Subject: Policy-Discussion
List archive
- From: Daniel Black <daniel AT cacert.org>
- To: cacert-policy AT lists.cacert.org
- Subject: Re: SP review questions comments and improvements
- Date: Thu, 25 Mar 2010 13:11:17 +1100
- Authentication-results: lists.cacert.org; dkim=pass (1024-bit key) header.i= AT cacert.org; dkim-asp=none
- Organization: CAcert
I don't know whether this is or isn't a good time to review the SP but I will
and here are my notes with suggested text:
2. PHYSICAL SECURITY
2.1. Facility - I'm assuming this is a board decision as to which facility -
does it need to be specified?
4.1.4 Outsourcing - is blank
See 9.4
4.3. Backup
4.3.2. Frequency - is blank
suggest adding "The frequency of backups will be at the system administration
team leader's discretion."
4.3.3. Storage - same as 2.1 - who decides on the appropriateness of the
security here?
5.1 Incidents
5.5. Response - is blank. Suggest...
The response plan is to be determined by the system administration team
leader.
9.1.4. Background Check Procedures
9.1.4.2. Coverage
- Board
Giving a Background Check on the board would imply that they can be denied a
position because of this. This needs to be included in the Rules of
Association. The policy group doesn't have the authority to change the rules
of association. Therefore this point should be dropped and proposed to the
association if desired.
This doesn't have an impact because the board cannot access personal data nor
can they individually have any access that affects the confidentiality of root
or personal data.
Conflict of interest in the board is the responsibility of the NSW
Association Incorporation Act. And there's penalties too:
http://www.austlii.edu.au/au/legis/nsw/consol_act/aia2009307/s33.html
A committee member of an association who ... caus[es] detriment to the
association is guilty of an offence (Maximum penalty: 240 penalty units or
imprisonment for 2 years, or both). 1 penalty unit is $110 (Crimes
(Sentencing Procedure) Act 1999 No 92 section 17)
9.1.5. Authorisation
"Board members who are also active in the area should recuse from the vote".
So board members acting or involved in a team who have a good perspective of
viewing the appropriateness of another potential team member are denied
voting on deliberations? Not a big issue but it doesn't make good policy sense.
9.4. Outsourcing
"All arrangements must be: with Members of CAcert that are Assurers, as
individuals, or Assured Organisations."
I'm thinking at most this should apply only to critical infrastructure. Do we
need to find an assured ISP to get bandwidth for example? The rest of the
criteria here should only be mandatory for critical infrastructure. I doubt
we could get an ISP to agree to the DRP for example.
--
Daniel Black
CAcert