
cacert-policy - Re: Modification of SP

Subject: Policy-Discussion


Re: Modification of SP


  • From: Pieter van Emmerik <pve.cacert AT gmail.com>
  • To: cacert-policy AT lists.cacert.org
  • Subject: Re: Modification of SP
  • Date: Wed, 31 Mar 2010 21:42:46 +0200
  • Authentication-results: lists.cacert.org; dkim=pass (1024-bit key) header.i= AT gmail.com; dkim-asp=none

Hi all,

As the board of CAcert consists of persons elected by members of the CAcert association, I do not think they should have the requirement of a background check except when they want to get access to critical systems or sensitive information.
They form a political function and as such qualify because they have been elected by association members.
Granting access to sensitive resources is not the same as having access to those resources.
If board members want to have access to critical or sensitive data, then of course they also have to be background checked.
Granting access is more an administrative and/or political action.
If in that process no access to critical systems or sensitive data is needed, a background check is unnecessary.
For comparison: in a company which handles secret information, the people handling that secret information will need to have a government-issued security clearance; however, the management that hires them does not necessarily need to have a security clearance, as they do not access classified information themselves.

On 31-3-2010 17:55, Philipp Dunkel wrote:
Hi all,
you will have indubitably noticed the veto of the CAcert Inc. board of the Security Policy.

In order to remedy the situation I would like to propose the following change to the WIP Security Policy:

alter 9.1.4.2 to read:

  • 9.1.4.2. Coverage
  • A background check is to be done for all critical roles. The background check should be done on all of:
    • Systems Administrator
    • Access Engineers
    • Software Assessor (including Application Engineer)
    • Support Engineer
    • Board members that wish to partake in decisions on granting access to data or other sensitive resources
This little change would give CAcert Inc. Board Members a choice of either undergoing a background check like every other security sensitive position, or alternatively not partaking in certain decisions made by CAcert Inc. Due to the fact that it is now up to each member individually, and the CAcert Inc. membership is now free to vote anyone they choose onto the CAcert Inc. Board, the reason given for the veto would be remedied.

I would like to get a discussion on this started and see whether we can remedy the Security Policy and move it back into DRAFT. So please all take part and be merry.

Regards, Philipp


-- 
Pieter van Emmerik
Email: pve.cacert AT gmail.com

CAcert assurer 000419

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature



