Closed Bug 1833667 Opened 11 months ago Closed 5 months ago

certSIGN: Findings in 2023 ETSI Audit for certSIGN ROOT CA G2 - Audit Incident Report

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: gabriel.petcu, Assigned: gabriel.petcu)

Details

(Whiteboard: [ca-compliance] [audit-finding] Next update 01-Nov-2023)

Steps to reproduce:

Findings reported in the LSTI Audit Attestation for certSIGN LSTI_AAL_1612-300_V1.0 from 2023-05-11.
All the findings were considered by the auditors as minor nonconformities.

Actual results:

Issue #1: Optimize retrieval of logs (ETSI EN 319 401 REQ-7.10-01)
Issue #1 Description: Logs are centralized into the SIEM server. However, it could be observed, after various attempts performed during the audit, that the logs related to the certificate lifecycle (certificate creation or revocation events, showing information that could allow a link with the subjects to be established, such as the DN), were difficult to retrieve from this server.
Issue #1 Root Cause of Issue: Complexity of various PKI systems and a considerable number of devices with different scopes without proper tagging due to historical reasons.
Issue #1 Remediation Plan for this Issue:
Analysis – by mid of April 2023
Selection of solutions – by mid of May 2023
Implement pilots – by end of July 2023
Test & conclude – by end of October 2023
Implement final solution & validate – by end of 2023
Issue #1 Status: On-going. Analysis activities have been performed according to the remediation plan.

Issue #2: Increase integrity protection on long term logs (ETSI EN 319 401 REQ-7.10-02)
Issue #2 Description: Long term retention of logs (cold archive logs) is provided from a filesystem on a Linux server, on which integrity is ensured via simple hashes. This mechanism does not guarantee an efficient preservation of the integrity of these logs.
Issue #2 Root Cause of Issue: The logs are backed up on different systems with separated access rights, and the risk analysis was validated and approved with the residual risk.
Issue #2 Remediation Plan for this Issue: Update the Policy and procedures for periodically storing the logs on external media (Blu-ray, tape, …). The procedure for the annual review includes the review of the implemented policies and procedures.
Issue #2 Status: Completed. Information Security Policy was updated (to v2.2); internal monitoring & logging procedures have been updated, as has the Procedure for the annual review of Policies & Procedures.

Issue #3: Generic link in the CPS (ETSI EN 319 401 REQ-6.1-01)
Issue #3 Description: The TSA Practice Statements (§7.6.3) claim that the TSU certificate is published on the repository (https://www.certsign.ro/repository), which is not the case (the TSU certificate can be found at the following URL: https://www.certsign.ro/ro/resurse/lantul-de-incredere-g2/).
Issue #3 Root Cause of Issue: The links in the CPS were all directing to the main Repository, where the visitor may choose many other directions to browse.
Issue #3 Remediation Plan for this Issue: Update the Practice Statement with the exact link to each resource. The procedure for the annual review will include the review of the links published in each CPS.
Issue #3 Status: Completed. TSA2 CPS/CPP updated: certSIGN TSA 2 - Certification Practice Statement; the internal Procedure for the annual review of Policies & Procedures was also updated.

Issue #4: Incorrect value in SAN extension (ETSI EN 319 411-1 GEN-6.6.1-02)
Issue #4 Description: The value contained in the SAN extension of the OCSP certificate does not match the value specified in the CPS (office@certsign.ro).
Issue #4 Root Cause of Issue: Wrong evidence presented to the auditor.
Issue #4 Remediation Plan for this Issue: Present the valid OCSP certificate that has the proper value.
Issue #4 Status: Completed. The correct certificate was sent to the auditor as evidence.

Issue #5: Lack of a process description in the CPS. (ETSI EN 319 401 REQ-6.1-01)
Issue #5 Description: The certSIGN Qualified CA CPS does not cover all cases encountered under the scope of this hierarchy. Qualified certificates not delivered on a QSCD (e.g., p12) are not addressed.
Issue #5 Root Cause of Issue: Incorrect assessment of the coverage of all processes in the CPS.
Issue #5 Remediation Plan for this Issue: Update the Qualified CA CPS with the missing information. The procedure for the annual review will include a review done by personnel not involved in writing the CPS content.
Issue #5 Status: Completed. Qualified CA CPS updated to v2.35.

Issue #6: Inconsistency of Risk coverage (ETSI EN 319 401 REQ-7.3.1-02)
Issue #6 Description: The asset list shows class 5 assets (high importance), a column mentions the need for log collection, but the column "effective log collection" is set to "NO". No explanation and no plan to reconcile the need and the state are identified, thus potential residual risks could appear from this status.
Issue #6 Root Cause of Issue: Obsolete file of the asset inventory without the latest updates.
Issue #6 Remediation Plan for this Issue: A review will be made to see if the need of log collection remains for all the assets identified, followed by an analysis of capabilities to really collect the logs. For all assets, the need and capability of collection will be validated, and the log collection will be updated. The annual review of the asset inventory will make sure no such situation will remain untreated.
Issue #6 Status: Completed. Analysis done and asset inventory updated.

Issue #7: Alarm missing on open door (ETSI EN 319 411-1 OVR-6.4.2-02)
Issue #7 Description: At the time of the audit, no alarm is set if the high security room containing the CAs, the offline root CAs, remains open.
Issue #7 Root Cause of Issue: Alarm configuration error.
Issue #7 Remediation Plan for this Issue: The security officer will check weekly that the alarm functions as expected.
Issue #7 Status: Completed. The acoustic alarm of the open door was already re-enabled.

Issue #8: High security zone vulnerability (ETSI EN 319 411-1 OVR-6.5.7-04)
Issue #8 Description: Access to the datacenters is only granted to CERTSIGN trusted roles, and access to the core PKI room needs dual access from trusted roles. But there is one exception: the security guard of the building, who is not CERTSIGN staff, owns a badge that can access everywhere, including the PKI core room containing the CAs. This situation is known to the CISO but is not mentioned as an accepted residual risk in the Risk Analysis, and no mitigation is defined to reduce this risk.
Issue #8 Root Cause of Issue: Missing the known risk from the Risk Analysis.
Issue #8 Remediation Plan for this Issue: Update the Risk Analysis accordingly. Dual control will be installed for access to the data center. The second control will be a keyboard where a PIN must be entered. Each employee will have their own code. The building's employees will not receive their code, but they will be informed that in cases of emergency requiring entry to the data center, they will have to call a given phone number where they will receive the access code. After the event, the code will be changed.
Issue #8 Status: On-going. Updating the Risk Analysis and planning for the dual control solution.

Expected results:

6 of the 8 findings have already been closed.
2 of the 8 findings are on-going, according to the remediation plan for each.
We will update this ticket on any changes to the remediation plans and on completion of remediation actions.
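Issue #2 above turns on why "simple hashes" stored beside a cold log archive do not preserve integrity: whoever can alter the archive can also regenerate the unkeyed digests. The following is an added illustration (not certSIGN's code; the log lines, file name and key are constructed for the demo) contrasting an unkeyed SHA-256 manifest with a keyed HMAC manifest whose key is assumed to live off the archive host.

```python
import hashlib
import hmac
from pathlib import Path
from tempfile import TemporaryDirectory

# Constructed sample "cold archive" CA event log (not real certSIGN data).
SAMPLE_LOG = (
    "2023-03-01T10:00:00Z event=issue serial=0A1B subject=CN=example\n"
    "2023-03-01T10:05:00Z event=revoke serial=0A1B reason=keyCompromise\n"
)


def sha256_manifest(path: Path) -> dict:
    """Weak scheme from the finding: unkeyed digest kept next to the archive."""
    return {"sha256": hashlib.sha256(path.read_bytes()).hexdigest()}


def verify_sha256(path: Path, manifest: dict) -> bool:
    return hmac.compare_digest(sha256_manifest(path)["sha256"], manifest["sha256"])


def hmac_manifest(path: Path, key: bytes) -> dict:
    """Keyed scheme: tag cannot be regenerated without the key (assumed to be
    held on a separate, access-controlled system, never on the archive host)."""
    return {"hmac": hmac.new(key, path.read_bytes(), hashlib.sha256).hexdigest()}


def verify_hmac(path: Path, manifest: dict, key: bytes) -> bool:
    return hmac.compare_digest(hmac_manifest(path, key)["hmac"], manifest["hmac"])


def demo() -> dict:
    """Archive a log, then simulate someone with write access on the archive
    filesystem deleting the revocation record and refreshing the on-disk hash."""
    with TemporaryDirectory() as d:
        log = Path(d) / "ca-events-2023-03.log"
        log.write_text(SAMPLE_LOG)
        key = b"constructed-demo-key"  # placeholder for the off-host key
        plain, keyed = sha256_manifest(log), hmac_manifest(log, key)
        before = verify_sha256(log, plain) and verify_hmac(log, keyed, key)

        log.write_text(SAMPLE_LOG.splitlines(keepends=True)[0])  # drop line 2
        refreshed = sha256_manifest(log)  # needs no secret, so the actor can do it
        return {
            "intact_before_tamper": before,
            "unkeyed_original_manifest_matches": verify_sha256(log, plain),
            "unkeyed_refreshed_manifest_matches": verify_sha256(log, refreshed),
            "keyed_manifest_matches": verify_hmac(log, keyed, key),
        }
```

The refreshed unkeyed manifest verifies cleanly after the deletion, while the keyed one fails, which is the gap the write-once external media in the remediation plan closes from the storage side.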

Assignee: nobody → gabriel.petcu
Status: UNCONFIRMED → ASSIGNED
Type: defect → task
Ever confirmed: true
Whiteboard: [ca-compliance]
Whiteboard: [ca-compliance] → [ca-compliance] [audit-finding]

Issue #1 update: the team is preparing for a pilot implementation. We are on schedule, according to the remediation plan. Status: On-going.
Issue #8 update: the card readers with PINs have been installed. The associated procedure has been updated, approved and distributed. The risk analysis was updated. Status: Completed.

7 of the 8 findings have been closed.
1 of the 8 findings is still on-going, according to the remediation plan.
We will continue to update this ticket on any changes to the remediation plan and on completion of remediation actions.

Whiteboard: [ca-compliance] [audit-finding] → [ca-compliance] [audit-finding] Next update 2023-07-31

Issue #1 update: the pilot was finalized. Working on testing and drawing conclusions for optimizations. Status: On-going.
7 of the 8 findings have been closed.
1 of the 8 findings is still on-going, according to the remediation plan.
We will continue to update this ticket on any changes to the remediation plan and on completion of remediation actions.

Please provide a status on your efforts to remediate the final unresolved finding.

Flags: needinfo?(gabriel.petcu)

Issue #1 update: Ongoing testing.
7 of the 8 findings have been closed.
1 of the 8 findings is still on-going, according to the remediation plan.
We will continue to update this ticket on any changes to the remediation plan and on completion of remediation actions.

Flags: needinfo?(gabriel.petcu)

Can you provide a timeline of when you will be complete? Then I will indicate a "Next Update" on the whiteboard. Otherwise, we will expect weekly updates.

Whiteboard: [ca-compliance] [audit-finding] Next update 2023-07-31 → [ca-compliance] [audit-finding]

Issue #1 timeline:
Implement final solution - 31-Oct-2023
Validate and close - 10-Nov-2023

Whiteboard: [ca-compliance] [audit-finding] → [ca-compliance] [audit-finding] Next update 01-Nov-2023

Issue #1 timeline:
Final solution - implemented
Validate and close - 10-Nov-2023

Issue #1 validated and closed as planned.
We have no additional remediation items and consider the audit findings resolved unless there are further questions.

I will close this on Friday, 17-Nov-2023, unless there are any issues raised.

Flags: needinfo?(bwilson)
Status: ASSIGNED → RESOLVED
Closed: 5 months ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED