and for implementing appropriate controls before granting access, are identified in DOC 6.8.
All identified security requirements are addressed, in line with the procedure in DOC 6.8 and the Organisation does not apply this control because none of its customers access any of its information assets.
Agreements with third parties involving accessing, processing, communicating or managing organisational information assets or information processing facilities, or adding products or services to information processing facilities, contain or refer to all identified security requirements, as required in DOC 6.8, and third parties are not allowed to access the Organisation’s information assets until such an agreement has been signed.
“Facility” is defined as “any system(s) or device(s) that will be used to process or store organizational information or that will connect to an organizational network or other information processing facility.” It includes hardware, software and services.
a) Approved (as to adequacy for the business purpose) and authorized by the line manager who/whose team will use them (business approval);
b) Approved and authorized by the local Site Managers (see 6.1.3.8) as to meeting all relevant security policies and requirements are met (site approval);
c) Approved and authorized by the IT Manager as to compatibility with current (and planned future) system components (technical approval);
d) Approved and authorized by the Information Security Manager as to meeting information security requirements (e.g. information classification, anti-malware, etc) (security approval).
e) Signatures and dates must be on the procurement documentation before the procurement can proceed.
User-level information processing devices (notebooks, PDAs, mobile phones, etc) are all considered as “facilities” in terms of this procedure and the Organization requires each individual deployment of any such device to be approved and authorized in line with this procedure. Where relevant, a risk assessment will be carried out in line with DOC 4.4 [32]
Adlin Hisyamuddin
Information Security Manager
____________________________
On:
08 November, 2007
____________________________
Change history
Issue 1 08 November, 2007 Initial issue
Control objective: to achieve and maintain appropriate protection of organizational assets.
[29]
All information assets are clearly identified, and an inventory of all important assets has been drawn up and is maintained in line with the requirements of DOC 7.1
All assets associated with the information systems or services are ‘owned’ by a designated individual or part of the Organisation, and details of the Owner are identified on the asset inventory in line with DOC 7.1.
Rules for the acceptable use of information and assets associated with information processing facilities have been identified, documented and implemented.
Control objective: to ensure that information receives an appropriate level of protection
Information has been classified in terms of value, legal requirements, sensitivity and criticality to the Organisation
An appropriate set of procedures for information labelling and handling has been developed in accordance with the classification scheme adopted by the Organisation and this is set out in DOC 7.6
Adlin Hisyamuddin
Information Security Manager
____________________________
On:
08 November, 2007
____________________________
Change history
Issue 1 08 November, 2007 Initial issue
Control objective: to ensure that all employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities.
[29]
Security roles and responsibilities of employees, contractors and third party users have been defined and documented as required by the Organisation’s information security policy.
Background verification checks on all candidates for employment, contractors and third party users are carried out in line with DOC 8.1 and in accordance with the laws, regulations and ethics of the Kingdom of Bahrain, and proportional to the Organization business requirements, the classification of the information to be accessed, and the perceived risks
Employees, contractors and third party users must agree and sign the terms and conditions of their employment contract, which state their and the Organization responsibility for information security
Control objective: to ensure that all employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error.
All employees of the Organization and, where relevant, contractors and third party users receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function.
The Organisation has a formal disciplinary process for employees who have committed a security breach
Control objective: to ensure that employees, contractors and third party users exit an organisation or change employment in an orderly manner
All employees, contractors and third party users are required to return all Organisational assets in their possession upon termination of their employment, contract or agreement.
The access rights of all employees, contractors and third party users to information and information processing facilities are removed upon termination of their employment, contract or agreement, or adjusted upon change
Shaikh Salman Mohammed Al-Khalifa Mohammed Al-Amer
Director General of IT President of CIO
____________________________ _______________________________
On:
08 November, 2007 08 November, 2007
____________________________ _______________________________
Control objective: to prevent unauthorized physical access, damage and interference to the organization premises and information.
[29]
The Organization uses security perimeters to protect areas that contain information and information processing facilities.
Secure areas are protected by appropriate entry controls to ensure that only authorized personnel are allowed access.
The Organization has designed and applied physical security for offices, rooms and facilities.
The Organization has designed and applied physical protection against damage from fire, flood, earthquake, explosion, civil unrest, and other forms of natural or man-made disaster
The Organization has designed and applied physical protection and guidelines for working in secure areas and these are contained in DOC 9.8.
Access points such as delivery and loading areas and other points where unauthorized persons may enter the premises are controlled and isolated from information processing facilities to avoid unauthorized access.
Control objective: to prevent loss, damage, theft or compromise of assets and interruption to the organization activities
Equipment is sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access
Equipment is protected from power failures and other disruptions caused by failures in supporting utilities.
Power and telecommunications cabling carrying data or supporting information services is protected from interception or damage
Equipment is correctly maintained to ensure its continued availability and integrity
Security is applied to off-site equipment taking into account the different risks of working outside the Organization premises
All items of equipment containing storage media are checked to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal
Equipment, information or software may not be taken off-site without prior authorization as required by DOC 9.12
PREMISES INSPECTION
Site Address:
Date and time of Inspection:
Inspector:
a) Completeness of perimeter:
b) External walls of solid construction:
c) Access possible over walls/through roof?
d) Access possible under walls?
e) External doors solid?
1. With required locks/breach alarms?
2. With automatic closing mechanisms?
3. Remote access doors protected by cameras?
f) External windows locked/barred?
g) Fire doors alarmed and monitored in accordance with Work Instruction DOC 9.2
h) Fire alarms installed and working (DOC 9.2)
i) Fire suppression equipment installed and working (DOC 9.4)
j) Burglar/intruder alarms installed and working (DOC 9.3)
1. All [accessible] external windows covered?
2. All external doors covered?
3. Unoccupied areas alarmed at all times?
4. Reception area controlled (DOC 9.6)
k) Air conditioning installed and working (DOC 9.5)
l) Health and safety regulations [insert details of relevant code] applied?
m) (If it houses systems processing confidential information) how easy is it for the public to access the facility?
n) (If it houses systems processing confidential information) how unobtrusive is this to the public? Are there any obvious signs of information processing activities?
o) Are internal directories appropriately classified to restrict access to details of confidential sites?
p) Are hazardous, combustible materials safely stored (at a safe distance from a secure area)?
q) Are bulk supplies of non-confidential items stored outside secure areas?
r) Are necessary fire extinguishers available [insert details of requirements] and tested [insert details of testing regime]?
Distribution: copies of this report are held by the Premises Security Manager and the Information Security Manager.
The Site Security Managers at the CIO are the owners of this document and is responsible for ensuring that this procedure is reviewed in line with the review requirements of the ISMS.
All designated secure areas (see DOC 9.7 and DOC 9.10) on any of the Organization’s premises are subject to controlled access and usage.
All information processing equipment owned or used by the Organization is subject to secure site location and protection requirements.
The requirements are:
a) That equipment is sited so as to minimize [public/unnecessary] access to work areas;
b) Information processing and storage equipment (including faxes, photocopiers and telephone equipment used for confidential information) is sited in secure areas [server/communications rooms/secured offices] so that it is not possible for confidential information to be seen by unauthorized people;
c) Secure areas are subject to the same level of physical perimeter protection as secure sites;
d) Equipment that requires special protection is isolated in the CA [4] Inner Core Room;
e) Controls are implemented to deal with theft (see sub section 9.1 of the Manual), natural or man-made disaster (see sub section 9.1.4 of the Manual).
f) The Organization does not allow smoking inside any of its sites, nor does it allow eating or drinking inside secure areas;
g) Secure areas are monitored for temperature increases above X degrees Celsius and an acceptable limit has been set at X degrees Celsius and the Information Security Manager receives an immediate alert as set out in the OWI for the fire detection system once they are breached.
b) The Site Managers are responsible for ensuring that Heating and Ventilation engineers provide a formal report on the heating, cooling/air conditioning and ventilation requirements of each secure area and each site that contains information processing equipment and for reporting on the adequacy or otherwise of current installations. Shortfalls in requirements are to be treated by escalating their concerns to the Information Security Manager for Risk Assessment, treatment and the creation of an Operation Work Instruction [OWI] as necessary.
c) The Site Managers are responsible for ensuring that all supporting utilities and equipment is inspected (also see DOC 9.7 and DOC 9.8) on a frequency determined by manufacturer’s recommendations [and previous inspections] and that inspection certificates are retained in line with sub section 15.1.3 of the Manual.
a) Electromagnetic shielding for cables;
e) Technical sweeps and physical inspections that are carried out by the Information Security Manager and/or the Security Administrator to ensure that no unauthorized devices are attached to cables.
Scope
The Organization requires, under sub section 9.2.6 of the Manual, that all removable storage media are clean (which means: it is not possible to read or re-constitute the information that was stored on the device or document) prior to disposal.
Responsibilities
The Information Security Manager is responsible for managing the secure disposal of all storage media in line with this procedure when they are no longer required, and is the Owner of the relationship with Al Falwa Cleaning WLL who is the approved contractor for removing shredded documents.
All Owners (see sub section 7.1.2 [32] of the Manual) of removable storage media are responsible for ensuring that these media are disposed of in line with this procedure.
Procedure [ISO 17799 clause 9.2.6]
Hard disks must be cleared of all software and all Organizational confidential and restricted information prior to disposal or re-use, as set out in clause 5 below.
The Information Security Manager is responsible for the secure disposal of storage media and the disposal of all information processing equipment is routed through his/her office. A log (REC 9.1) is retained showing what media was destroyed, disposed of, and when. The asset inventory is adjusted once the asset has been disposed of.
Hard disks are cleaned by the Security Administrator prior to destruction.
Devices containing confidential information are broken and then burnt prior to disposal and are never re-used.
Devices containing confidential information that are damaged are subject to a risk assessment prior to sending for repair, to establish whether they should be repaired or replaced in which case they are destroyed according to this procedure.
Documents containing confidential and restricted information which are to be destroyed are shredded by their owners, using a shredder with an appropriate security classification. These shredders are located in the ISA Town National Smart Card Centre outside the Trust Centre. The waste is removed by the approved contractor.
The Information Security Manager is the owner of this document and is responsible for ensuring that this procedure is reviewed in line with the review requirements of the ISMS.
Yousif Mohammed Ali Muthanna Yousif Mohammed Abdulla
Site Security Manager Site Security Manager
____________________________ ____________________________
On: On:
08 November, 2007
____________________________
Change history
Issue 1 08 November, 2007 Initial issue
[29] Changes to information processing facilities and systems are controlled
Duties and areas of responsibility are segregated to reduce opportunities for unauthorized or unintentional modification or misuse of organisational assets
1. Risk Assessment Adlin Hisyamuddin - Information Security Manager, Head PKI [30]
2. Authorisation of Controls Mubarak Abdulla Alhiddi - CSO/CIO
3. Change Initiation Ahmed Essa Abualfath - Computer Security Administrator
4. Change Management Shaikh Salman Mohammed Al-Khalifa – Director General of IT
5. Network Management Khalid Al Othman – Chief, Network
6. Network Administration Khalid Ali Al Jalahma – Network Administrator
7. IT Operations Mohammed Al-Yassi – Director IT Operations
8. Software Development Sameh Abo-El-Ela
9. System Testing Osama Khalid Rafai - Computer Security Administrator
10. Employee Administration Hesham Al-Ghatam - Chief, Personnel & Admin’ Development
11. Asset Purchase Khulood Al-Jassim - Supervisor Administration Service
12. Site/Secure Area Security Adel Khalifa Bu-Alai - Chief of Police in Juffair
13. Site/Secure Area Security Mohammed Hamdan Mohammed - Chief of Police in Isa Town
14. Security Audit Osama Khalid Rafai - Computer Security Administrator
15. PKI Manager Adlin Hisyamuddin - Information Security Manager, Head PKI
16. Physical Site Security Yousif Mohammed Ali Muthanna – Site Security Manager
17. Physical Site Security Yousif Mohammed Abdulla – Site Security Manager
Development, test and operational facilities are separated to reduce the risks of unauthorized access or changes to the operational system
Control objective: to implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements
The Organization ensures that the security controls, service definitions and delivery levels included in the third party service delivery agreement are implemented, operated and maintained by the third party
The Organisation regularly monitors and reviews the services, reports and records provided by third parties and carries out regular audits
The Organisation manages changes to the provision of services, including maintaining and improving existing information security policies, procedures and controls, taking account of the criticality of business systems and processes involved and re-assessment of risks, and the procedures for doing this are contained in DOC 6.8. [32]
Control objective: to minimize the risks of systems failures
Acceptance criteria for new information systems, upgrades and new versions have been established and suitable tests of the system(s) are carried out during development and prior to acceptance, all as specified in DOC 10.10. rotection
Control objective: to protect the integrity of software and information
Detection, prevention and recovery controls to protect against malicious code and appropriate user awareness procedures have been implemented
The execution of mobile code is prohibited in the Trust Centre
Control objective: to maintain the integrity and availability of information and information processing facilities
Back-up copies of information and software are taken and tested regularly in accordance with the agreed back-up policy below
Control objective: to ensure the safeguarding of information in networks and the protection of the supporting infrastructure
Networks are managed and controlled as set out in DOC 10.14, in order to be protected from threats, and to maintain security for the systems and applications using the network, including information in transit
Security features, service levels and management requirements of all network services have been identified and included in the network service level agreement and are managed in line with DOC 10.14.
Control objective: to prevent the unauthorized disclosure, modification, removal or destruction of assets and interruption to business activities
Media are disposed of securely and safely when no longer required, in line with DOC 9.11. [32]
Procedures for the handling and storage of information are set out in DOC 7.6 [32] and DOC 10.15 to protect this information from unauthorized disclosure or misuse
System documentation is protected against unauthorized access, as set out in DOC 10.15.
Control objective: to maintain the security of information exchanged within an organization and with any external entity
Formal exchange policies, procedures and controls are in place to protect the exchange of information through the use of all types of communication facilities
Agreements are established in line with DOC 6.8 [32] for the exchange of information and software between the Organization and external parties
DOC 9.12 [32] sets out how the Organization ensures that media are protected against unauthorized access, misuse or corruption during transportation beyond the Organization physical boundaries
Messaging is outbound only and no inbound email system exists within the CIO Trust Centre
A policy and procedures have been developed and implemented to protect information associated with the interconnection of business information systems.
Control objective: to ensure the security of electronic commerce services, and their secure use
Electronic commerce information passing over public networks is protected from fraudulent activity, contract dispute, and unauthorized disclosure and modification as set out in DOC 10.17.
Information involved in on-line transactions is protected in line with DOC 10.17 to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized message duplication or replay
The integrity of information being made available on a publicly available system is protected in DOC 10.17 to prevent unauthorized modification
Control objective: to detect unauthorized information processing activities
Audit logs recording user activities, exceptions and information security events are produced and kept, in line with DOC 10.18, for a period specified in DOC 15.2 [32] to assist in future investigations and access control monitoring
Procedures for monitoring use of information processing facilities have been established in DOC 10.18 and the results of the monitoring activities are reviewed [regularly]
Logging facilities and log information are protected against tampering and unauthorized access, as required by DOC 10.18
System administrator and system operator activities are logged as required by DOC 10.18
Faults are logged, analysed and appropriate action taken, all in line with DOC 10.18
The clocks of all relevant information processing systems within the organisation are synchronized with an agreed accurate time source as specified in DOC 10.18.
Adlin Hisyamuddin
Information Security Manager
____________________________
On:
08 November, 2007
____________________________
Change history
Issue 1 08 November, 2007 Initial issue
Control objective: to control access to information
[29]
An access control policy has been established, documented in DOC 11.1, and is reviewed when required in the light of business and security needs. In addition, as the Trust Centre protects National Assets, the following are the physical procedures that must be followed every time the Trust Centre in the National Smart Card Centre in Isa Town is accessed.
Administration Area
When access is required to the Administration Area of the Trust Centre, any two of following five members are required in addition to one of the Police Officers, tasked by Mohammed Hamdan Mohammed, to guard the Trust Centre must supervise their entry, and wait in attendance directly outside the door of the Administration Area until all the people that entered, exit at the same time. No one is ever permitted to enter the Trust Centre Administration Area alone, under any conditions. And no one is permitted to remain in the Trust Centre Administration Area unaccompanied by one of the following personnel:
If any of the above personnel are absent they can be represented/replaced by the Director General of IT, or the President of the CIO.
Outer Core
When access is required to the Outer Core Area of the Trust Centre, all three of following members are required in addition to one of the Police Officers, tasked by Mohammed Hamdan Mohammed, to guard the Trust Centre must supervise their entry, and wait in attendance directly outside the door of the Outer Area until all the people that entered, exit at the same time. No one is ever permitted to enter the Trust Centre Administration Area alone, under any conditions. And no one is permitted to remain in the Trust Centre Outer Core Area unaccompanied by all of the following personnel:
If any of the above personnel are absent they can be represented/replaced by the Director General of IT, or the President of the CIO.
Inner Core
When access is required to the Inner Core Area of the Trust Centre, all three of following members are required in addition to one of the Police Officers, tasked by Mohammed Hamdan Mohammed, to guard the Trust Centre must supervise their entry, and wait in attendance directly outside the door of the Outer Area until all the people that entered, exit at the same time. No one is ever permitted to enter the Trust Centre Administration Area alone, under any conditions. And no one is permitted to remain in the Trust Centre Inner Core Area unaccompanied by all of the following personnel:
If any of the above personnel are absent they can be represented/replaced by the Director General of IT, or the President of the CIO.
Setting Access Control on the Idendix System
Access to all areas of the Trust Centre is controlled by the Identix biometric locking system on all of the doors. The system is configured according to the policy set out in sub section 11.1 above. Only two people have the username and password to access this system:
The Identix control system is located in the Administration Area of the Trust Centre and as no one can access this area alone, both people will be monitored by one of the other personnel with access rights to the Administration Area. A change log must be signed by the Director General of IT or the President of the CIO to change the access configuration for any of the doors in the Trust Centre.
No changes to this system are permitted without this change control document signed by the Director General of IT or the President of the CIO.
In addition, as part of the monthly controls checking procedure, the Information Security Manager will check the los on the Identix system, print out these logs and sign them to demonstrate that no unauthorised changes have occurred without authorisation.
Control objective: to ensure authorized users’ access and to prevent unauthorised access to information systems
The allocation and use of privileges is restricted and controlled in DOC 11.3
The allocation of passwords is controlled through a formal management process as set out in DOC 11.3
Management reviews users’ access rights at regular intervals using the formal process as set out in DOC 11.3
Control objective: to prevent unauthorized user access, and compromise or theft of information and information processing facilities
Users are required (in their User Agreements DOC 11.4) to follow good security practices in the selection and use of passwords
Users are required (in their User Agreements DOC 11.4) to ensure that unattended equipment has appropriate protection
The Organisation has adopted a clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities and the requirement for compliance [3] with this policy is set out in DOC 11.4.
Control objective: to prevent unauthorized access to networked services
DOC 11.8 sets out the authentication methods that are used to control access by remote users.
Automatic equipment identification is used as set out in DOC 11.8 as a means to authenticate connections from specific locations and equipment
Physical and logical access to diagnostic and configuration ports is controlled as required by DOC 11.8.
Groups of information services, users and information systems are segregated in the network(s) in line with the requirements of DOC 11.7 and 11.8
The Organization has a single shared network which extends across the organizational boundaries; the Organization restricts the capability of users to connect to the network, in line with the access control policy (DOC 11.1) and requirements of the business applications and as set out in DOC 11.8.
Routing controls have been implemented in line with DOC 11.8 for the Organization networks to ensure that computer connections and information flows do not breach the Organization access control policy as applied to the business applications
Control objective: to prevent unauthorized access to operating systems
Access to information systems is controlled by the secure log-on procedure set out in DOC 11.9
All users have a unique identifier (user ID) for their personal and sole use, issued in line with the requirements of DOC 11.3, and [a suitable authentication technique] has been chosen to substantiate the claimed identity of a user
The password management system set out in DOC 11.3 ensures quality passwords
The use of utility programs that might be capable of overriding system and application controls is restricted and controlled as specified in DOC 11.10.
Inactive sessions are shut down in accordance with DOC 11.9 after a defined period of inactivity
Restrictions on connection times are used to provide additional security for high-risk applications, as specified in DOC 11.8.
Control objective: to prevent unauthorized access to information held in application systems
Access to information and application system functions by users and support personnel is restricted in DOC 11.2 in accordance with the access control policy in DOC 11.1
Sensitive systems have a dedicated (isolated) computing environment as provided in DOC 11.9
Control objective: to ensure information security when using mobile computing and teleworking facilities
A formal policy is in place and appropriate security measures have been adopted to protect against the risks of using mobile computing and communication facilities
Is not permitted in the Trust Centre.
Adlin Hisyamuddin
Information Security Manager
____________________________
On:
08 November, 2007
____________________________
Change history
Issue 1 08 November, 2007 Initial issue
Information Systems Acquisition, Development & Maintenance
Control objective: to ensure that security is an integral party of information systems
[29]
Control objective: to prevent errors, loss, unauthorized modification or misuse of information in applications
Data input to applications is provided from an external source and the responsibility of its accuracy is outside this ISMS.
Validation checks are incorporated into applications to detect any corruption of information through processing errors or deliberate acts.
Requirements for ensuring authenticity and protecting message integrity in applications have been identified, and appropriate controls identified and implemented
Data output from an application is validated to ensure that the processing of stored information is correct and appropriate to the circumstances
Control objective: to protect the confidentiality, authenticity or integrity of information by cryptographic means
The Organisation has a policy on its use of cryptographic controls for protection of its information, as set out below
Key management, as documented in DOC 12.2, supports the Organization use of cryptographic techniques
Control objective: to ensure the security of system files
The installation of software on operational systems is controlled by DOC 12.3
Test data is selected, protected and controlled in line with DOC 10.10 [32].
Access to program source code is restricted in line with DOC 10.15 [32]
Control objective: to maintain the security of application system software and information
The implementation of changes is controlled by the use of the formal change control procedures set out in DOC 10.7.
When operating systems are changed, business critical applications are reviewed and tested in line with DOC 10.10 [32] to ensure there is no adverse impact on organisational operations or security.
The Organisation does not seek bespoke modifications to commercial software packages.
Controls are applied to limit the opportunities for information leakage
The Organization does not outsource software development
Control objective: to prevent the damage resulting from exploitation of published technical vulnerabilities
Adlin Hisyamuddin
Information Security Manager
____________________________
On:
08 November, 2007
____________________________
Change history
Issue 1 08 November, 2007 Initial issue
Control objective: to ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken.
[29]
Information security events must be reported to the Information Security Manager as quickly as possible, as set out in DOC 13.1
All employees, contractors and third party users of information systems and services are required by DOC 13.1 to note and report to the Information Security Manager any actual or suspected weaknesses in Organizational systems or services
Control objective: to ensure a consistent and effective approach is applied to the management of information security incidents
Management responsibilities and procedures have been established in DOC 13.2 to ensure a quick, effective and orderly response to information security incidents that ensures appropriate corrective or preventative actions, restores normal operations as quickly as possible, and ensures that improvement opportunities are identified and acted upon.
DOC 13.2 requires the Information Security Manager to quantify and monitor the types, volumes and costs of information security incidents.
In all information security incidents, irrespective of whether or not a follow-up action against a person or organization involves legal action (either civil or criminal), evidence is collected, retained and presented as set out in DOC 13.5 to conform to the rules for evidence laid down in the laws of the Kingdom of Bahrain.
Adlin Hisyamuddin
Information Security Manager
____________________________
On:
08 November, 2007
____________________________
Change history
Issue 1 08 November, 2007 Initial issue
[29]
Control objective: to counteract interruptions to business activities, to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption
Events that can cause interruptions to business processes are identified as set out in DOC 14.2, along with the probability and impact of such interruptions, and the risk assessment process (DOC 4.4 [32]) is extended to apply to business continuity risks. These risk assessments drive the business continuity planning framework (DOC 14.3)
The Organisation’s Business Continuity Plan is developed in line with DOC 14.1 and is set out in DOC 14.3. It enables the Organisation to maintain or restore operations and ensure availability of information at the required level and in the required time scales following interruption to, or failure of, critical business processes
A single framework (as described in DOC 14.1) of business continuity plans is maintained to ensure that the plan and all its sub-plans are consistent, to consistently address information security requirements, and to identify priorities for testing and maintenance
Business continuity plans are tested and updated regularly, in line with the requirements of DOC 14.4, to ensure that they are up to date and effective
Shaikh Salman Mohammed Al-Khalifa Mohammed Al-Amer
Director General of IT President of CIO
____________________________ _______________________________
On:
08 November, 2007
____________________________ _______________________________
Change history
Issue 1 08 November, 2007 Initial issue
Control objective: to avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements
[29]
All relevant statutory, regulatory and contractual requirements and the Organization approach to meet these requirements have been explicitly defined, documented and are kept up to date for
each information system and the Organization
Appropriate procedures have been implemented to ensure compliance with legislative, regulatory and contractual requirements on the use of material in respect of which there may be intellectual property rights and on the use of proprietary software products.
The Organization procedure, set out in DOC 15.2 protects important records from loss, destruction and falsification, in accordance with statutory, regulatory, contractual and business requirements
Data protection and privacy are ensured as required and, where applicable, contractual clauses
Users are be deterred from using information processing facilities for unauthorized purposes.
Cryptographic controls are used in compliance with all relevant agreements, laws and regulations, as set out in DOC 12.2 [32].
Control objective: to ensure compliance of systems with organizational security policies and standards [10]
Managers ensure that all documented security procedures and work instructions within their area of responsibility are carried out correctly to achieve compliance with security policies and standards
Information systems are regularly checked for compliance with security implementation standards, and the Organization procedures for managing technical compliance checking are set out in DOC 15.4
Control objective: to maximize the effectiveness of and to minimize interference to/from the information systems audit process
Audit requirements and activities involving checks on operational systems are carefully planned as set out in DOC 15.5 and agreed with appropriate management to minimize the risk of disruptions to business processes.
Access to information systems audit tools are protected as required in DOC 15.5 to prevent any possible misuse or compromise
The Organization’s entire ISMS is within the scope of this procedure.
Responsibilities
All personnel connected with the Trust Centre are responsible for ensuring and checking for procedural compliance.
The Information Security Manager is responsible for planning and commissioning technical compliance checking.
Procedure
Management review [ISO 17799 clause 15.2.1]
Technical Compliance Checking [ISO 17799 clause 15.2.2]
ISO 27001 Auditor
The Organization’s information assets and whole ISMS are within the scope of this procedure.
Responsibilities
The Information Security Manager is responsible for planning systems audit activities. The Information Security Manager is responsible for authorizing audit activity to occur.
Procedure [ISO 17799 clause 15.3.1]
Audit controls
The audit regime and the specific audit requirements will be documented and identified as part of the initial internal audit and will be identified and documented here, once completed. You should refer to the guidance of ISO 17799 clause 15.3.1 in drafting your procedure for this activity.
Adlin Hisyamuddin
Information Security Manager
____________________________
On:
08 November, 2007
____________________________
Change history
Issue 1 08 November, 2007 Initial issue
[29] The Information Security Manager is the Owner of this document and is responsible for ensuring that this policy document is reviewed in line with the review requirements stated above.
A current version of this document is available to all members of staff on request.
This manual was approved by the Board of the CIO Trust Centre on 08 November, 2007 and is issued on a version controlled basis under the signature of the Director General of IT.
Shaikh Salman Mohammed Al-Khalifa Mohammed Al-Amer
Director General of IT President of CIO
____________________________ _______________________________
On:
08 November, 2007 08 November, 2007
____________________________ _______________________________
Adlin Hisyamuddin
Information Security Manager
____________________________
On:
08 November, 2007
____________________________
Change history
Issue 1 08 November, 2007 Initial issue
Issue 2 [issue date]
Issue 3 [issue date]
Issue 4 [issue date]
[29] Operational Roles
Adlin Hisyamuddin
Information Security Manager, Head PKI
+973 1 772-6732
+973 3 986-7661
adlinh@cio.gov.bh [34]
Mubarak Abdulla Alhiddi
CSO/CIO
Ahmed Essa Abualfath
Computer Security Administrator
+973 1 772-6731
+973 3 968-7334
aabualfath@cio.gov.bh [35]
Shaikh Salman Mohammed Al-Khalifa
+973 3 968-9898
smalkhalifa@cio.gov.bh [36]
Khalid Al Othman
Chief, Network
+973 1 772-6325
+973 3 609-9167
osamarf@cio.gov.bh [37]
Khalid Ali Al Jalahma
Network Administrator
+973 1 772-6729
kaljalahma@cio.gov.bh [38]
Mohammed Al-Yassi
Director IT Operations
Sameh Abo-El-Ela
Development Manager
cssoshg@cio.gov.bh [39]
Osama Khalid Rafai
Computer Security Administrator
+973 1 772-6325
+973 36099167
osamarf@cio.gov.bh [37]
Hesham Al-Ghatam
Chief, Personnel & Admin’ Development
+973 1 787-8177
alghatamhe@cio.gov.bh [40]
Asset Purchase
Khulood Al-Jassim
Supervisor Administration Service
+973 1 772-6760
aljassimk@cio.gov.bh [41]
Adel Khalifa Bu-Alai
Chief of Police in Juffair
+973 3 981-1055
Mohammed Hamdan Mohammed
Chief of Police in Isa Town
+973 3 980-8096
Operational Controlling Roles
Shaikh Salman Mohammed Al-Khalifa
+973 3 968-9898
smalkhalifa@cio.gov.bh [36]
Mohammed Al-Amer
President of CIO
+973 1 787-8101
+973 3 967-2222
malamer@cio.gov.bh [42]
Shaikh Salman Mohammed Al-Khalifa
+973 3 968-9898
smalkhalifa@cio.gov.bh [36]
Mubarak Abdulla Alhiddi
CSO/CIO
Khalid Al Othman
Chief, Network
+973 1 772-6767
alothmank@cio.gov.bh [43]
Khalid Ali Al Jalahma
Network Administrator
+973 1 772-6729
kaljalahma@cio.gov.bh [38]
Adlin Hisyamuddin
Information Security Manager
+973 1 772-6732
+973 3 986-7661
adlinh@cio.gov.bh [34]
Ahmed Essa Abualfath
Computer Security Administrator
+973 1 772-6731
+973 3 968-7334
aabualfath@cio.gov.bh [35]
Osama Khalid Rafai
Computer Security Administrator
+973 1 772-6325
+973 3 609-9167
osamarf@cio.gov.bh [37]
Khalid Ali Al Jalahma
Network Administrator
+973 1 772-6729
kaljalahma@cio.gov.bh [38]
Saud Abdulaziz Bahzad
Smart Card Support
+973 3 903-3319
soudbah@cio.gov.bh [44]
Sameh Abo-El-Ela
Smart Card Technical
+973 1 772-6704
+973 3 6439376
cssoshg@cio.gov.bh [39]
Isa Town Card Issuer No. 1 - to be selected by Adlin
Isa Town Card Issuer No. 2 - to be selected by Adlin
Key Ceremony Roles
Adlin Hisyamuddin
Information Security Manager, Head PKI
+973 1 772-6732
+973 3 986-7661
adlinh@cio.gov.bh [34]
Osama Khalid Rafai - Computer Security Administrator
+973 1 772-6325
+973 3 609-9167
osamarf@cio.gov.bh [37]
Elham Moh’d Saleh
Director Technical Resources
+973 17878017
elhama@cio.gov.bh [45]
Shaikh Salman Mohammed Al-Khalifa
+973 3 968-9898
smalkhalifa@cio.gov.bh [36]
Mubarak Abdulla Alhiddi
Senior Population Inspector – Supervisor
+973 39655366
monamj@cio.gov.bh [46]
Yousif Abdulla Ashoor
Senior Population Inspector – Clerk
+973 39457566
yashoor@cio.gov.bh [47]
Ahmed Abdulmonem Alshami
Smart Card Support
+973 39537089
alshamyah@cio.gov.bh [48]
Razan Abdulrahman Al Khalifa
Smart Card Support
+973 39456565
razanaak@cio.gov.bh [49]
Shaikh Salman Mohammed Al-Khalifa
+973 3 968-9898
smalkhalifa@cio.gov.bh [36]
Mubarak Abdulla Alhiddi
Ahmed Al Mahmood
Director of Population Registry
+973 39672677
aalmahmood@cio.gov.bh [50]
HSM Configuration Roles
Adlin Hisyamuddin
Information Security Manager, Head PKI
+973 1 772-6732
+973 3 986-7661
adlinh@cio.gov.bh [34]
Osama Khalid Rafai - Computer Security Administrator
+973 1 772-6325
+973 3 609-9167
osamarf@cio.gov.bh [37]
Elham Moh’d Saleh
Director Technical Resources
+973 17878017
elhama@cio.gov.bh [45]
Mubarak Abdulla Alhiddi
Ahmed Al Mahmood
Director of Population Registry
+973 39672677
aalmahmood@cio.gov.bh [50]
Adlin Hisyamuddin
Information Security Manager
____________________________
On:
08 November, 2007
____________________________
Change history
Issue 1 08 November, 2007 Initial issue
[29] |
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||||||
13/12/2006 |
|
Safe |
Chubb |
Europe |
SN |
PKI DC |
|
5000 |
|
OWI |
20/12/2006 |
|
HSM |
nCipher |
netHSM |
|
PKI DC |
|
11000 |
|
OWI |
30/9/2007 |
|
HSM |
nCipher |
netHSM |
|
PKI DC |
|
11000 |
|
OWI |
14/1/2007 |
|
Server |
UK |
APW |
|
PKI DC |
|
1238 |
|
OWI |
01/01/2005 |
|
2 |
|
|
|
PKI DC |
|
|
|
OWI |
01/01/2005 |
|
|
Somke |
Fire |
NA |
PKI DC |
|
120 |
|
OWI due |
01/01/2005 |
|
Fire |
Fike |
FM 200 |
341861.2 |
PKI DC |
|
15000 |
|
OWI due |
01/01/2005 |
|
Air |
Clivet |
VR-DX |
|
PKI DC |
|
20000 |
|
OWI due |
01/12/2006 |
|
Backup |
YOKO |
|
HKA |
PKI DC |
|
300 |
|
OWI due |
01/01/2005 |
|
Light |
|
|
|
PKI DC |
|
|
|
OWI |
01/12/2006 |
|
Door |
Alpro |
NA |
NA |
PKI DC |
|
2000 |
|
OWI due |
13/12/2006 |
|
Door |
Trimec |
TS2001 |
NA |
PKI DC |
|
456 |
|
OWI due |
|
|
||||||||||
08/01/2007 |
|
Server |
Dell |
PE2950 |
CBXGK2J |
PKI DC |
|
1814 |
|
OWI |
08/01/2007 |
|
Server |
Dell |
PE2950 |
9WCHK2J |
PKI DC |
|
1814 |
|
OWI |
08/01/2007 |
|
Server |
HP |
|
|
PKI DC |
|
1814 |
|
OWI |
08/01/2007 |
|
Server |
HP |
|
|
PKI DC |
|
1814 |
|
OWI |
13/12/2006 |
|
Switch |
Cisco |
|
|
PKI DC |
|
817 |
|
OWI |
13/12/2006 |
|
|
|
X505 |
|
PKI DC |
|
13973 |
|
OWI |
|
|
KBM |
N/C |
N/C |
N/C |
N/C |
N/C |
N/C |
N/C |
N/C |
|
|
KBM |
N/C |
N/C |
N/C |
N/C |
N/C |
N/C |
N/C |
N/C |
01/01/2005 |
|
2 |
|
|
|
PKI DC |
|
|
|
OWI |
01/01/2005 |
|
2 |
|
|
|
PKI DC |
|
|
|
OWI |
01/01/2005 |
|
2 |
|
|
|
PKI DC |
|
|
|
OWI |
13/12/2006 |
|
Server |
UK |
APW |
47170 |
PKI DC |
|
1238 |
|
OWI |
13/12/2006 |
|
Server |
UK |
APW |
47166 |
PKI DC |
|
1238 |
|
OWI |
01/01/2005 |
|
Fire |
Fike |
FM 200 |
341861.2 |
PKI DC |
|
15000 |
|
|
01/01/2005 |
|
|
Somke |
Fire |
NA |
PKI DC |
|
15000 |
N/C |
N/C |
13/12/2006 |
|
Motion |
Texecom |
Mirage |
NA |
PKI DC |
|
33 |
|
|
01/01/2005 |
|
Light |
|
|
|
PKI DC |
|
|
|
OWI |
01/01/2005 |
|
Air |
Clivet |
VR-DX |
|
PKI DC |
|
20000 |
|
|
01/01/2005 |
|
Backup |
YOKO |
|
HKA |
PKI DC |
|
300 |
|
|
13/12/2006 |
|
CCTV |
|
|
63121040 |
PKI DC |
|
285 |
|
|
13/12/2006 |
|
Door |
Alpro |
NA |
NA |
PKI DC |
|
2000 |
|
|
13/12/2006 |
|
Door |
Trimec |
TS2001 |
0 |
PKI DC |
|
456 |
|
|
|
|
||||||||||
13/12/2006 |
|
Access |
Identix |
V20 UA |
390600348 |
PKI DC |
|
2520 |
|
|
13/12/2006 |
|
Access |
Identix |
V20 UA |
30700024 |
PKI DC |
|
2520 |
|
|
13/12/2006 |
|
Access |
Identix |
V20 UA |
500303254 |
PKI DC |
|
2520 |
|
|
13/12/2006 |
|
DVR |
|
|
61210298 |
PKI DC |
|
477 |
|
|
01/12/2006 |
|
Remote |
|
|
|
PKI DC |
|
25 |
|
|
13/12/2006 |
|
Monitor |
|
|
6300145 |
PKI DC |
|
117 |
|
OWI |
01/12/2006 |
|
Coaxial |
|
|
|
PKI DC |
|
|
|
OWI |
13/12/2006 |
|
PC |
Acer |
Veriton |
|
PKI DC |
|
405 |
|
OWI |
00/01/1900 |
|
|
Acer |
|
|
PKI DC |
|
35 |
|
OWI |
00/01/1900 |
|
Mouse |
Acer |
Mouse |
|
PKI DC |
|
10 |
|
OWI |
13/12/2006 |
|
Monitor |
Acer |
AC713B |
|
PKI DC |
|
125 |
|
OWI |
13/12/2006 |
|
Switch |
SMC |
|
|
PKI DC |
|
|
|
OWI |
13/12/2006 |
|
Door |
Trimec |
TS2001 |
NA |
PKI DC |
|
456 |
|
|
13/12/2006 |
|
Exit |
ALPRO |
NA |
NA |
PKI DC |
|
88 |
|
|
13/12/2006 |
|
Power |
|
12V 5 |
NA |
PKI DC |
|
116 |
|
OWI |
13/12/2006 |
|
Alarm |
Veritas |
Excel |
NA |
PKI DC |
|
74 |
|
|
13/12/2006 |
|
LCD |
Texecom |
Premier |
NA |
PKI DC |
|
50 |
|
|
13/12/2006 |
|
Dialer |
Texecom |
Speech |
NA |
PKI DC |
|
63 |
|
|
13/12/2006 |
|
Siren |
Texecom |
Odyssey |
NA |
PKI DC |
|
18 |
|
|
13/12/2006 |
|
CCTV |
|
|
63121034 |
PKI DC |
|
285 |
|
|
14/12/2006 |
|
Fully |
|
|
|
PKI DC |
|
|
|
|
13/12/2006 |
|
Access |
Identix |
V20 UA |
|
PKI DC |
|
2520 |
|
|
13/12/2006 |
|
|
Khind |
EM2004G |
|
|
|
|
|
|
|
|
||||||||||
13/12/2006 |
|
Server |
UK |
APW |
0 |
Juffair |
|
1238 |
|
OWI |
08/01/2007 |
|
Server |
Dell |
PE2950 |
41WHK2J |
Juffair |
|
1814 |
|
OWI |
|
08/01/2007 |
||||||||||
13/12/2006 |
|
Switch |
Cisco |
|
|
Juffair |
|
817 |
|
OWI |
13/12/2006 |
|
|
|
X505 |
|
Juffair |
|
13973 |
|
OWI |
|
|
KBM |
|
|
|
Juffair |
|
|
|
OWI |
|
|
KBM |
|
|
|
Juffair |
|
|
|
OWI |
01/01/2005 |
|
Network |
|
|
|
Juffair |
|
|
|
OWI |
01/01/2005 |
|
Fire |
EMI |
AFA |
NA |
Juffair |
|
|
|
|
01/01/2005 |
|
|
EMI |
Fire |
NA |
Juffair |
|
|
|
|
01/01/2005 |
|
Light |
|
|
|
Juffair |
|
|
|
|
01/01/2005 |
|
Air |
Denco |
DM5 |
NA |
Juffair |
|
|
|
|
01/01/2005 |
|
Backup |
Pearl |
|
800390 |
Juffair |
|
|
|
|
The Information Security Manager is the owner of this document and is responsible for ensuring that it is maintained by the relationship owners
This document was issued by the Information Security Manager on 08 November, 2007 and is issued on a version controlled basis.
Adlin Hisyamuddin
Information Security Manager
____________________________
On:
08 November, 2007
____________________________
Change history
Issue 1 08 November, 2007 Initial issue
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||||||
14/01/2007 |
|
OS |
Microsoft |
Windows Server 2003 |
1 |
PKI DC |
|
|
|
|
20/09/2007 |
|
OS |
RedHat |
Enterprise Linux 5 |
3 |
PKI DC |
|
|
|
|
07/10/2007 |
|
Digi-CA™ |
Digi-Sign |
Xp |
1 |
PKI DC |
|
97,000 |
|
|
|
|
||||||||||
14/01/2007 |
|
Access Control |
Identix |
4.6.1.0 |
1 |
PKI DC |
|
|
|
|
14/01/2007 |
|
CCTV control |
Infinova |
V.1.00.09 |
1 |
PKI DC |
|
|
|
|
14/01/2007 |
|
OS |
Microsoft |
XP Pro |
1 |
PKI DC |
|
|
|
|
15/01/2007 |
|
AntiVirus |
Trend Micro |
OfficeScan 8.0 |
1 |
PKI DC |
|
|
|
|
|
|
||||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||||||
20/09/2007 |
|
OS |
RedHat |
Enterprise Linux 5 |
2 |
PKI DC |
|
|
|
|
|
|
SMTP |
Microsoft |
Exchange 2003 |
1 |
Juffair |
|
|
|
|
|
|
DNS (*.gov.bh) |
RedHat |
Enterprise Linux 4 |
1 |
Juffair |
|
|
|
|
|
|
DNS (*.gdn) |
Microsoft |
Windows Server 2003 |
1 |
Juffair |
|
|
|
|
The Information Security Manager is the owner of this document and is responsible for ensuring that it is maintained by the relationship owners
This document was issued by the [Information Security Manager] on [date] and is issued on a version controlled basis.
Adlin Hisyamuddin
Information Security Manager
____________________________
On:
08 November, 2007
____________________________
Change history
Issue 1 08 November, 2007 Initial issue
|
|
|
|
|
|
|
|
|
|
|
|
|
|||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The [Information Security Manager] is the owner of this document and is responsible for ensuring that it is maintained by the relationship owners
This document was issued by the [Information Security Manager] on [date] and is issued on a version controlled basis.
Signature: Date:
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The [Information Security Manager] is the owner of this document and is responsible for ensuring that it is maintained by the relationship Owners
This document was issued by the [Information Security Manager] on [date] and is issued on a version controlled basis.
Adlin Hisyamuddin
Information Security Manager
____________________________
On:
08 November, 2007
____________________________
Change history
Issue 1 08 November, 2007 Initial issue
External Parties: Information Security Procedure
According to DOC 6.8 [32] / DOC 6.8 [32] of this Manual, the Organization maintains the security of its information processing facilities and information assets in relation to external parties. All external parties who need to access any Organizational information assets are subject to this procedure. The Organization has (or may have) external party agreements with the following categories of organizations, all of whom are covered by this procedure; risks may be assessed for external parties as individual organizations or as categories, depending on the level of risk involved:
a) Service providers
b) Managed security services
c) Customers
d) Outsourcing suppliers (facilities, operations, IT systems, data collection, call centres, others)
e) Consultants and auditors
f) Developers and suppliers of IT systems and services
g) Cleaning, catering and other outsourced support services
h) Temporary personnel, placement and other (casual) short-term appointments
a) The information processing facilities and information assets the external party will access;
b) The type of access the third party will have – physical access and/or logical access (identifying the assets that will be accessed), whether the access is taking place on-site or off-site and the exact location from which access will be made;
c) The value and classification (see sub section 7.2 [32] of the Manual) of the information that will be accessed;
d) The information assets that the external party are not intended to access and which may required additional controls to secure;
e) The external party’s personnel (see sub section 8.1 [32] of the Manual), including their contractors and partners, who will or might be involved;
f) How external party personnel are to be authenticated (see Section 11 [32] of the Manual);
g) How the external party will process, communicate and store information;
h) The impact to the external party of access not being available when required, or of inaccurate or misleading information being entered, received or shared;
i) How the Organization’s information security incident management procedure (see Section 13 [32] of the Manual) will be extended to incorporate information security incidents involving the external party;
j) Any legal, regulatory or other contractual issues that should be taken into account with respect to the external party;
k) How the interests of other stakeholders might be affected by any decisions.
a) The information security policy (sub section 5.1.1 of the Manual);
b) The controls identified as required through the risk assessment process (see 4 [32]), which may include procedures and technical controls;
c) A clear definition and/or description of the product or service to be provided, and a description of information (including its classification) to be made available;
d) Requirements for user and administrator education, training and awareness (see sub section 8.2.2 [32] of the Manual);
e) Provisions for personnel transfer;
f) Description of responsibilities regarding software and hardware installation, maintenance and de-commissioning;
g) Clearly defined reporting process, reporting structure, reporting formats, escalation procedures and the requirement for the external party to adequately resource the compliance [3], monitoring and reporting activities;
h) A specified change management process (see sub section 10.1.2 [32] in the Manual);
i) Physical controls, including secure perimeters (see Section 9 [32] of the Manual);
j) Controls against malware (see sub section 10.4 [32] of the Manual);
k) Access control policy (see Section 11 [32] of the Manual);
l) Information security incident management (see Section 13 [32] of the Manual) and agreement violation management procedures;
m) The target level for service and security, unacceptable service and security levels, definition of verifiable performance and security criteria, monitoring and reporting;
n) The right to monitor and audit performance (including of the third party’s processes for change management, vulnerability identification and information security incident management), to revoke activities, and to use external auditors;
o) Service continuity requirements;
p) Liabilities on both sides, legal responsibilities and how legal responsibilities (including data protection and privacy) are to be met;
q) The protection of IPR and copyright;
r) Controls over any allowed sub-contractors;
s) Conditions for termination/re-negotiation of agreements, including contingency plans.
The Information Security Manager is the owner of this document and is responsible for ensuring that this procedure is reviewed in line with the review requirements of the ISMS.
A current version of this document is available to PKI team members of staff on the corporate intranet.
This procedure was approved by the Information Security Manager on 08 November, 2007 and is issued on a version controlled basis under his signature
Adlin Hisyamuddin
Information Security Manager
____________________________
On:
08 November, 2007
____________________________
Change history
Issue 1 08 November, 2007 Initial issue
[29] Scope:
The purpose of this document is to provide full Operating Work Instructions for the use, maintenance and support of the HSM in place at CIO
Responsibility & Asset Ownership:
[Please Indicate – probably Information Security Manager] is responsible for ensuring that this OWI is fully implemented and regularly updated to reflect any changes in the environment at CIO. As per the asset list the {Indicate – probably Information Security Manager] is the owner of the assets covered in this OWI.
Details of the Operating Work Instruction:
The nCipher net HSM is a hardware platform for providing cryptographic services to enhance the security of a variety of applications - from PKI [30] and authentication systems to Web services and SSL protected communications. The net HSM acts as a network-attached resource for secure cryptographic processing, providing an alternative deployment scenario to the traditional approach of dedicated HSMs on individual servers. By allowing multiple servers to securely access a single HSM to perform cryptographic functions, overall equipment costs can be reduced and system management simplified. Whilst dedicated HSMs are appropriate for security applications and servers that demand guaranteed availability and/or processing power, many deployments encompass multiple servers, either in a single site or across a wide
geographic area, where a shareable, network connected HSM is a perfect solution.
The CIO uses the nCipher HSM device (herein referred to as “HSM”) to securely generate and store the private keys for the CAs it operates.
The HSM device has been designed to remove any daily administration responsibilities from the administering users. The daily administration duties of the HSM device are reduced to a minimum and are internally performed by a self automated system management control mechanisms, that reside inside the HSM device. On a scheduled basis, CIO users appointed as administrators of the HSM device, are required to inspect the HSM operations by checking the log report accessible on the front panel screen of the HSM device.
The daily operating duties of the HSM are limited to the cryptographic signing operations and on periodic basis, the HSM device may be used by the CIO to generate fresh cryptographic keys when a new CA [4] is created. In the event of a new CA creation, the generation of new private keys is performed in a secure environment, video recorded, documented, witnessed and notarized thus assuring, that highest security is in place.
The device has a text based interface provided through the flat screen residing on the front panel of the HSM device.
All features and functionalities provided by the HSM device are documented and described in the hardware installation, administration and operation manuals available to CIO personnel.
Since this is a hardware device, no maintenance is required to keep the device in an ongoing operational state. The supplied hardware documentation available to CIO personnel describes all features and functionalities provided by the HSM device, including installation guides, configuration instructions and error correction.
The HSM device is located in the CIO’s highly secured data centre: ISA Town, which has two independent power supply sources, one from an external power supplier and the second from the CIO’s internal power generator. The power provided to the HSM device is isolated from other power segments inside the data centre building, thus meeting the independency and failover requirements in the event of any power failure or circuit overload.
The HSM deployment architecture includes a multi two HSM devices configured for High Availability. This mechanism balances the usage of network and hardware resources between two HSM devices and thus provides greater system performance and fail over support. The diagram below illustrates the current CIO’s deployment architecture of the Digi-CA™ [2] PKI System, with which the two HSM devices have been configured for operation:
Both HSM devices are placed in a dedicated, CISCO firewall/switch protected network segment. The CA core network in ISA Town, to which the HSMs are connected, is isolated from other corporate networks inside CIO and physical access to the Inner and Outer Core rooms as presented on the above diagram, is strictly protected with biometric devices and video camera monitoring performed 24 hours per day throughout the entire year.
The HSM devices, which are located in the Inner Core room inside the ISA Town Data Centre building, are the central cryptographic operation processing units for the CA System deployed inside CIO. Each HSM is connected to a dedicated back-end server hosting the relevant CA System components and both of the back-end servers have been configured for High Availability and provide a failover mechanism to the operation of CA System. The HSM provides the following main functionalities:
Each of the above functionalities is documented in the hardware manual available to CIO administering and operating personnel.
The installation and configuration of the HSM devices inside the CIO has been completed with the accordance to the hardware installation manual available to the CIO personnel. The manual provides a step by step instruction set allowing the administering users to correctly install and configure an HSM device. Upon successful installation of each device, a manual device operation check was run by the administering user to ensure the device has been installed and configured correctly and is up and running. For this purpose, a HSM support toolkit provided by the device vendor was used. Before the system was switched into a production environment, a set of test private keys was generated to ensure the HSMs are operating correctly. After each test, the HSM log was inspected to verify whether each operation was accomplished correctly.
The set of testing operations for CA AMC included:
All operations have been performed with the accordance to the hardware administration and operation manual available to CIO personnel.
CIO expects Digi-CA™ HSM to store up to 100 private keys of either 1024 bits, 2048 bits or 4096 bits size and sign around 100 000 Digital Certificates [14] in total, provided the current deployment architecture and allocated hardware capacity for the CA System. The maximum number of digital certificates issued per day will not reach 10 000. The CA System deployment architecture is expected to support 24/7/365 availability and currently there is no requirement for CIO to have an online disaster recovery centre. In an event of an irrecoverable major system or hardware failure, all disaster recovery activities will be carried out manually by the CIO appointed administering personnel, by recreating the CA System environment or loading configuration to a HSM device from backup resources. The above performance requirements have been measured, confirmed and tested by the CA System software and HSM hardware vendors and they meet the CIO requirements stated above.
The HSM device provides extended system operation control mechanisms, that automatically raise an alert when a critical exception error is encountered during the operations of the device. The alert is immediately logged in the HSM log. The HSM log is accessible to CIO appointed administering users from the flat screen residing on the front panel of the device or from the operating system command prompt of the server connecting to the HSM device. All exception error log entries are reported by HSM device using a unique error number and associated descriptive text, that informs the inspecting user about the type of the error and why it was generated. This architecture provides CIO administering users with an easy mechanism for identifying the source for the error and allows immediate correction of the problem. For irrecoverable or unidentified errors, CIO administering users should contact the hardware vendor to obtain further assistance.
The HSM administering users should perform regular inspections of HSM log to verify the correctness of its operations.
To ensure, that HSM devices are not vulnerable to any attacks or exploits, CIO appointed administering personnel should perform a weekly CA System network scans searching for possible new vulnerabilities.
The CISO network devices used inside the CA System network, such as firewalls and switches are equipped with network Intrusion Detection Systems [IDS], which constantly monitor all network traffic within the CA System network and immediately alert all administering users in an event of an intrusion attempt. These devices are configured by default to automatically disable any connectivity for a potential attacker. Administering users should additionally analyze the IDS reports on a weekly basis to attempt to identify any suspicious communication directed to any of the CA System Services or HSM devices.
Physical access to the CA System core location, where HSM devices are placed, should be protected with biometrics and should be divided into multiple access points excluding the existence of a single access point. CIO has assigned its secure Data Centre in ISA Town to install both HSM devices. This location provide security guarding of the building entrance, camera monitoring of entire building, biometric access to Data Centre IT operations rooms and book logging for all entries and exists.
Network access to the CA System, where HSM devices reside, is divided into two general segments: public and private. While the public segment can be accessed by any one through Internet, private segment is strictly secured for internal communications only and disabled for external access. In the CIO deployment architecture of the CA System, public access is allowed only to the Services located in the Juffair Data Centre building and it includes RA Registration Service, Time-Stamping [17] Service and OCSP [16] Service. The HSM devices are accessible only to the CSP Service installed on two dedicated back-end servers residing in the Outer Core room inside the ISA Town Data Centre building. For authentication purposes, hardware cryptographic devices are installed on each of the back-end servers to ensure that no other server can connect to any of the HSM devices. All communication to the HSM devices is encrypted using strong cryptography standards and a cryptographic authentication mechanisms are in place to ensure that only authorized Services can access the HSM device resources.
The HSM devices use industry standard cryptography, encryption mechanisms and hardware cryptographic devices for secure communications, such as AES encryption and nCipher nToken PCI devices, therefore ensuring, that no man-in-the-middle attack can succeed and no unauthorized party can obtain sensitive data or spoof the identity of the accessing Service. The operating core of the CA System, where HSMs are located, is isolated from any external networks such as Extranets or Internet and access to HSM devices is only possible after successful authentication using strong cryptographic mechanisms. Leaving the devices with no write-access from Internet or any external networks, makes enough protected against unwanted application and computer viruses circling throughout the Internet. The physical and network isolation of the HSM devices along with strict network access control policies in place, significantly reduce the possibility of an injection of a computer virus or an application commonly referred to as a Trojan Horse. Given the architecture of the device, it is not possible to inject any third party application code without prior cryptographic authentication to the device.
The CIO currently does not require an online disaster recovery solution and relies on multi service High Availability configuration of the CA System and failover configuration of two HSM devices. In an event of a failure of one HSM device, a second device will be used instead.
In an event of irrecoverable failure, the HSM devices will either be re-initialized or replaced with new hardware and system environment will be rebuild from scratch and HSM configuration data will be restored from the most recent backup stored on a dedicated backup server. The HSM hardware manual documents the process of hardware installation and CIO administering personnel should refer to the manual for instructions related to hardware installation and recovery from a major HSM failure.
The reinstallation and recovery of the HSM device should take no more than 48 hours. During the outage period Digital Certificates issued by the CA System, which uses the HSM devices, will remain valid and therefore the event will not affect the business continuity of the CIO nor will it cause any damage to End Entities to whom certificates are issued.
The preliminary calculation of device capacity utilization of the was performed by the CIO during the project initialization phase and therefore a sufficient capacity and hardware resources were allocated to the CA System upon installation, allowing the HSM hardware to continue an uninterrupted operations utilizing the necessary capacity for around 100 private keys and signing around 100 000 digital certificates in total. During the maintenance period, CIO appointed administering users will inspect the hardware performance logs once per 6 months and produce a report based on which the CIO will decide whether an additional hardware resource allocation or hardware replacement is required.
The hardware, network and physical location resources dedicated for the CA System have been completely separated by the CIO from any of its other network and application layer segments. Both HSM devices, that the CA System is using, are solely dedicated to the operation of the CA infrastructure and therefore do not interact nor interfere with any other network and software solutions, applications and facilities deployed inside CIO. The operations of the HSM devices does not have any technical impact on any of the areas of the CIO’s daily operations.
Adlin Hisyamuddin
Information Security Manager
____________________________
On:
08 November, 2007
____________________________
Change history
Issue 1 08 November, 2007 Initial issue
Scope:
The purpose of this document is to provide full Operating Work Instructions for the use, maintenance and support of the Digi-Ca in place at CIO
Responsibility & Asset Ownership:
[Please Indicate – probably Information Security Manager] is responsible for ensuring that this OWI is fully implemented and regularly updated to reflect any changes in the environment at CIO. As per the asset list the {Indicate – probably Information Security Manager] is the owner of the assets covered in this OWI.
Details of the Operating Work Instruction:
Digi-CA™ PKI System (herein referred to as: “CA System”) is the complete Certificate Authority [CA] system deployed inside Central Informatics Organization [CIO], which required to have its own CA to provide enhanced communication security and identity assurance to its own organization and to Bahraini Citizens. The CA System issues the Digital Certificates, in conformance with RFC 3280 standard, that are used by the CIO personnel and Bahraini Citizens for two factor authentication, electronic signatures and email protection. The CA System also issues Digital Certificates, that are used by the CIO to introduce client-to-device and device-to-device authentication using public key cryptography.
The CIO uses CA System to create multiple instances of unique CAs in a single CA System installation. The Digi-CA™ model imposes delegation of trust downwards from Root CAs to their Subordinate Certification Authorities [Sub-CAs]. The same installation of Digi-CA™ also enables any of these CAs to be cross signed by an external third party CA and any number of CAs can have any number of cross signed Subordinate CAs. This CA model is a requirement for CIO, which intends to deliver unique CA services to various governmental departments inside the Kingdom of Bahrain and to the Bahraini Citizens.
The daily administration duties of the CA System are reduced to a minimum and are internally performed by a self automated system management control mechanisms, that reside inside the CA System. On a scheduled basis, CIO users appointed as administrators of the CA System, are required to inspect the CA System operations by checking the log report and the service status report, which are both accessed through a web based CA Administration Management Console [CA AMC] or alternatively can be viewed directly from the Operating System command prompt console.
The daily operating duties of the CA System are limited to the issuance, revocation or suspension of Digital Certificates to the requesting entities, Bahraini Citizens, government institutions or CIO personnel. CIO users appointed as Registration Authority [RA] Operators can issue, revoke, suspend and de-suspend digital certificates by accessing a web based RA Management Console [RA MC] GUI.
All features provided by GUI management interfaces of the CA system, such as CA AMC and RA MC consoles, are logically grouped and easy to access upon successful authentication through an intuitive graphical menu. The CIO users appointed as administrators and operators, can easily access relevant console features without having great prior knowledge of PKI technology or CA System architecture.
The software manual provided by the CA System software vendor delivers the necessary documentation needed to administer and operate the CA system. CIO users should refer to this manual to identify the meaning of all CA System and individual console functionalities, the scope of their administering and operating responsibilities as well as deployment and configuration guidelines.
The maintenance of the CA System has been made easy to perform by the software vendor to an extend where a non technical personnel, having basic understanding of the software manual, can perform the necessary activities to correctly maintain the system to allow its uninterrupted operations. Daily duties of CIO users appointed as system administrators have been reduced to weekly inspections of the correct system operations. The necessary administering activities can be performed on a weekly basis by an authenticated personnel only, using a web based CA AMC GUI, through which users can view status reports of various CA System services and inspect the CA System logs to verify the correctness of its operations. All reporting information produced by the CA System provides a unique identifying number for a reported event as well as its intuitive and easy to understand textual description. The log reporting feature introduces different type of log entries, therefore it is easy for the CIO personnel to distinguish log entries between informational messages, critical errors and warning alerts. This enables CIO personnel with the ability to correctly inspect the system operations and troubleshoot any errors encountered during the CA System operations.
The CA System clearly distinguishes the roles and responsibilities of individual users, therefore administering the system is explicitly separated from the operating activities, which do not require from the appointed CIO personnel any technical knowledge related to the CA System administration as well as any knowledge in cryptography or Public Key Infrastructure industry standards. By following processes driven by the CA System, operating users can easily issue, revoke, suspend and de-suspend digital certificates. All administering and operating procedures are clearly documented in the CA System manual provided by the software vendor.
The Digi-CA™ PKI System software suite is a multi application component based PKI system for managing cryptographic keys, Digital [X.509] Certificates and supplemental PKI related services. Each application component (herein referred to as “Service”) provides a series of defined functionalities to other PKI application components of the system, as well as to administering and operating parties, as well as to end entities, to whom certificates are issued. This CA System is built with the following modules:
a. CA Application Server [CA APS]
b. Cryptographic Service Provider [CSP]
c. Time-Stamp Gateway Server [TSA Gateway]
d. Online Certificate Status Protocol Gateway Server [OCSP Gateway]
e. CA Administration Management Console [CA AMC]
f. Registration Authority [RA] Management Console [RA MC]
g. Registration Authority [RA] Registration Service [RA RS]
e. CA Database Server [CA DB]
All of the CA System components are located in the CIO’s highly secured data centres: ISA Town and Juffair, which both have two independent power supply sources, one from an external power supplier and the second from the CIO’s internal power generator. The power provided to the CA System is isolated from other power segments inside the data centre buildings, thus meeting the independency and failover requirements in the event of any power failure or circuit overload.
The CA System deployment architecture includes a multi server Service distribution model for each PKI application component provided by the CA System. This mechanism balances the usage of network and hardware resources between several server devices and thus provides greater system performance and fail over support. The diagram below illustrates the current CIO’s deployment architecture of the Digi-CA™ PKI System:
Each Service of the CA System is placed in a dedicated, CISCO firewall/switch protected network segment. The CA core network in ISA Town is isolated from other corporate networks inside CIO and physical access to the Inner and Outer Core rooms as presented on the above diagram, is strictly protected with biometric devices and video camera monitoring performed 24 hours per day throughout the entire year.
The CA Administration Management Console [CA AMC], which is installed on two dedicated back-end servers located in the Outer Core room inside the ISA Town Data Centre building, is a central CA management panel GUI for CIO users appointed as CA Administrators and CA Operators. The two back-end server hosting the CA AMC has been configured for High Availability and provide a failover mechanism to the operation of CA AMC component. The console provides the following main functionalities:
Each of the above functionalities is documented in the CA System manual available to CIO administering and operating personnel.
The RA Management Console [RA MC], which is installed on a dedicated front-end server located in the Outer Core room inside the ISA Town Data Centre building, is a central RA management panel GUI for CIO users appointed as RA Administrators and RA Operators. The front-end server hosting the RA MC provides the first point of access for the RA Operations Centre, from where RA Administrators and RA Operators can access the console features. This Service has been also installed on two front-end servers, configured for High Availability, located inside the Juffair Data Centre building, to provide – if necessary - a failover support as a second access point for the RA Operations Centre, from where RA Administrators and RA Operators can access the console. The RA MC console provides the following main functionalities:
Each of the above functionalities is documented in the CA System manual available to CIO administering and operating personnel.
The RA Registration Service [RA RS], which is installed on a dedicated front-end server located in the Outer Core room inside the ISA Town Data Centre building, is a central panel GUI for certificate subscribers [End Entities], to whom digital certificates are issued. The front-end server hosting the RA RS provides the first point of access for the RA Operations Centre, from where End Entities can access the Service features. This Service has been also installed on two front-end servers, configured for High Availability, located inside the Juffair Data Centre building, to provide second access point for End Entities, who can access the Service through the Internet. The RA RS console provides the following main functionalities:
Each of the above functionalities is documented in the CA System manual available to CIO administering and operating personnel.
The CA Application Server, which is installed on two dedicated back-end servers located in the Outer Core room inside the ISA Town Data Centre building, is an internal module of the CA system and is self-operated, meaning it does not provide or require any user management or user access functionalities. Only a CIO appointed administering personnel acting as the operating system super user can stop or start this service. The Service is registered by the administering user through the CA AMC. This Service can be accessed only by another CA System Service, that was previously registered within the CA system.
Cryptographic Service Provider is an internal module of the CA system, which is installed on two dedicated back-end servers, configured for High Availability, located in the Outer Core room inside the ISA Town Data Centre building. This Service is self-operated and does not provide or require any user management or user access functionalities. Only a CIO appointed administering personnel acting as the operating system super user can stop or start this Service. The Service is registered with the CA System by administering user through the CA AMC. This Service is not accessible to any user or other Service of the CA System.
Time-Stamp Service Gateway Server is a user accessible Service of the CA System, which is installed on two dedicated front-end servers, configured for High Availability, located in the Juffair Data Centre building. This Service is self-operated and does not provide or require any user management functionalities. It however authenticates, using a username and password, all individual subscribed users being the Citizens of Bahrain or any other Time-Stamping Service subscribed users against the CA Database before access to the Service can be provided to the user. Only a CIO appointed administering user acting as the operating system super user can stop or start this Service. The Service is registered with the CA System by the administering user through the CA AMC. This Service has been designed to be accessed by public Internet community as well as by CIO personnel.
Online Certificate Status Protocol Gateway Server is a user accessible Service of the CA System, which is installed on two dedicated front-end servers, configured for High Availability, located in the Juffair Data Centre building. This Service is self-operated and does not provide or require any user management functionalities. It however provides an open access to end users requiring OCSP service, as defined in the RFC 2560 standard. This Service has been designed to be accessed by public Internet community as well as by CIO personnel.
The CA Database is a SQL based database server, which is installed on two dedicated back-end servers, configured for High Availability, located in the Outer Core room inside the ISA Town Data Centre building. This Service is self-operated and provides the central storage facility for CA System managed data. Access to the CA DB resources is possible only to authenticated Services of the CA System and to the CIO appointed personnel acting as the super user of the operating system, who can access database for low level operations from the operating system command prompt. Each Service or administering user accessing the database resources must pass two factor authentication [13]:
The CA DB does not store any security critical data such as CA or End Entity private cryptographic keys and therefore it is not considered as a critical security point in the overall architecture of the deployed CA System. The CA DB data is backed up regularly on a daily basis and the backup data is automatically stored on a dedicated backup server residing in the ISA Town Data Centre building.
The installation of the CA System inside the CIO has been completed with the accordance to the software installation manual available to the CIO personnel. The manual provides a step by step instruction set allowing the administering users to correctly install and configure each of the CA System Services. Upon successful installation of each Service, a manual Service operation check was run by the administering user to ensure the Service has been installed correctly and is up and running. For this purpose, the Service Status Reporting of the CA AMC was used. Before the system was switched into a production environment, a set of test activities were performed to ensure entire CA System is operating correctly. After each test, the CA System log was inspected to verify whether each operation was accomplished correctly.
The set of testing operations for CA AMC included:
The set of testing operations for RA MC included:
The set of testing operations for RA RS included:
Test set of testing operations for CA APS in combination with Time-Stamping Gateway included:
Test set of testing operations for CA APS in combination with OCSP Gateway included:
All operations have been performed with the accordance to the CA System manual available to CIO personnel.
CIO expects Digi-CA™ System to issue around 100 000 Digital Certificates in total, provided the current deployment architecture and allocated hardware capacity. The maximum number of digital certificates issued per day will not reach 10 000. The CA System deployment architecture is expected to support 24/7/365 availability and currently there is no requirement for CIO to have an online disaster recovery centre. In an event of an irrecoverable major system failure, all disaster recovery activities will be carried out manually by the CIO appointed administering personnel, by recreating the CA System environment from backup resources. The above performance requirements have been measured, confirmed and tested by the CA System software vendor and they meet the CIO requirements stated above.
The CA System provides extended system operation control mechanisms, that automatically raise an alert when a critical exception error is encountered during the operations of any of the system Services. The alert is immediately logged in the CA System log and delivered through an SMTP messaging system to all registered administering users. The CA system log is accessible to CIO appointed administering users from a web based management console [CA AMC] or from the operating system command prompt. All exception error log entries are reported by CA System using a unique error number and associated descriptive text, that informs the inspecting user about the type of the error, the Service that generated it and the line of the application code, at which the error has occurred. This architecture provides CIO administering users with an easy mechanism for identifying the source for the error and allows immediate correction of the problem. For irrecoverable or unidentified errors, CIO administering users should contact the software vendor to obtain further assistance.
The CA System administering users should perform regular inspections of CA System log to verify the correctness of its operations.
To ensure, that CA System Services are not vulnerable to any attacks or exploits, CIO appointed administering personnel should perform a weekly CA System network scans searching for possible new vulnerabilities.
The CISO network devices such used inside the CA System network, such as firewalls and switches are equipped with network Intrusion Detection Systems [IDS], which constantly monitor all network traffic within the CA System network and immediately alert all administering users in an event of an intrusion attempt. These devices are configured by default to automatically disable any connectivity for a potential attacker. Administering users should additionally analyze the IDS reports on a weekly basis to attempt to identify any suspicious communication directed to any of the CA System Services.
Physical access to the CA System core location should be protected with biometrics and should be divided into multiple access points excluding the existence of a single access point. CIO has assigned its secure Data Centre in ISA Town and Juffair to host the CA System. Both locations provide security guarding of the building entrance, camera monitoring of entire building, biometric access to Data Centre IT operations rooms and book logging for all entries and exists.
Network access to the CA System is divided into two general segments: public and private. While the public segment can be accessed by any one through Internet, private segment is strictly secured for internal communications only and disabled for external access. In the CIO deployment architecture of the CA System, public access is allowed only to the Services located in the Juffair Data Centre building and it includes RA Registration Service, Time-Stamping Service and OCSP Service. The remaining Services of the CA System are using strong cryptography standards for encrypting the communication from User-to-Service as well as Service-to-Service and a cryptographic authentication mechanisms are in place to ensure that only authorized identities can access relevant system resources.
The CA System uses industry standard cryptography and encryption mechanisms for secure communications, such as Secure Socket Layer [51] and Transport Layer Security protocols between Service, therefore ensuring, that no man-in-the-middle attack can succeed and no unauthorized party can obtain sensitive data or spoof the identity of the accessing user or device. The operating core of the CA System is isolated from any external networks such as Extranets or Internet and access to individual CA System Services is only possible after successful authentication using strong cryptographic mechanisms, such as SSL Client Authentication. Leaving the system with no write-access to Internet or any external networks, makes enough protected against unwanted application and computer viruses circling throughout the Internet. The physical and network isolation of the CA System along with strict network access control policies in place, significantly reduce the possibility of an injection of a computer virus or an application commonly referred to as a Trojan Horse.
The CIO currently does not require an online disaster recovery solution and relies on multi service High Availability configuration of the CA System. Each of the CA System Services has been distributed to two dedicated servers configured for High Availability to enable support for failover in an event of a failure of one server.
In an event of irrecoverable failure, the CA System will be rebuild from scratch and configuration and database data will be restored from the most recent backup stored on a dedicated backup server. The CA System software manual documents the process of system installation and CIO administering personnel should refer to the manual for instructions related to system installation and recovery from a major system failure.
The reinstallation and recovery of the entire CA System should take no more than 48 hours. During the outage period Digital Certificates issued by the CA System will remain valid and therefore the event will not affect the business continuity of the CIO nor will it cause any damage to End Entities to whom certificates are issued.
The preliminary calculation of drive capacity utilization of the CA System was performed by the CIO during the project initialization phase and therefore a sufficient capacity and hardware resources were allocated to the CA System upon installation, allowing it to continue an uninterrupted operations utilizing the necessary capacity for around 100 000 digital certificates. During the maintenance period, CIO appointed administering users will inspect the utilization process of the drive capacity and hardware resources once per 6 months and produce a report based on which the CIO will decide whether an increase of the drive capacity or additional hardware resource allocation or hardware replacement is required.
The hardware, network and physical location resources dedicated for the CA System has been completely separated by the CIO from any of its other network and application layer segments. All hardware and software components, that the CA System is using, are solely dedicated to its operation and therefore do not interact nor interfere any other network and software solutions, applications and facilities inside CIO. The operations of the CA System does not have any technical impact on any of the areas of the CIO’s daily operations.
Adlin Hisyamuddin
Information Security Manager
____________________________
On:
08 November, 2007
____________________________
Change history
Issue 1 08 November, 2007 Initial issue
Scope:
The purpose of this document is to provide full Operating Work Instructions for the use, maintenance and support of the Monitors, Mice and Keyboards in use within the framework of the PKI CA.
Responsibility & Asset Ownership:
The Network Manager is responsible for ensuring that this OWI is fully implemented and regularly updated to reflect any changes in the environment at CIO. As per the asset list the Network Manager is the owner of the assets covered in this OWI.
Details of the Operating Work Instruction:
A. Monitors
Monitors are to be plugged into a PC or Server for which it has been allocated (cross referenced in the asset list). Monitors should be switched to power saving mode when not used.
Monitors are to be kept clean of dust and users may not leave drink or food beside monitors.
Monitors are not under warranty. No specific support contract is in place to replace monitors within agreed periods of time should the monitor become faulty. [SUPPLIER] can be contacted as per the details on the suppliers register to organize replacement unit(s). In the meantime, users may decide in conjunction with the Information Security Manager and Network Manager whether it might be appropriate to unplug a monitor used in another machine (PC or Server) to plug it back into the machine whose assigned monitor is faulty. When replacement units are delivered and implemented, existing units should be returned to their original place. Any such decision and associated action must be documented and signed off by the Information Security Manager and the Network Manager.
Monitors may not be taken out of the CA rooms without prior approval from the information security manager under any circumstances whatsoever.
B. Mouse
CIO use a number of various models of “mouse”. Each mouse is to be plugged into a PC or Server for which it has been allocated (cross referenced in the asset list).
Each mouse is to be kept clean of dust and users may not leave drink or food beside mouse.
No mouse is under supplier warranty. No specific support contract is in place to replace mouse units within agreed periods of time should they become faulty. [SUPPLIER] can be contacted as per the details on the suppliers register to organize replacement unit(s). In the meantime, users may decide in conjunction with the Information Security Manager and Network Manager whether it might be appropriate to unplug a mouse used in another machine (PC or Server) to plug it back into the machine whose assigned mouse is faulty. When replacement units are delivered and implemented, existing units should be returned to their original place. Any such decision and associated action must be documented and signed off by the Information Security Manager and the Network Manager.
Mouse units may not be taken out of the CA rooms without prior approval from the information security manager under any circumstances whatsoever.
C. Keyboard
CIO use a number of various models of keyboards. Each keyboard is to be plugged into a PC or Server for which it has been allocated (cross referenced in the asset list).
Each keyboard is to be kept clean of dust and users may not leave drink or food beside keyboards.
Keyboards are not under supplier warranty. No specific support contract is in place to replace keyboards within agreed periods of time should they become faulty. [SUPPLIER] can be contacted as per the details on the suppliers register to organize replacement unit(s). In the meantime, users may decide in conjunction with the Information Security Manager and Network Manager whether it might be appropriate to unplug a keyboard used in another machine (PC or Server) to plug it back into the machine whose assigned keyboard is faulty. Once replacement units are delivered and implemented, existing units should be returned to their original place. Any such decision and associated action must be documented and signed off by the Information Security Manager and the Network Manager.
Keyboards may not be taken out of the CA rooms without prior approval from the information security manager under any circumstances whatsoever.
Please note that anti-spyware software approved by the Information Security Manager must be ran on the network at least [once a month] to ensure that no keyloggers are present on the network as this could compromise the overall security of the PKI infrastructure.
D. KBM
CIO use KBMs to allow one monitor to be used for a number of designated server(s) or PC(s). Each KBM is to be plugged into the PCs or Servers for which it has been allocated (cross referenced in the asset list).
Each KBM is to be kept clean of dust and users may not leave drink or food beside keyboards.
KBMs are not under supplier warranty. No specific support contract is in place to replace them within agreed periods of time should they become faulty. [SUPPLIER] can be contacted as per the details on the suppliers register to organize replacement unit(s). In the meantime, users may decide in conjunction with the Information Security Manager and Network manager whether it might be appropriate to plug monitors directly into a PC or server. Once replacement units are delivered and implemented, existing units should be returned to their original place. Any such decision and associated action must be documented and signed off by the Information Security Manager and the Network Manager. When replacement units are delivered and implemented, existing units should be returned to their original place.
KBMs may not be taken out of the CA rooms without prior approval from the information security manager under any circumstances whatsoever.
E. Coaxial Cables & Network Points
CIO use coaxial cables and network points as referenced in the Asset List. These items are not under supplier warranty. No specific support contract is in place to replace them within agreed periods of time should they become faulty. [SUPPLIER] can be contacted as per the details on the suppliers register to organize replacement unit(s). In the meantime, users may decide in conjunction with the Information Security Manager and Network manager whether it might be appropriate interchange Coaxial Cables or Network Points (where applicable). Once replacement units are delivered and implemented, existing units should be returned to their original place. Any such decision and associated action must be documented and signed off by the Information Security Manager and the Network Manager. When replacement units are delivered and implemented, existing units should be returned to their original place.
Cables and Network Points may not be taken out of the CA rooms without prior approval from the Information Security Manager under any circumstances whatsoever.
Additional Notes pertaining to the Operational Working Instructions:
Keyboards, Monitors and Mouse units are delivered by vendors with users manuals either with dedicated Sections related to each asset or with a full users manual allowing for customization of the configuration. Where applicable such manuals are available in the manuals folder.
Other than at the initial installation stage, no specific testing of the assets is required. Basic performance criteria consist in making sure that monitors, keyboards and mouse units function properly and allow interaction with the PC(s) or server(s) these assets are allocated to.
No specific training is provided to users in relation to the assets covered in this OWI as most users intuitively know how to use basic functionality.
Adlin Hisyamuddin
Information Security Manager
____________________________
On:
08 November, 2007
____________________________
Change history
Issue 1 08 November, 2007 Initial issue
Switch Catalyst 2960 OWI
Scope:
The purpose of this document is to provide full Operating Work Instructions for the use, maintenance and support of the Switch Catalyst 2960 in use within the framework of the PKI CA (namely for PKI DC and Juffair).
Responsibility & Asset Ownership:
The Network Manager is responsible for ensuring that this OWI is fully implemented and regularly updated to reflect any changes in the environment at CIO. As per the asset list the Network Manager is the owner of the assets covered in this OWI.
Details of the Operating Work Instruction:
A. Integration and Initial Set-up
The Cisco Switch Catalyst 2960 should be implemented using the guidelines of the software guidance guide produced by Cisco. The switch is configured using Cisco command line access.
Switches are line between machines and a network access point the unit needs to be powered up and is already working in transparent mode.
The unit can be configured either by using CLI (Command Line Interface). All of the following needs to be fully configured:
Initial Configuration and Settings
The switch is configured to 4 different subnets:
Subnet 1
10.10.19.0/26
10.10.19.1 – First IP
10.10.19.63 – Broadcast
Subnet 2
10.10.19.64/26
10.10.19.65 – First IP
10.10.19.127 – Broadcast
Subnet 3
10.10.19.128/26
10.10.19.129 – First IP
10.10.19.191 – Broadcast
Subnet 4
10.10.19.192/26
10.10.19.193 – First IP
10.10.19.255 - Broadcast
Performance Features
Policy and Configuration Instructions:
The Network Manager in co-operation with the Information Security Manager decides on the policy implemented on the Cisco Switch Catalyst appliances. The policy is then implemented and saved with a back-up of the latest policy to saved in CIO Juffair to allow for Disaster Recovery purposes.
Item Policy Rule Description Justification
1 Switch Authentication Rule User Authentication at Switch User Management to guarantee confidentiality
The policy which is implemented must be fully documented and updated on a regular basis within this document.
Alert Escalations and IOS Updates:
The Cisco Switch Catalyst 2960 allows the Network Administrator to create rules for alerts to be a configured to be sent to either the Network Manager and the Information Security Manager. CIO to include details of escalation rules here-switch is transparent, no logging, escalation rules.
Update of the Cisco IOS must be done regularly and performed by the Network Manager as and when the latest IOS for the switch is made available from Cisco; must be agreed with the Information Security Manager and IT Operations Manager.
CISCO IOS Software Release 12.2(25)SEB.
In terms of performance monitoring, the Cisco Switch 2960 should be ample for the requirements of CIO at present. However should service be degraded and performance be impacted CIO should review the logs of the Cisco Catalyst 2960 to check that the bandwidth and performance capabilities of the units are not maxed out. If so configuration might be changed or a requirement for a clustered Cisco Catalyst environment to improve performance should also be envisaged, to be decided by the Network Manager and Information Security Manager to be submitted for approval according to the rules of this ISMS.
B. Subscription and Advance Replacement Instructions:
Cisco Catalyst 2960 units are covered under subscription with Fakhro Electronics with 1 year warranty. This ensures that the IOS version is regularly available for updates. Fakhro Electronics can be contacted as per the details on the suppliers register to organize replacement unit(s). In the meantime, users may decide in conjunction with the Information Security Manager and Network Manager whether it might be interchange Cisco 2960s or to use a third party Switch to continue operations instead of the original Cisco Catalyst 2960. When replacement units are delivered and implemented, the configuration of the original unit must be implemented and tested as per the initial implementation. All associated actions must be documented and signed off by the Information Security Manager and the Network Manager.
Additional Notes pertaining to the Operational Working Instructions:
The Cisco Catalyst 2960 units are to be kept clean of dust and users may not leave drink or food beside the appliances.
Cisco Catalyst 2960 units may not be taken out of the CA rooms without prior approval from the information security manager under any circumstances whatsoever.
Cisco Catalyst 2960 units are delivered by vendors with users manuals either with dedicated Sections related to each asset or with a full users manual allowing for customization of the configuration. The main reference guide for the Cisco 2960 is entitled Catalyst 2960 Switch
Software Configuration Guide. CIO uses all the best practice guidelines available for these units in the guide. The guide is included in the series of manuals which are available in the manuals folder.
No specific training is provided to users in relation to the assets covered in this OWI as most users intuitively know how to use basic functionality. However CIO have a number of Cisco trained professionals to CCNA levels which allows CIO to perform a number of administration duties with internal staff and without requiring external assistance.
Adlin Hisyamuddin
Information Security Manager
____________________________
On:
08 November, 2007
____________________________
Change history
Issue 1 08 November, 2007 Initial issue
Tipping Point X505 OWI
Scope:
The purpose of this document is to provide full Operating Work Instructions for the use, maintenance and support of the Tipping Point X505 in use within the framework of the PKI CA (namely for PKI DC and Juffair).
Responsibility & Asset Ownership:
The Network Manager is responsible for ensuring that this OWI is fully implemented and regularly updated to reflect any changes in the environment at CIO. As per the asset list the Network Manager is the owner of the assets covered in this OWI.
Details of the Operating Work Instruction:
F. Integration and Initial Set-up
The Tipping Point hardware firewall and IPS appliance(UTM) is easy to install and very intuitive to set-up. Once plugged in line between a switch and a network access the unit needs to be powered up and is already working in transparent mode.
The Tipping Point Unit can support mixed environments irrespective of topology or IP addressing scheme. We have implemented the following mode of the UTM:
- NAT (including Virtual Server and PAT)
The UTM is configured with the following:
Interface 1 – External (Connected to CIO Isa Town main core switch)
Interface 2 – Frontend (Connected to Switch Subnet 2)
Interface 3 – Backend (Connected to Switch Subnet 3)
Interface 4 – HSM (Connected to Switch Subnet 4)
Tipping Point testing is carried out initially to ensure that the solution works transparently and allows legitimate traffic through and does show in its logging interface the number of attacks being stopped or simply logged. Each type of attack will generate an alert which can be sent via multi channel such as SMS or e-mail to the Network Manager and/or Information Security Manager.
Policy and Configuration Instructions:
The Network Manager in co-operation with the Information Security Manager decides on the policy implemented on the Tipping Point appliances. The policy is then implemented and saved with a back-up of the latest policy to be saved in CIO Juffair to allow for Disaster Recovery purposes.
The units allow for the following features to be implemented.
User Set-up
The Network manager will set-up accounts for themselves and the Information Security Manager.
Client and Server Protection
Spyware and Peer-to-Peer Protection
Multiple Security Zones
Flexible Policy Engine
Unified control of multiple services:
Encryption and Authentication
On-box and external RADIUS database
URL Filtering
Web Content Filtering
Annual subscription includes:
TippingPoint Isa Town
Item Policy Rule Description Justification
from internal or third-party certificate
authorities Allows CIO to ensure that certificates created by Digi-CA are let through the Tipping Point Allows for secure communication of CA certs to relevant parties
TippingPoint Firewall Juffair
Item Policy Rule Description Justification
from internal or third-party certificate
authorities Allows CIO to ensure that certificates created by Digi-CA are let through the Tipping Point Allows for secure communication of CA certs to relevant parties
The policy which is implemented must be fully documented and updated on a regular basis within this document.
Secure Management and & Alert Escalations:
The TippingPoint X505 is supported by the TippingPoint Security Management System (SMS), an enterprise-class management platform, which provides intuitive management for multiple TippingPoint IPS or X505 devices. The TippingPoint SMS arrives with factory-installed software for simplistic installation. CIO use the standard web based configuration so that the Network manager can perform installation and maintenance routine tasks and to allow the Information Security Manager to access the logs and policy where applicable.
The SMS is to be used to create rules for alerts to be a configured to be sent to either the Network Manager [NM] and the Information Security Manager [ISM]. Currently the rules are not agreed and the NM & ISM have identified this as a risk that will be addressed, documented and provided in this Manual in time for the second update of the manual on 14 November, 2007
The X505 is configured to send email notification when a High Level alert is detected by it.
Red Hat Isa Town
Item Issue Escalation patch Action Item / Remediation
Red Hat Juffair
Item Issue Escalation patch Action Item / Remediation
CIO to complete tables for each implementation PKI DC and Juffair. Information included in the example shown is for guidance purposes only.
In terms of performance monitoring, the Tipping Point x505 should be ample for the requirements of CIO at present. However should service be degraded and performance be impacted CIO should review the logs of the Tipping Point to check that the bandwidth and performance capabilities of the units are not maxed out. If so configuration might be changed or a requirement for a clustered Tipping environment to improve performance should also be envisaged, to be decided by the Network Manager and Information Security Manager to be submitted for approval according to the rules of this ISMS.
Subscription and Advance Replacement Instructions:
Tipping Point is covered under subscription with Fakhro Electronics with 1 year subscription. This ensures that the database of attacks for which Tipping Point scans is fully up to date. Fakhro Electronics can be contacted as per the details on the suppliers register to organize replacement unit(s). In the meantime, users may decide in conjunction with the Information Security Manager and Network Manager whether it might be appropriate to continue operations without Tipping Point Protection. When replacement units are delivered and implemented, the configuration of the original unit must be implemented and tested as per the initial implementation. All associated actions must be documented and signed off by the Information Security Manager and the Network Manager.
Additional Notes pertaining to the Operational Working Instructions:
The Tipping Point units are to be kept clean of dust and users may not leave drink or food beside the appliances.
Tipping Points units may not be taken out of the CA rooms without prior approval from the information security manager under any circumstances whatsoever.
Tipping Point units are delivered by vendors with users manuals either with dedicated Sections related to each asset or with a full users manual allowing for customization of the configuration. Where applicable such manuals are available in the manuals folder.
Full activity and log reports are available out of the box for Tipping Point and should be produced on a monthly basis by the Network Manager and sent to the Information Security Manager for review. Should the Information Security Manager request changes to the policy this must be done in accordance to the change control procedure.
No specific training is provided to users in relation to the assets covered in this OWI as most users intuitively know how to use basic functionality.
Adlin Hisyamuddin
Information Security Manager
____________________________
On:
08 November 2007
____________________________
Change history
Issue 1 08 November, 2007 Initial issue
Motion Detector, Alarm, Power Supply & Siren OWI
Operating Work Instructions – Alarm Control Panel, Speech Dialler, Siren, Power supply, LCD Keypad and Motion Sensors
Scope:
This document covers the Operating Work Instructions for the Alarm Control Panel, Dialer, Siren, Power supply and LCD Keypad located throughout the datacenter in Isa Town.
Responsibilities:
The safe is the responsibility of the Physical Security Section of CIO’s Information Security Section.
Details of Operating Work Instructions:
a. 12 zones panel, 2 partitions, 32 user codes, 4 outputs relay modules, 8 programmable outputs with 12 V battery for backup
a. 32 character LCD display, 4 voice message(each up to 32 seconds), 8 voice message, 4 trigger input
a. Remote keypads with standard 32 character LCD display and a speaker driver unit for programmable volume control, surface mount
a. The access code for the alarm is held by Physical Security Section personnel only and is changed regularly.
b. The alarm has a 20 second window from alarm is armed OR when an intruder detected inside the Data centre.
c. If the access code is failed to be entered in 20 seconds, the siren on the outside of the building will sound and flash. The speech dialler will then call the numbers stored in memory in the following order:
i. Physical Security Personnel 1
ii. Physical Security Personnel 2
iii. Head of PKI
iv. CA Administrator
d. The dialler will keep on dialling the numbers above in order until it is answered.
a. In case of failure, contact Mantech 17730459.
.
Ownership:
Adlin Hisyamuddin
Information Security Manager
____________________________
On:
08 November, 2007
____________________________
Change history
Issue 1 08 November, 2007 Initial issue
Backup Air Conditioning Unit OWI
Scope:
This document covers the Operating Work Instructions for the Backup Air Conditioning Unit located throughout the PKI Data centre in Isa Town.
Responsibilities:
The backup air conditioning unit is the responsibility of the PKI Section of CIO’s Information Security Section.
Details of Operating Work Instructions:
a. In case of any malfunction of the air conditioning units, the Vendor shall be informed for any replacements (Ref: Doc 7.1B)
Ownership:
Adlin Hisyamuddin
Information Security Manager
____________________________
On:
08 November, 2007
____________________________
Change history
Issue 1 08 November, 2007 Initial issue
Dust & Fire Protection OWI
Operating Work Instructions – Fire/Dust Detection & Fire Suppression System
Scope:
This document covers the Operating Work Instructions for the Fire/Dust Detection & Fire Suppression System located throughout the PKI Data centre in Isa Town.
Responsibilities:
The safe is the responsibility of CIO’s Administration Department.
Details of Operating Work Instructions:
a. Somke Fire/Dust Detectors (located on the ceiling void, roof and under the raised floorings)
b. Fike Corporation Single Hazard Panel(SHP) – Alarm/System Control Panel
c. FM 200 Gas tank and release nozzles
a. When a fire is detected, the alarm siren will immediately sound, after 90 seconds the FM 200 gas will be released.
b. The release of the gas can be delayed by 1 minute by pressing a button on the SHP panel.
c. The SHP has a battery backup, in case of power failure.
d. For support, contact Al Moayyed Trading and Contraction 17700777.
Ownership:
Adlin Hisyamuddin
Information Security Manager
____________________________
On:
08 November, 2007
____________________________
Change history
Issue 1 08 November, 2007 Initial issue
Access Control System OWI
Scope:
This document covers the Operating Work Instructions for the Access Control in PKI Data centre in Isa Town.
Responsibilities:
The access control is the responsibility of the Physical Security Section of CIO’s Information Security Section.
Details of Operating Work Instructions:
a. Identix Fingerscan V20 UA
b. Dimensions : Length: 6-1/2”, Width 6-3/4”
c. Enrollment time : <5 seconds
d. Verification time : <1 second
e. FAR/FRR: variable, configuration dependant
f. Template size: 512 bytes
g. Allowable Finger Rotation: =/1 18 degrees
h. Power: 12V DC, unregulated
i. Weight: 2lbs
j. Transaction Storage: 8000 (minimum buffering)
k. Communications: RS485, Wiegang, RS232;optional gateway-supported Ethernet or modem
l. Baud rate: 9600 to 57600 bps
m. Template storage: 512 or optional 5000 and 32000 template memory
n. Door controls: Lock output, tamper switch, 3 auxiliary outputs, 4 auxiliary inputs
o. Card reader input: Wiegand, proximity, magnetic stripe (serial), smartcard (serial), barcode(serial)
p. Card reader emulation output: Wiegand
q. Timezones: 30
r. Operating temperature: -10 to 50 degrees Celsius
s. Display: 2 line, 16 characters
t. Options: User memory expansions: 5000 and 32000 templates, LCD display, integrated proximity card reader, dial up modem, Ethernet communications (10BAST-t), and Fingerlan IV
a. Entry would require a Physical security personnel and another person ie. all rooms require dual access.
b. A Physical Security personnel MUST be present in all room which requires access.
c. A user can use either his/her access code or an access card with his/her fingerprint to access.
a. In case of power failure, access would not be available but the door lock will be powered.
b. In case of network failure between reader and Fingerlan pc, the reader would still be able to provide access with templates stored on the reader itself.
c. For support, contact Mantech 17730459.
Adlin Hisyamuddin
Information Security Manager
____________________________
On:
08 November, 2007
____________________________
Change history
Issue 1 08 November, 2007 Initial issue
Telephone OWI
Scope:
This document covers the Operating Work Instructions for the fully functional telephone located in the Outer Core room in PKI Data centre in Isa Town.
Responsibilities:
The fully functional telephone is the responsibility of the CIO’s Administration Department.
Details of Operating Work Instructions:
a. Should the telephone fails, the telephone line can be connected directly to the alarm.
b. If the telephone line is down, please contact Batelco on 17881111
c. If the telephone line is down due to error in wiring, contact Techoland on 17271714.
Ownership:
This document is owned by CIO’s Administration Department.
Adlin Hisyamuddin
Information Security Manager
____________________________
On:
08 November, 2007
____________________________
Change history
Issue 1 08 November, 2007 Initial issue
Safe OWI
Scope:
This document covers the Operating Work Instructions for the Safe located in the Safe room in PKI Data centre in Isa Town.
Responsibilities:
The safe is the responsibility of the PKI Section of CIO’s Information Security Section.
Details of Operating Work Instructions:
a. The digital combination for the safe door and the safe door key will be held by different individuals. If needed, the combination lock can also be set to require 2 user inputs instead of it. Current setting is set to 1.
b. One personnel will hold the common key to all deposit boxes while and individual responsible for the safe deposit box will hold the individual key.
a. In case of fire, the safe is rated to withstand fires up to 2 hours
b. If the batteries to the combination lock have not been changed in time and the tension does not suffice to cancel the lock’s blocking feature, a new 9V ALKALINE battery can be pressed to the contacts on the entry pad.
c. The code the safe remains active even as the power supply fails.
d. For support, contact Mantech 17730459.
Adlin Hisyamuddin
Information Security Manager
____________________________
On:
08 November, 2007
____________________________
Change history
Issue 1 08 November, 2007 Initial issue
Door Exit Push Buttons & Door Latch OWI
Scope:
This document covers the Operating Work Instructions for the Door Exit Switches and Door Latches in the PKI Data centre
Responsibilities:
The items are the responsibility of the PKI Section of CIO’s Information Security Section.
Details of Operating Work Instructions:
a. The door latch is held magnetically via power from the Data centre. In case of power failure, the battery in the Access control is to provide power to the latch until power supply is restored.
b. In case of any failures, contact Mantech 17730459.
Adlin Hisyamuddin
Information Security Manager
____________________________
On:
08 November, 2007
____________________________
Change history
Issue 1 08 November, 2007 Initial issue
CCTV OWI
Scope:
This document covers the Operating Work Instructions for the CCTV Cameras, DVR Remote Control ,Monitor, Digital Video Recorder (DVR) and coaxial cables located in the Outer Core room in PKI Data centre in Isa Town.
Responsibilities:
The safe is the responsibility of the Physical Security Section of CIO’s Information Security Section.
Details of Operating Work Instructions:
a. CCTC Camera – Infinova V1466F-3895A14 CCTV, Vandal resistant x 3
b. DVR - Infinova V3010/4L Digital Video Recorder,4 Channels 80 GB Hard disk
c. Monitor - Infinova V1322T/14 14” Digital Color Monitor 1 channel
d. Coaxial cables - LOT
a. Entrance to the Outer Core room
b. Entrance to the Inner Core room
c. Entrance to the Safe Room.
a. Access to the DVR is protected via a PIN code. PIN code can be entered using keypad on the DVR or via the remote.
b. The DVR is also accessible via Infinova’s Remote Monitoring Software.
c. Setup of the DVR can be done either via the DVR or by using the Remote Monitoring Software.
a. In case of lost feed from cameras, please contact Mantech 17730459 for support.
Adlin Hisyamuddin
Information Security Manager
____________________________
On:
08 November, 2007
____________________________
Change history
Issue 1 08 November, 2007 Initial issue
Light Fittings & Switches OWI
Scope:
This document covers the Operating Work Instructions for the Lights fitting and switches located throughout the PKI Data centre in Isa Town.
Responsibilities:
The lights fitting and switches is the responsibility of the PKI Section of CIO’s Information Security Section.
Details of Operating Work Instructions:
a. In case of any breakage/malfunction of the lights fittings and switches, the Vendor shall be informed for any replacements (Ref: Doc 7.1B)
Adlin Hisyamuddin
Information Security Manager
____________________________
On:
08 November, 2007
____________________________
Change history
Issue 1 08 November, 2007 Initial issue
Appendix IV – Place Organizational Chart here
[29] All future assets used in the Trust Centre must conform to the following, as applicable:
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[1]
7.10 PKCS#11
7.11 PKCS#12
7.12 PKCS#15
[1] Digi-CA uses a PKCS#11 API standard to perform Cryptographic functions using either HSM devices or using its own Cryptoki application based layer.
[1] Digi-CA™ fully supports the PKCS#12 standard and implements it for key and certificate distribution.
[1] This standard has been formed to define smart card standards [10] for key & certificate storage and Digi-CA™ [2] complies with this standard, as the Digi-Card™ smart cards provided for use with the Digi-CA™ are compliant with this standard because they have been designed by the vendors in accordance with the PKCS#15 standard.
[52] For compliance reasons, certain CA systems must conduct a Key Ceremony before issuing any Digital Certificates. Trust Centres and Government projects are two examples where a key ceremony may be required in order to comply with local laws or international standards.
The entire Key Ceremony and is described in this manual. There are typically three phases of the Key Generation Ceremony and these are sub divided and described in the following sub sections:
[53] The Root CA, that is at the top of the hierarchy of the CA environment, as well as Subordinate CAs residing on a lower level of the CA hierarchy, are created using the Key Ceremony. The Key Ceremony is conducted and supervised by the Key Ceremony Administrator with an optional support of Key Generation Ceremony Administrator and the procedure is carried out with the following primary responsibilities:
To meet these responsibilities, the Key Ceremony Administrator is involved in every phase of the CA life cycle. The six phases of the CA life cycle are described in the following sub sections:
2.Definition
3.Preparation
4.Creation
5.Activation
6.Maintenance
7.Recertification
[53] During this phase of the Key Generation Ceremony, a new Key Access Component Card Set, commonly referred to as Operator Card Set, can be created and bound to a cryptographic device’s security infrastructure.
Depending on the organization preference and/or regulatory requirements, all of the generated keys (or alternatively only a specified subset of generated keys, subject to the type of CA that they will be assigned too) may require protection from unauthorized access and may also require encryption using an encryption key that is divided into a specified number of components. These are referred too as Secret Components and once created they are stored on Key Access Component Cards.
If you choose to protect any keys with a set of Key Access Component Cards, you will need to create the new Key Access Component Card Set using the features provided by your cryptographic device vendor (e.g. HSM or other device). This will usually require you to define the card set configuration, such as the total number of cards in a card set and a minimum number of cards required to access the key (if you enable this option), to recover any lost card of the card set (if you enable this option), to recover lost PIN codes, that protect access to each card (if you enable this option) and finally - to recover a private key itself (if you enable this option).
Before a card set can be created, a sufficient number of Card Holders, that is individual persons holding the Key Access Component Holder responsibilities, should be appointed and attend the ceremony. Choose your Card Holders carefully and wisely and ensure they meet Trusted Employee requirements and other personnel related policies within you or your customer’s organization.
Each Card Holder, will need to be supplied with a special smart card, provided by the cryptographic device vendor. During the process of creation of a new Key Access Component Card Set, each Card Holder will be requested to insert the card into the smart card reader interface connected directly to the cryptographic device and enter and confirm a new PIN code they wish to protect their cards with. They must memorize their PIN codes and also store these securely in a well protected place such as safe. Before the process is completed, the Key Ceremony Administrator will also need to enter a Name for the newly generated card set in order to be able to identify it when the particular card set is needed in future use.
Upon successful creation of the new Key Access Component Card Set, the event should be documented in the Key Ceremony Notes Document, that should clearly display the Name assigned to the new Key Access Component Card Set, full name of each Card Holder, their personal details allowing the company, for which the keys are generated for, to easily contact each Card Holder when needed, and finally - the serial numbers of the smart cards they hold. The Key Ceremony Administrator should also ensure, that each Card Holder signs a dedicated Key Access Component Holder Document (a separate document for each Card Holder), which lists all of the Cart Holder responsibilities, their personal details and the Serial Number of the Key Access Component Card they hold.
[53] During this phase of the Key Generation Ceremony, the necessary number of key pairs is generated, subject to the number of CAs that will be created during the Key Ceremony. All private keys are securely generated and saved in an encrypted format on a cryptographic device, most often a hardware device such as Hardware Cryptographic Module commonly referred to as HSM. Public key request files are also saved into a hard disk drive, CD disc, USB flash drive or a diskette.
At this stage, the key pairs are given a Common Name and as an option, a unique key identifier file is named and saved into a hard disk, USB flash drive or a diskette. These values identify the key and will allow the Key Ceremony Administrator to properly setup the cryptographic tools to access the key at a later stage of the Key Ceremony and in future frequent use if necessary.
In order to generate a key pair on a cryptographic device, a command prompt based
cryptographic device support software in combination with Digi-CA™ Cryptographic Toolkit can be used. Subject to your or your customer preference, or regulatory requirements as well as supported algorithms by the Digi-CA™ PKI System and the cryptographic device in use, the Key Generation Administrator needs to ensure, that he has correctly defined the following values describing the type and the size of each private and public key pair:
b. Key Size provided as an integer number of bits [i.e. 2048]
Ensure, that these values are known to the Key Generation Administrator in advance and that your own or your customer’s company understands their meaning, usage limitations and security risks in respect to the current cryptographic security norms and standards [10] for commercial use.
If you intend to protect a particular key with a set of Key Access Component Cards, ensure all Key Access Component Holders are present at the ceremony, have their cards ready for use and confirm that they remember or have access to the PIN codes necessary to read data on the cards. If an Key Access Component Card Set key protection feature is enabled during this phase, configured number of Card Holders will be requested to insert the card into the smart card reader interface connected directly to the cryptographic device and enter the PIN code they used to protect their cards with. Once the last required card is loaded, the cryptographic device will automatically generate the requested key data based on the specified key type algorithm and bit size and output relevant data such as certificate request containing the associated public key and as an option, a unique key identifier file to an appointed location on a hard drive disk, CD disc, USB Flash Drive or a diskette.
At the end of the key generation process, you need to ensure, that the event is documented in the Key Ceremony Notes Document and, that it clearly displays that keys are not only correctly associated with a specific company, for which the key or keys are generated for but also correctly associated with the CA, for which these were generated for. For example, ACME Certification Authority could be assigned to 2048 bit RSA PrivateKey1, etc.
After the Key Ceremony, the CA Operator uses the .x509 certificate file, generated during the ceremony, to map the private key stored on the cryptographic device to the new CA infrastructure.
The above process for generating keys can be completed using a cryptographic device working in a production environment and it does not disrupt the operations of other CAs maintained in your Digi-CA™ PKI System environment. This also enables the CA Operator to bring new CAs online easily, without taking existing CAs offline.
Using Key Generation Ceremony, a new key pair is generated whenever a new Root or Subordinate CA is created. Typically, firstly a Root CA is created and used to sign any new Level 1 Subordinate CA in the CA hierarchy and so on.
[53] During the definition phase of the CA, the Key Ceremony Administrator coordinates and supervises work to define the CA, how to name it, how to use it, what type of hierarchy to choose, and other attributes and requirements of the CA and associated PKI [30] environment. This can be done by using the Preset Certificate Specification Template provided in Appendix II.
There are several other items that must be considered when defining the Key Ceremony and these are explained in the following sub sections:
2. Key Map
3. Key Access Component Holders
4. Key Ceremony Script
5. Video Recording
6. Archive Collateral
[53] The naming document must be completed for all new CAs. Information provided in the naming document precisely describes the CA you are creating for your own organization or for your customer. Because this document is a critical tool in the creation of the CA, it is imperative that the parameters identified in the naming document are carefully defined. The Digi-Sign’s Digi-CAST2™ Consulting Team can support the Key Ceremony Administrator and work with the customer to correctly set these parameters.
Important Note: The Key Ceremony Administrator is responsible for generating the Naming Document and ensuring that its is signed by appropriate representatives or by the customer, to whom the CA is generated for.
The naming document is a critical tool used to prepare for a Key Ceremony. With the naming document in hand, the ceremony is scheduled, the Key Ceremony Script is written and the ceremony attendees are decided upon. The naming document consists of four sections and space for the customer signature (see Appendix II: Preset Certificate Specification template). The information in each section differs, depending on the CA type and unique customer specifications. The typical two types of CAs you create in key ceremonies are:
Elements of the naming document are different for each of these CAs. These differences are summarized in the following table:
[53] The four sections of the Naming Document are explained in the following sub sections:
Section II- Operational Period
Section III - Distinguished Name
Section IV - Certificate Format & Extensions
[53] The second part of this section lists the Distinguished Name of the New Issuing Authority. The New Issuing Authority is the new CA that you create. There are several common attributes that may be required or optional subject to your preferred choice and regulatory requirements:
[53] To track the assignment of pre-generated Keys, a Key Map is maintained and updated before and after every Key Ceremony you conduct (see Appendix III for a sample Key Map template). This file contains the following information that is explained in the sub sections below:
This field remains blank until the pre-generated key pair is assigned to a new CA. Once the key pair is assigned, the date of the Key Ceremony and precise UTC time of assignment is entered in this field.
This field identifies the cryptographic device and the pre-generated (or generated at the beginning of this ceremony) private key residing within your cryptographic device. The device is usually identified by a unique device serial number that the device vendor has assigned to it. If provided by the vendor of your device, you may also enter the integrity key identifier value, that provides an increased level of device identity assurance. As next items in this section, you enter the Common Name and optionally a unique key identifier file name and the checksum byte string of the identifier file for your pre-generated key stored within the cryptographic device. As a last item in this section and if the additional Key Access Component Card based protection was enabled for the generated key, you enter the Name of the Key Access Component Card Set, which was used to protect access to the key. When the key pair is assigned to a new CA, these values will be cross-checked by the appointed Key Ceremony Attendees, to ensure they match the real values, that the Key Ceremony Administrator is using during the ceremony key related activities.
