[Servercert-wg] Ballot SC 21 - Section 3 of the NetSec Requirements - Voting Period
Tamer ERGUN
tamer.ergun at kamusm.gov.tr
Thu Oct 3 01:43:31 MST 2019
Kamu SM votes YES to Ballot SC21.
Regards,
Tamer
From: Servercert-wg <servercert-wg-bounces at cabforum.org
<mailto:servercert-wg-bounces at cabforum.org> > On Behalf Of Ben Wilson via
Servercert-wg
Sent: 27 September 2019 04:46
To: Ben Wilson via Servercert-wg <servercert-wg at cabforum.org
<mailto:servercert-wg at cabforum.org> >
Subject: [Servercert-wg] Ballot SC 21 - Section 3 of the NetSec Requirements
- Voting Period
Ballot SC21: To Revise a Final Maintenance Guideline - the Network and
Certificate Systems Security Requirements section 3.e. to allow for
continuous, automated monitoring; edit section 3.f. to improve wording, and
add section 3.g. to establish a response time for automated alerts.
Purpose of Ballot
The Network and Certificate System Security Requirements committee is
proposing this ballot to revise the current requirements to better allow for
automation and continuous monitoring of systems. The goal of this ballot is
to remove manual efforts that can be less effective and more
resource-intensive than automated monitoring and alerting.
This ballot also adds specific requirements in terms of the timeliness for
addressing alerting from automated monitoring and alerting to ensure the
implementation of automation does not increase the length of time that a
potential issue could go without being detected.
It is proposed by Ben Wilson of DigiCert and endorsed by Trevoli Ponds-White
of Amazon and Fotis Loukos of SSL.com to revise the Network and Certificate
System Security Requirements (Requirements) as set forth in the following
language of Section 3 of the Requirements, to be EFFECTIVE ninety (90) days
after completion of the IPR Review Period:
*- BALLOT BEGINS -*
DELETE SUBSECTIONS e. and f. of SECTION 3 OF THE NETWORK AND CERTIFICATE
SYSTEM SECURITY REQUIREMENTS
AND
INSERT THE FOLLOWING IN SECTION 3:
e. Monitor the integrity of the logging processes for application and
system logs through continuous automated monitoring and alerting or through
a human review to ensure that logging and log-integrity functions are
effective. Alternatively, if a human review is utilized and the system is
online, the process must be performed at least once every 31 days.
f. Monitor the archival and retention of logs to ensure that logs are
retained for the appropriate amount of time in accordance with the disclosed
business practices and applicable legislation.
g. If continuous automated monitoring and alerting is utilized to
satisfy sections 1.h. or 3.e. of these Requirements, respond to the alert
and initiate a plan of action within at most twenty-four (24) hours.
*- BALLOT ENDS -*
The procedure for approval of this ballot is as follows:
Voting (7 days)
Start Time: 23:00 UTC, Thursday, September 26, 2019
End Time: 23:00 UTC, Thursday, October 3, 2019
*** WARNING ***: USE THE PDF ATTACHMENT / GITHUB AT YOUR OWN RISK. THE
REDLINE VERSIONS PROVIDED ARE NOT THE OFFICIAL VERSION OF THE CHANGES AND
THE BALLOT VERSION ABOVE TAKES PRECEDENCE OVER SUCH REDLINE VERSIONS IN
ACCORDANCE WITH SECTION 2.4.1 OF THE FORUM BYLAWS:
<https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.co
m%2Fcabforum%2Fdocuments%2Fcompare%2Fmaster...tobij%3A25169b17812645641b9843
426eb0af41d8e96ec6&data=02%7C01%7Cvijay%40emudhra.com%7Cff35bde11534488b7cd7
08d742d78627%7C11219a1f9e6240568ee2d013be03405f%7C0%7C0%7C637051365772162410
&sdata=G%2FXKhmYOak4rNXEL8tSA2b3PacOkKhpSnZL2o9o71tw%3D&reserved=0>
https://github.com/cabforum/documents/compare/master...tobij:25169b178126456
41b9843426eb0af41d8e96ec6
Sorumluluk Reddi
Bu e-posta mesaji ve onunla iletilen tum ekler gonderildigi kisi ya da kuruma ozel olup, gizli imtiyazli, ozel bilgiler icerebilecegi gibi gizlilik yukumlulugu de tasiyor olabilir. Bu mesajda ve ekindeki dosyalarda bulunan tum fikir ve gorusler sadece adres yazarina ait olup, TUBITAK / Kamu SM?nin resmi gorusunu yansitmaz. TUBITAK / Kamu SM bu e-posta icerigindeki bilgilerin kullanilmasi nedeniyle hic kimseye karsi sorumlu tutulamaz. Mesajin yetkili alicisi veya alicisina iletmekten sorumlu kisi degilseniz, mesaj icerigini ya da eklerini kullanmayiniz, kopyalamayiniz, yaymayiniz, baska kisilere yonlendirmeyiniz ve mesaji gonderen kisiyi derhal e-posta yoluyla haberdar ederek bu mesaji ve eklerini herhangi bir kopyasini muhafaza etmeksizin siliniz. Kurumumuz size, mesajin ve bilgilerinin degisiklige ugramamasi, butunlugunun ve gizliligin korunmasi konusunda garanti vermemekte olup, e-posta icerigine yetkisiz olarak yapilan mudahale, virus icermesi ve/veya bilgisayar sisteminize verebi
lecegi herhangi bir zarardan da sorumlu degildir.
******************************************
Disclaimer
This e-mail message, including any attachments, is intended only for the use of the individual or entity to whom it is addressed and may contain confidential, privileged, private information as well as the exemption from disclosure. The information and views set out in this email are those of the author and do not necessarily reflect the official position of TUBITAK / Kamu SM. TUBITAK / Kamu SM shall have no liability to any person with regard to the use of the information contained in this message. If you are not the intended addressee(s) or responsible person to inform the addressee(s), you are hereby notified that; any use, dissemination, distribution, or copying of this message and attached files is strictly prohibited. Please notify the sender immediately by e-mail and delete this message and any attachments without retaining a copy. TUBITAK / Kamu SM do not warrant for the accuracy, completeness of the contents of this email and/or the preservation of confidentiality, and shall
not be liable for the unauthorized changes made to this message, viruses and/or any damages caused in any way to your computer system.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20191003/d1102d3e/attachment-0001.html>
More information about the Servercert-wg
mailing list