This field remains blank until the pre-generated key pair is assigned to a new CA. Once the key pair is assigned, the Distinguished Name [DN] of the new CA is entered in this field of the spreadsheet.
This field remains blank until the pre-generated key pair is assigned to a new CA. Once the key pair is assigned, the DN of the Issuing CA is entered in this field of the spreadsheet.
This is the name of the file containing the public key and the certification [10] request generated during the Key Ceremony. The request file assigns the CA to a pre-generated key.
This field remains blank until the pre-generated key pair is assigned to a new CA. During the Key Ceremony a certificate for the new CA is created and once this is done the name of the certificate file is entered in this field of the spreadsheet.
This field remains blank until the pre-generated key pair is assigned to a new CA. During the Key Ceremony a validity period will be assigned to the new CA and is entered here once completed.
[53] To track the assignment of pre-generated Keys, a Key Map is maintained and updated before and after every Key Ceremony you conduct (see Appendix III for a sample Key Map template). This file contains the following information that is explained in the sub sections below:
This field remains blank until the pre-generated key pair is assigned to a new CA. Once the key pair is assigned, the date of the Key Ceremony and precise UTC time of assignment is entered in this field.
This field identifies the cryptographic device and the pre-generated (or generated at the beginning of this ceremony) private key residing within your cryptographic device. The device is usually identified by a unique device serial number that the device vendor has assigned to it. If provided by the vendor of your device, you may also enter the integrity key identifier value, that provides an increased level of device identity assurance. As next items in this section, you enter the Common Name and optionally a unique key identifier file name and the checksum byte string of the identifier file for your pre-generated key stored within the cryptographic device. As a last item in this section and if the additional Key Access Component Card based protection was enabled for the generated key, you enter the Name of the Key Access Component Card Set, which was used to protect access to the key. When the key pair is assigned to a new CA, these values will be cross-checked by the appointed Key Ceremony Attendees, to ensure they match the real values, that the Key Ceremony Administrator is using during the ceremony key related activities.
This field remains blank until the pre-generated key pair is assigned to a new CA. Once the key pair is assigned, the Distinguished Name [DN] of the new CA is entered in this field of the spreadsheet.
This field remains blank until the pre-generated key pair is assigned to a new CA. Once the key pair is assigned, the DN of the Issuing CA is entered in this field of the spreadsheet.
This is the name of the file containing the public key and the certification [10] request generated during the Key Ceremony. The request file assigns the CA to a pre-generated key.
This field remains blank until the pre-generated key pair is assigned to a new CA. During the Key Ceremony a certificate for the new CA is created and once this is done the name of the certificate file is entered in this field of the spreadsheet.
This field remains blank until the pre-generated key pair is assigned to a new CA. During the Key Ceremony a validity period will be assigned to the new CA and is entered here once completed.
[53] A CA’s private key is a valuable item because its possessor may activate the CA at any time. To protect against any misuse, Key Access Component Card Sets are created and are required to access the private key.
These Card Sets are formed with a defined number of Key Access Component Cards, that are protected with PIN numbers and store encryption key elements [components] necessary to decrypt the private key and gain access to it in order to bring it into online state inside the cryptographic device. Individuals, that posses the Key Access Component Cards used to protect particular keys are called Key Access Component Holders and the organization that owns the CA must track and record accurate information about Key Access Component Cards and Key Access Component Holders so that a complete list maintained at all times.
[53] The Key Ceremony Administrator ensures that every Key Ceremony and every ceremony related activity is secure and auditable. This means that there must be an unbroken evidentially path demonstrating that your Certificate system is operated in accordance with the methods and procedures described in your organization’s Certificate Practice Statement [26]. In addition to the witnessed script, video record of key ceremonies and logging protocols provide further documentation of the CA creation process. Each of these is explained in the following sub sections:
An Archive Folder must be compiled for every Key Ceremony. The folder should include the Naming Document, the witnessed Key Ceremony Script, the Key Access Component Holder Documents, the Attestation Letters and the Key Map. After the ceremony, the Archive Folder is stored in the secure storage area. This Folder and the video recording provide the primary record of all key ceremonies performed by the organization.
The Archive Folder documents the Key Ceremony and provides evidence of the secure manner in which the CA was created. The Archive Folder is divided into three parts as described in the following sub sections:
2.Key Map
3.Key Access Component Holder Documents
4.Attestation Letter
[53] Once everything is defined and understood the preparation for the Key Ceremony can be considered. This involves preparing the people that will attend, the keys that will be generated and the documentation that is required. These are explained in the following sub sections:
3.11.2.2 Notary Public or Equivalent
In preparing for the Key Ceremony, personnel from your Customer’s organization must attend. It is essential to remember at all times that Digi-CA™ is a security product. Throughout the entire Key Ceremony and beyond, every action must occur in a manner that conveys that care has been taken to ensure the highest possible level of security.
A notary public is an official, public witness whose job it is to identify people who are about to sign a document and to witness that signing. A properly credentialed notary public or some person who is authorized by local law to serve as an official, public witness, observes the witness(es) signing the Attestation Letter and then certifies the witnesses’ signatures.
Once everything necessary to define and prepare for the new CA is completed, the CA is created in a Key Ceremony. This is a set of formal and highly secure procedures that creates a CA. The Root CA should be stored securely and remain in offline state, while Subordinate CAs can be put online for frequent use. There are a number of actions, that should occur on the day of the Key Ceremony and they are explained in the following sub sections:
2.Pre-Check
3.Briefing
4.Ceremony
5.CA Creation
6.Conclusion
7.Post-Check
[53] Key Access Component Retrieval is only required if you are using existing Key Access Components from a previous Key Ceremony and this is decided when the Ceremony Script is being written. Existing Key Access Components are needed each time a CA is being created from a previously generated key, if the key was access protected. The Key Access Component Holders must then be present so that the Key Ceremony Administrator and the Key Access Component Holders can enter the safe room together and retrieve the required smart cards containing Key Access Components (key elements necessary to decrypt the private key and bring it online). The Key Access Component Holders will provide their smart cards as required during the Key Ceremony.
A final check of the Key Ceremony room should be undertaken prior to the arrival of the attending personnel. This could include assisting with the recording equipment, arranging seating and other activities but should always include a check, that the following items are present, will function properly and are usable:
Before the ceremony, the Key Ceremony Administrator, or a Digi-Sign Digi-CAST2™ consultant, meets with the attendees and explains what a Key Ceremony is and what will be occurring during the ceremony. The briefing will include:
The actual Key Ceremony has several vital components that must be understood by everyone that attends the ceremony. There are four parts to the ceremony and the following sub sections explain the components:
[53] On the day of the ceremony, many people become involved in making the ceremony a success. The following identifies the tasks performed on the ceremony day, the time frame, the responsible party, and other participants involved in each task. The following table shows the responsibilities on the day of the Key Ceremony:
Time Frame Task Responsible Party Other Participants
30 minutes-1 hour before ceremony begins Key Access Component retrieval, Video camera setup Key Ceremony Administrator Key Access Component Holders, access personnel, Videographers
15 minutes before ceremony Final check of the ceremony room Key Ceremony Administrator
15 minutes before ceremony Customer briefing Digi-CAST2™ Consultant or Key Ceremony Administrator Customer
Start of ceremony Ceremony introduction Key Ceremony Administrator Key Ceremony Administrator, Key Access Component Holders, and other ceremony participants
During ceremony Create the customer’s CA(s) Key Ceremony Administrator Key Access Component Holders, witnesses, and customer (optional)
End of ceremony Ensure that all ceremony material is properly distributed Key Ceremony Administrator Key Access Component Holders and access personnel
Immediately after ceremony ends Ensure that the archive book and appropriate key management files are updated and stored Key Ceremony Administrator Access personnel Notary Public
After entering the room, follow these steps:
Upon successful completion of the final check, the ceremony room is ready for the ceremony participants. Next, make sure all the participants are present and in their proper location. The participants should be arranged as follows:
[53] The Key Ceremony is a formal procedure in which the CA is created. The security of the procedure must be auditable and evidentially. The ceremony script is the most important tool to ensure compliance [10] with established security procedures. When each ceremony step is documented, witnessed and attested to, you have created your organization’s strongest proof against claims of non-compliance or security compromise. For this reason, the script must be followed exactly as it is written.
During the Key Ceremony, the script will be read aloud for each step. Reading the script aloud helps the ceremony participants follow along, but more importantly, it provides a verbal narrative to accompany the video recording of the event. As each step is completed, the section of the script for that step is initialed by the witnesses.
Important Note: Situations that cause temporarily digression from the script may arise. Any such digression must be thoroughly documented, so that these situations do not compromise the security of the process.
To properly document digressions, notations are made in the script that describe the problem, when it occurred, and what was done to fix the problem. The script is initialed by everyone in attendance.
If the ceremony is particularly long, the participants can take a break from the proceedings. If this occurs, the script has a notation added indicating the time of the break. Another notation indicating the time the proceedings resumed is also made in the script. During the entire break, two trusted employees must remain in the room. The videographers continue recording throughout the break.
Following the ceremony introduction, the scripted steps to create the CA begin. The script is followed exactly so that the witnesses can initial each and every step as it is performed. The following sub sections describe the ceremony activities that will be in the script:
2.Generating Event
3.Signing Event
4.Distribution Event
[53] The initializing event must be built into the script when creating a Root CA or when conducting a Key Generation Ceremony. In the Initializing Event, the Key Access Component Card Set is created (Key Access Component Cards). The Initializing Event provides critical security to protect the private key assigned to the new CA. This event is of paramount importance during the ceremony, and these procedures must be adequately documented in the script.
[53] The Key Ceremony script then lists the steps that will be performed at the conclusion of the ceremony. Before anyone leaves the room all copies of the signed Key Ceremony Script, the Key Access Component Holder Documents, the Attestation Letters and the Video Recordings must be placed in the Archive Folder and sealed.
At this point, the CA is created but it is not yet activated. This is the next event that occurs after the Key Ceremony and is the CA Activation event.
Text needed here
[53] The first component in ensuring a properly configured CA is the naming document. Its formal title is the New Issuing Authority Naming Application. This document contains the information necessary to properly configure a CA:
After the Digi-CAST2™ Consultant and the customer have defined the Customer’s CA, the
Digi-CAST2™ Consultant will give you a copy of the completed naming document that has
been signed by both the Digi-CAST2™ Consultant and the Customer. You will use the information in the naming document to create the CA. Detailed information about the naming document is available in Chapter 4, "Key Ceremony Preparation".
[53] We have a requirement, that the generation of new RSA keys and creation of new Certification Authorities (CAs) must be witnessed by a third party auditor and appointed witnesses. We must therefore generate fresh keys which have been witnessed in the prescribed manner and use these keys to create new Certification Authorities (CAs).
The keys we generate today will be new keys, having no existing keys residing on the HSM device we are about to use during this ceremony. There are therefore no existing keys residing in the HSM device should this note be relevant to any party participating in this ceremony.
It is important to note, that the Key Generation and Certificate Signing operations occur entirely within the HSM device which uses a FIPS 140 approved pseudo random-number generator, which is seeded periodically from a random bit-value accumulator fed with an unpredictable input from an electronic noise source.
The prime number generator used in RSA key pair generation is entirely within the HSM and is covered by FIPS 140.
The software and the procedures were tested to ensure, that the keys were valid, and that the import and export procedures were working as required.
The source code was examined to ensure that its operation was correct.
[53]
Issue |
|
Subject Dn |
Issue Dn |
.req |
.509 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[53] An IBM compatible computer (hereafter referred to as "the computer") was set up in a room providing strict personnel access control, security camera monitoring [and electronic isolation from any computer networks].
2. The computer has a hard disk which has been pre-prepared with a fresh installation of a [Red Hat Enterprise Linux, version 5.0] operating system, the requisite HSM driver, nToken authentication PCI device, HSM device Support Software and the
Digi-CA™ PKI System, both acting as the Cryptographic Operation Control Software. The software was tested for correct operation prior to the Key Ceremony by using an HSM reserved for backup purposes.
3. The Key Access Component Cards are going to be distributed to appointed Key Access Component Holders during a later event of this ceremony. It is however important to note, that Key Access Component Holders are the only holders possessing PIN codes necessary to access the data stored on these smart cards. Before this step can be completed, each appointed Key Access Component Holder must now write down their new PIN code on a dedicated PIN paper sheet and put the PIN paper sheet with the written PIN code into an envelope, indicating their full personal name. Each envelope is to be placed on the Inventory Table and remain not sealed for the duration of the entire Key Ceremony. All attending Witnesses must ensure, that Key Access Component Holders are inserting their PIN Code paper sheets into correct envelopes, that indicate their full personal name.
Key Ceremony Administrator should now place a sufficient number of empty Key Access Component Cards on top of the envelopes containing PIN Code paper sheets. It is important to note, that the video camera should constantly record all activities related to access to the Key Access Component Cards and envelopes containing PIN Code paper sheets.
The Key Ceremony Administrator is now going to note the new Name for the newly configured Key Access Component Card Set, the Serial Number of each Key Access Component Card, that is about to be used and the details of each Key Access Component Holder (below) in this script. All attending Key Ceremony Witnesses must ensure, that the date entered into the script, the full personal name of each Key Access Component Holder and the Serial Number of the Key Access Component Card they are about to use is correct. They also must place their signature where indicated (below) in this section of the script.
Key Access Component Card Set
Name: …………………………………………………………………………………………………………………
Key Access Component Holder #1
Full Name: …………………………………………………………………………………………………………………
Card Serial Number: ……………………………………………………………………………………………
Key Access Component Holder #2
Full Name: …………………………………………………………………………………………………………………
Card Serial Number: ……………………………………………………………………………………………
Key Access Component Holder #3
Full Name: …………………………………………………………………………………………………………………
Card Serial Number: ……………………………………………………………………………………………
Key Access Component Holder #4
Full Name: …………………………………………………………………………………………………………………
Card Serial Number: ……………………………………………………………………………………………
Key Access Component Holder #5
Full Name: …………………………………………………………………………………………………………………
Card Serial Number: ……………………………………………………………………………………………
[53] The first HSM device (designated #1) was removed from production and connected to the computer prior to this ceremony and the event was monitored and supervised by an appointed company’s Head of Security.The Cryptographic Operation Control Software is now about to be used to cause the numbered (in section 3 above) operations to occur in the following sequence: 5.
During this phase of the Key Generation Ceremony, a new Key Access Component Card Set is created and bound to our HSM device security infrastructure. The card set configuration we choose is as follows:
b. Minimum number of smart cards required to access the private key: 3
c. Minimum number of smart cards required to recreate any lost smart card: 3
d. Minimum number of smart cards required to recover lost PIN codes: 3
e. Minimum number of smart cards required to recover a private key: 3
During this step, one of the HSM Security Administrators present at the ceremony will be requested by the Key Generation Ceremony Administrator to insert his Administrator’s Smart Card into the smart card reader interface of the HSM device in order to authorize the creation of a new Key Access Component Card Set. This is required by the HSM device, which operates in FIPS 140-2 level 3 modes.
Further during step, each appointed (in previous step) Key Access Component Holder will be requested to actively participate in the ceremony. The Key Generation Ceremony Administrator will require each Key Access Component Holder to separately follow the steps below:
a. Access their PIN envelope, that were previously placed on the Inventory Table
b. Re-read and memorize their PIN codes, that were previously written on their PIN Code paper sheet
c. Confirm to memorize their PIN code
d. Place their PIN Code paper sheet back into their envelope and place the envelope not sealed back on the Inventory Table
e. Take their smart card from the Inventory Table and when requested by the Key Generation Ceremony Administrator, walk towards the HSM device
f. When requested by the Key Generation Ceremony Administrator, insert their smart card into the smart card reader interface of the HSM device and when requested by the Key Generation Ceremony Administrator, enter and confirm their memorized PIN Code.
g. When requested by the Key Generation Ceremony Administrator, remove the smart card from the HSM smart card reader interface and place their smart card back on the Inventory Table on top of their PIN envelope.
The above sequence of steps will be repeated for each appointed new Key Access Component Holder.
All attending Witnesses must ensure, that each Key Access Component Holder accesses only their own Key Access Component Card and PIN envelope. They must also ensure, that all PIN Code paper sheets remain in envelopes, which are not sealed, and that relevant Key Access Component Cards reside on the top of each envelope on the Inventory Table at the end of this step.
The new card set will be subsequently used during this ceremony to encrypt and protect access to relevant private keys we are about to generate. The encryption key elements [components] are now stored on each PIN protected Key Access Component Card, which will be required to access newly generated and access protected private keys at any time.
[53] During the Key Access Component Card Set Configuration, at least two people from the Key Ceremony Attendees list of personnel were present at all times. No other personnel were permitted access to the room. The Cryptographic Operation Control Software required a PIN code to be entered before the software could communicate with any smart card (holding encryption key component [Key Access Component Card]) used during the Key Access Component Card Set configuration.
[53] The previous step left the HSM device #1 configured for use with our newly generated keys. The encryption key elements [components] are stored on several PIN protected smart cards, herein referred to as "Key Access Component Cards", which are required to access these keys at any time. The smart cards are currently visible on the Inventory Table and during the later phase of this ceremony will be distributed to the Key Access Component Holders, who are the only holders possessing PIN codes necessary to access the data stored on these smart cards.
We note, that there is no need to delete our encrypted keys from the hard disk within the computer as these keys are strongly encrypted by the HSM device and additional encryption key, that was divided into key elements (components) within a key set. If the key repository data was stolen, it would be useless without the HSM decryption key and additional encryption key elements (components) distributed to Key Access Component Holders inside the PIN protected Key Access Component Cards. The encrypted keys stored within the repository are in offline state and the computer with the hard drive storing the encrypted repository data will be kept safe in an isolated room with strict personnel and network access controls in place as well as video camera monitoring maintained 24 hours per day throughout the year.
All witnesses attending this part of the ceremony must ensure, that the date entered into this script is correct and the checksum values presented on the computer screen upon sequential execution of the checksum calculation commands, that are performed on private key data stored inside the repository as well as on the backup media, and the values written below by the Key Ceremony Administrator, exactly match. They also must place their signatures where indicated (below) in this section of the script.
Date: …………………………………………
Key 1
Common Name: ………………………………………………………………………………………………………
Checksum: …………………………………………………………………………………………………………………
Key 2
Common Name: ………………………………………………………………………………………………………
Checksum: …………………………………………………………………………………………………………………
…
Key N
Common Name: ………………………………………………………………………………………………………
Checksum: …………………………………………………………………………………………………………………
Witnessing Attendees’ Signatures:
[53] The removable media disks holding backup copies of our keys will now be separated placed into sealed envelopes and sent to be held at separate bank deposit facilities immediately after this ceremony. [53] 4. Since the private key we are about to use is encrypted and access protected, the Key Ceremony Administrator will require any 3 (three) Key Access Component Holders from the previously created Key Access Component Card Set, to separately follow the steps below:
b. Re-read and memorize their PIN codes, that were previously written on their PIN Code paper sheet
c. Confirm to memorize their PIN code
d. Place their PIN Code paper sheet back into their envelope and place the envelope not sealed back on the Inventory Table
e. Take their smart card from the Inventory Table and when requested by the Key Generation Ceremony Administrator, walk towards the HSM device
f. When requested by the Key Generation Ceremony Administrator, insert their smart card into the smart card reader interface of the HSM device and when requested by the Key Generation Ceremony Administrator, enter their memorized PIN Code.
g. When requested by the Key Generation Ceremony Administrator, remove the smart card from the HSM smart card reader interface and place their smart card back on the Inventory Table on top of their PIN envelope.
The above sequence of steps will be repeated for the number of Key Access Component Holders, that are selected by the Key Ceremony Administrator.
All attending Witnesses must ensure, that each Key Access Component Holder accesses only their own Key Access Component Card and PIN envelope. They must also ensure, that all PIN Code paper sheets remain in envelopes, which are not sealed, and that relevant Key Access Component Cards reside on the top of each envelope on the Inventory Table at the end of this step.
Furthermore, all Witnesses must ensure, that the correct private key is used during this step. This can be achieved by cross-checking whether the private key identifier file name along with the file system path, are both entered correctly by the Key Ceremony Administrator in the command prompt. These must match the private key details stored in the Key Map Document. The private key should be dedicated for use only with the new Root CA we created today hence the cross-check.
5. The previous step left the private key used to sign the newly created Root CA Certificate offline. It also permanently associated that private key with the new Root CA we created.
6. The Root CA Signing is now declared complete.
[53] An IBM compatible computer (hereafter referred to as "the computer") was set up in a room providing strict personnel access control, security camera monitoring [and electronic isolation from any computer networks].During this step, the Key Ceremony Administrator, using the Cryptographic Operation Control Software, will create new Subordinate CA and assign it to a dedicated private key that was previously generated during this ceremony. The newly created Subordinate CA will be signed by the Root CA that was created earlier during this ceremony.
To complete this process, the Key Ceremony Administrator will use a Naming Document, that contains the details of the new Subordinate CA we are about to sign, to create a certificate profile configuration file, containing various certificate related information such as: Subject Distinguished Name, Validity Period, Signature Algorithm, Certificate Serial Number and Certificate extensions. The certificate profile configuration file will be used by the Cryptographic Operation Control Software to create the new Subordinate CA certificate.
All attending Witnesses must ensure, that the certificate details entered into the certificate profile configuration file by the Key Ceremony Administrator, match the details contained in the Naming Document used during this ceremony. The new Subordinate CA Certificate details must be taken from the section of the Naming Document specifically dedicated for the correct Subordinate CA, for which the Subordinate CA Certificate is created.
Key Ceremony Administrator will capture and store during this step any relevant informational output produced on the computer screen by the Cryptographic Operation Control Software in the Key Map Document.
[53] Upon directing the Cryptographic Operation Control Software to sign the new Subordinate CA Certificate, the private key of the Root CA will need to be loaded to the HSM securely protected operational memory.b. Re-read and memorize their PIN codes, that were previously written on their PIN Code paper sheet
c. Confirm to memorize their PIN code
d. Place their PIN Code paper sheet back into their envelope and place the envelope not sealed back on the Inventory Table
e. Take their smart card from the Inventory Table and when requested by the Key Generation Ceremony Administrator, walk towards the HSM device
f. When requested by the Key Generation Ceremony Administrator, insert their smart card into the smart card reader interface of the HSM device and when requested by the Key Generation Ceremony Administrator, enter their memorized PIN Code.
g. When requested by the Key Generation Ceremony Administrator, remove the smart card from the HSM smart card reader interface and place their smart card back on the Inventory Table on top of their PIN envelope.
The above sequence of steps will be repeated for the number of Key Access Component Holders, that are selected by the Key Ceremony Administrator.
All attending Witnesses must ensure, that each Key Access Component Holder accesses only their own Key Access Component Card and PIN envelope. They must also ensure, that all PIN Code paper sheets remain in envelopes, which are not sealed, and that relevant Key Access Component Cards reside on the top of each envelope on the Inventory Table at the end of this step. Furthermore, all Witnesses must ensure, that the correct Root CA private key is used during this step. This can be achieved by crosschecking whether the private key identifier file name along with the file system path, are both entered correctly by the Key Ceremony Administrator in the command prompt. These must match the Root CA private key details stored in the Key Map Document. The correct Root CA private key should be used hence the crosscheck.
It also permanently associated an existing private key, that was generated earlier during this ceremony with the new Subordinate CA we created.
During the Signing Event, at least two people from the Key Ceremony Attendees list of personnel were present at all times. No other personnel were permitted access to the room. The Cryptographic Operation Control Software required a PIN code to be entered before the software could communicate with any smart card (holding encryption key component [Key Access Component Card]) used during the Signing Event.
[53] During this phase of the ceremony, the Key Ceremony Administrator will request each Key Access Component Card Holder to place their Key Access Component Cards in their PIN envelopes place the envelopes sealed on the Inventory Table.
8. Key Ceremony Conclusion
[53] All copies of the signed Key Ceremony Script are now going to be placed in the Archive Folder.
9. Key Ceremony Attendees Present
Name Title Company Signature
[This page printed blank to allow notes to be made]
[53] I am:
_______________________________________________________________________
CA Owner Organization Name:
___________________________________________________________
CA Owner Organization’s Address:
___________________________________________________________
CA Owner Organization’s Telephone Number:
___________________________________________________________
I confirm that I am in receipt of the following Component(s):
Description Details:
_________________________________________________________________________
_________________________________________________________________________
I confirm that:
I have understand that I am an official Component Receipt Shareholder.
I must keep my Component information secret.
I will only reveal my Component information at scheduled Key Ceremony events.
Under penalties of perjury, I declare to the best of my knowledge and belief, that the information I have provided is true, correct, and complete.
Signature: ___________________________________ Date: ____________________
I attest that:
I have validated the identity of this Key Access Component Holder
Under penalties of perjury, I declare to the best of my knowledge and belief, that the information I have provided is true, correct, and complete.
Notary Signature: _____________________________ Date:____________________
[53] I am:
_______________________________________________________________________
Organization Name:
___________________________________________________________
Organization Address:
___________________________________________________________
Telephone Number: ___________________________________________________________
Professional License and/or Association Number(s):_________________________
This letter of attestation is being provided on behalf of the following entity:
CA Owner Organization’s Name:
________________________________________________________________
CA Owner Organization’s Address:
________________________________________________________________
CA Owner Organization’s Telephone Number:
________________________________________________________________
I attest that:
Under penalties of perjury, I declare to the best of my knowledge and belief, that the information I have provided is true, correct, and complete.
Signature: ___________________________________ Date: ____________________
Notary Signature: _____________________________ Date: ____________________
Appendix III – Entry/Exit Log
________________________________________________________________
CA Owner Organization’s Address:
________________________________________________________________
CA Owner Organization’s Telephone Number:
________________________________________________________________
For compliance reasons, certain CA systems must prepare and document a complete set of WebTrust policies and procedures. Trusted Third Party [TTP] Certificate Authority [CA] (also known as 'Trust Centre') organisations and specific Government projects are two examples where WebTrust policies and procedures may be required in advance of conducting the WebTrust Audit.
There are typically three phases of the WebTrust implementation and these are sub divided and described in the following sub sections:
The CA’s management will make assertions along the following lines:
Management has assessed the controls over its CA operations. Based on that assessment, in ABC Certification Authority, Inc. (ABC-CA) Management’s opinion, in providing its certification authority (CA) services at [location], ABC-CA, during the period from [Month, day, year] through [Month, day, year]:
For an initial representation, the historical period covered should be at least two months or more as determined by the practitioner. For established CAs and CA functions, two months may be quite sufficient, while for new CAs and CA functions, the practitioner may believe that a longer initial period would be more appropriate. For subsequent representations, the period covered should begin with the end of the prior period, to provide continuous representation. Reports should be issued at least every 12 months. In some situations, given the business needs or expectations of relying parties, the practitioner may believe a shorter subsequent period would be more appropriate.
To have a basis for such assertions, the CA’s management should have made a risk assessment and implemented appropriate controls for its CA operations. The WebTrust for Certification Authorities criteria and illustrative controls provide a basis for a risk assessment and a minimum set of CA controls.
An independent, objective, and knowledgeable practitioner will perform tests of these representations under professional standards and provide a professional opinion, which adds to the credibility of management’s representations.
Comparison of a WebTrust for Certification Authorities Examination With Service Auditor Reports:
Professional standards currently exist for auditors to report on controls of third-party service providers (a service auditor’s engagement). Guidance for these engagements is set out in the Statement on Auditing Standards [SAS] No. 70 [SAS-70], Service Organizations, as amended.
WebTrust for Certification Authorities engagement differs from a service auditor’s engagement in a number of ways, including the following:
In addition, this approach maintains consistency in the professional standards used for the Suitable Trust Services Criteria and Illustrations.
To obtain the WebTrust seal of assurance, the CA must meet all the WebTrust for Certification Authorities principles as measured by the WebTrust for Certification Authorities criteria associated with each of these principles. In addition, the entity must engage a practitioner to provide the WebTrust service, and obtain an unqualified report from such practitioner.
Once the seal is obtained, the CA will be able to continue displaying it on its Web site provided the following are performed:
The WebTrust seal of assurance for the CA will be managed by a seal manager along the following lines:
To verify whether the seal displayed on a CA's Web site is authentic, the customer can:
To be understandable to the ultimate users—the subscriber and relying party—the following principles have been developed with the relying party in mind, and, as a result, are intended to be practical and non-technical in nature.
The second principle is—The certification authority maintains effective controls to provide reasonable assurance that:
Effective key management controls and practices are essential to the trustworthiness of the public key infrastructure. Cryptographic key management controls and practices cover CA key generation; CA key storage, backup, and recovery; CA public key distribution (especially when done in the form of self-signed “root” certificates); CA key escrow (optional); CA key usage; CA key destruction; CA key archival; the management of CA cryptographic hardware through its life cycle; and CA-provided subscriber key management services (optional). Strong key life cycle management controls are vital to guard against key compromise that can damage the integrity of the public key infrastructure.
The user certificate life cycle is at the core of the services provided by the CA. The CA establishes its standards and practices by which it will deliver services in its published CPS and CPs. The user certificate life cycle includes the following:
Effective controls over the registration process are essential, as poor identification and authentication controls jeopardize the ability of subscribers and relying parties to rely on the certificates issued by the CA. Effective revocation procedures and timely publication of certificate status information are also essential elements, as it is critical for subscribers and relying parties to know when they are unable to rely on certificates that have been issued by the CA.
The third principle is—The certification authority maintains effective controls to provide reasonable assurance that:
The establishment and maintenance of a trustworthy CA environment is essential to the reliability of the CA’s business processes. Without strong CA environmental controls, strong key and certificate life cycle management controls are severely diminished in value. CA environmental controls include CPS and CP management, security management, asset classification and management, personnel security, physical and environmental security of the CA facility, operations management, system access management, systems development and maintenance, business continuity management, monitoring and compliance, and event journaling.
To provide more specific guidance on meeting the WebTrust for Certification Authorities principles, the WebTrust for Certification Authorities criteria have been developed. These provide a basis against which a CA can make a self-assessment of its conformity with the criteria, and a consistent set of measurement criteria for practitioners to use in testing and evaluating CA practices.
The WebTrust for Certification Authorities criteria are presented under the three principles listed above (Principle 1, CA Business Practices Disclosure; Principle 2, Service Integrity, including key and certificate life cycle management controls; and Principle 3, CA Environmental Controls.
Each principle contains a series of criteria that the CA’s management asserts it has achieved. Depending on the scope of services provided by the CA, a number of the criteria may not be applicable. Criteria considered optional, depending on whether the CA provides the related services, are key escrow, certificate renewal, certificate suspension, the use of integrated circuit cards (ICCs), and the provision of subscriber key management services. If any of these services are provided by the CA, the criteria are applicable and must be tested by the practitioner. If any of these services are not provided by the CA, the criteria are not applicable and no modification of the standard report is necessary. In some situations, some RA services may be performed by another party that is not controlled by the CA, and therefore those activities are not included in the examination of the CA. In these circumstances the standard report should be modified to specify the exclusion of the specific RA activities from the scope of the examination.
This may be accomplished by reference to the CA’s business practice disclosures in which the CA specifies which RA activities it does not control. In all instances some RA activities will be performed by the CA and should be tested by the practitioner for compliance with the controls disclosed under Principle 1 and the criteria specified in Principle 2. In performing a WebTrust for Certification Authorities engagement, the practitioner must gain an understanding of the CA’s business model and services provided to determine which control criteria may not be applicable. For each of the disclosure and control criteria, there is a detailed list of illustrative disclosures and control procedures that might be followed by the CA to meet the related criteria. The illustrative disclosures and controls do not necessarily need to be in place for a criterion to be met in a given business circumstance and alternatives may be sufficient.
The CA Business Practices Disclosure criteria were derived primarily from the Internet Engineering Task Force’s (IETF) Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices FrameworkRequest For Comments Draft (RFC 2527), which has been incorporated into Annex A of the draft ANSI X9.79 standard. For specific key and certificate life cycle management (Principle 2) and CA environmental illustrative controls (Principle 3), in which the CA’s implemented controls may vary depending on the CA’s business practices, such illustrative controls refer to specifically required CA business practices disclosures included in Principle 1 [55].
Links:
[1] https://www.digi-sign.com/downloads/download.php?id=digi-ca-pdf
[2] http://www2.digi-sign.com/digi-ca
[3] http://www2.digi-sign.com/compliance/list+standards
[4] http://www2.digi-sign.com/certificate+authority
[5] http://www2.digi-sign.com/en/digi-cast
[6] http://www2.digi-sign.com/http
[7] http://www2.digi-sign.com/electronic+identification
[8] http://www2.digi-sign.com/en/about/announcements/qualified+certificates
[9] http://www2.digi-sign.com/service/digi-cast
[10] http://www2.digi-sign.com/compliance/introduction
[11] http://www2.digi-sign.com/href
[12] http://www2.digi-sign.com/digi-ca/time+stamp
[13] http://www2.digi-sign.com/two+factor+authentication
[14] http://www2.digi-sign.com/digital+certificate
[15] http://www2.digi-sign.com/digi-id
[16] http://www2.digi-sign.com/digi-ca/administrator/online+certificate+status+protocol
[17] http://www2.digi-sign.com/digi-ca/administrator/time+stamp
[18] https://www.digi-sign.com/downloads/download.php?id=digi-bill-pdf
[19] http://www2.digi-sign.com/compliance/cwa+15580
[20] http://www2.digi-sign.com/compliance/cwa+15588
[21] http://www2.digi-sign.com/compliance/cwa+15581
[22] http://www2.digi-sign.com/compliance/cwa+15582
[23] http://www2.digi-sign.com/compliance/etsi/101+861
[24] http://www2.digi-sign.com/compliance/etsi/102+023
[25] http://www2.digi-sign.com/compliance/cwa+15579
[26] http://www2.digi-sign.com/repository/certificate+practice+statement
[27] https://www.digi-sign.com/downloads/download.php?id=cio-digi-cast-pdf
[28] http://www2.digi-sign.com/compliance/iso/27001
[29] https://www.digi-sign.com/downloads/download.php?id=digi-cast-pdf
[30] http://www2.digi-sign.com/public+key+infrastructure
[31] http://www2.digi-sign.com/service/digi-cast/asset+management
[32] http://www2.digi-sign.com/service
[33] http://www2.digi-sign.com/compliance
[34] mailto:adlinh@cio.gov.bh
[35] mailto:aabualfath@cio.gov.bh
[36] mailto:smalkhalifa@cio.gov.bh
[37] mailto:osamarf@cio.gov.bh
[38] mailto:kaljalahma@cio.gov.bh
[39] mailto:cssoshg@cio.gov.bh
[40] mailto:alghatamhe@cio.gov.bh
[41] mailto:aljassimk@cio.gov.bh
[42] mailto:malamer@cio.gov.bh
[43] mailto:alothmank@cio.gov.bh
[44] mailto:soudbah@cio.gov.bh
[45] mailto:elhama@cio.gov.bh
[46] mailto:monamj@cio.gov.bh
[47] mailto:yashoor@cio.gov.bh
[48] mailto:alshamyah@cio.gov.bh
[49] mailto:razanaak@cio.gov.bh
[50] mailto:aalmahmood@cio.gov.bh
[51] http://www2.digi-sign.com/ssl+certificate
[52] https://www.digi-sign.com/downloads/download.php?id=digi-ca-admin-pdf
[53] http://www2.digi-sign.com/downloads/digi-ca-admin-manual
[54] http://www.webtrust.org/abtseals.htm
[55] http://www2.digi-sign.com/en/digi-cast/webtrust/first+principal