Closed Bug 1902310 Opened 4 months ago Closed 3 months ago

Sectigo: Trusted Role Access provided prior to completion of onboarding process

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: martijn.katerbarg, Assigned: martijn.katerbarg)

Details

(Whiteboard: [ca-compliance] [policy-failure])

Preliminary Incident Report

Summary

During our annual WebTrust audit, our auditors became aware that access was granted to a set of CA Systems for two employees prior to the completion of a full background check as well as for three further employees prior to the completion of their validation training.

We are currently gathering all details on this incident and will provide a full incident report no later than Friday June 21st.

Incident Report

Summary

During our annual WebTrust audit, our auditors became aware that access was granted to a set of Certificate Systems for two employees prior to the completion of a full background check as well as for three separate employees prior to the completion of their validation training.

As we do not intend to provide the names of employees, we will refer to them as Employee #1 through Employee #5.

Our CPS requires background checks to be completed, as do the EVGs. Our CPS reads:

All trusted personnel, except those working for external RAs, have background checks before access is granted to Certificate Systems. These checks may include, but are not limited to, verification of the individual’s identity using a government issued photo ID, credit history,
employment history, education, character references, social security number, criminal background, and a Companies House cross-reference to disqualified directors.

In the case of employees #1 and #2, we completed social security number verification and verification of identity using a government issued photo ID prior to providing access, but we did not complete criminal background checks until after providing access. While this technically meets the requirements as stated in our CPS, we intend for background checks to include a criminal background check.

While the EVGs do require background checks to be completed including “Verify the Trustworthiness of Such Person”, that language starts by calling out when it is applicable: “Prior to the commencement of employment of any person by the CA for engagement in the EV Processes”. We do not grant permissions for processing EV Certificates to newly onboarded employees. As such, this requirement was not affected.

Regarding Validation Training, we provide training through both the “buddy-system” as well as recorded training and assessments, called the Validation Training Exam Course. While training through the buddy-system was completed for all employees, we only have the eye-witness accounts of this as evidence. The formal Validation Training Exam Course, which is recorded partially for audit purposes, was not completed until after we granted access.

Our audit firm intends to call out these errors as findings in our upcoming report. Therefore, we are reporting them here for the community to observe and track.

Impact

Lack of clear evidence to prove training was completed prior to account creation has led to a finding during our annual WebTrust audit.

We have opted to open a regular Incident Report, rather than an Audit Incident Report, as the official audit report is not yet delivered.

Timeline

All times are UTC.

2023-03-29:

  • We complete verification of identity through government issued photo ID for Employee #1 and #2.
  • A criminal background check is requested for Employee #1 and #2.

2023-04-05:

  • Preliminary criminal background report is delivered for Employee #2.

2023-04-18:

  • 08:27 Certificate System account is created for Employee #1.
  • 08:28 Certificate System account is created for Employee #2.

2023-04-24:

  • Final criminal background report is delivered for Employee #2.

2023-05-10:

  • Final criminal background report is delivered for Employee #1.

2023-06-21:

  • 08:00 Start date of Employee #3 in a Validation capacity. Buddy-system training starts same day.

2023-07-03:

  • 14:49 Certificate System account is created for Employee #3.

2023-09-06:

  • 04:30 Start date of Employee #4 in a Validation capacity. Buddy-system training starts same day.

2023-09-11:

  • 13:23 Our internal audit report for Q2-2023 is completed. The report highlights that accounts for Employee #1 and #2 were created prior to completion of the criminal background check. Internal audit determines this to be a violation of internal policy and registers it against our security policies. We determine it is not a violation of our CPS as written.

2023-09-20:

  • 04:30 Start date of Employee #5 in a Validation capacity. Buddy-system training starts same day.
  • 12:03 Certificate System account is created for Employee #4.

2023-09-28:

  • 10:30 Certificate System account is created for Employee #5.

2023-11-28:

  • Validation Training Exam Course is completed by Employee #3 as part of annual training.

2024-03-13:

  • Validation Training Exam Course is completed by Employee #4 as part of annual training.

2024-03-14:

  • Validation Training Exam Course is completed by Employee #5 as part of annual training.

2024-06-12:

  • 16:16 Our auditors raise an issue with validation training not having been completed on time for Employees #3 through #5.

Root Cause Analysis

These discrepancies come down to a lack of sufficient evidence registration, combined with a gap in our procedures for employee onboarding, system access requests, and account provisioning.

Our current onboarding process relies on multiple internal parties:

  • HR for completion of background checks and training assignments.
  • IT and/or Compliance for Certificate System account creation (depending on the requested system).
  • An employee’s direct manager for a System Access Request (SAR).

In the past, receiving a SAR has reliably indicated that all training and checks have been completed. This, however, did not prove true in the instances listed here. On more than one occasion a manager requested account access as part of the onboarding process prior to the completion of training, while those responsible for the creation itself did not always confirm the training and background checks had been completed.

We are declaring this an incident because of the lack of evidence. While our official Validation Training Exam Course provides detailed training to employees on a per-validation level and per-certificate type, we continue to believe that training through the buddy-system is a lot more effective. Through this training, new employees sit together with one of their peers for several days, getting to know our systems, our products, and our procedures. Simultaneously they get familiar with the system itself. This more hands-on approach has proven to be valuable, and we believe continuing this is in everyone’s best interest.

The problem with this buddy-system, however, is that it does not directly track which trainings have been given. We will return to this in our action items.

We did not foresee this scenario in the design and implementation of our onboarding processes, and therefore we have not previously built in a mechanism to more formally track buddy system training.

Lessons Learned

What went well

  • Validation training using the “buddy-system” occurred prior to account creation, meaning no unauthorized and no untrained personnel obtained access.
  • We did perform background checks before onboarding new employees. However, they weren’t as thorough as we want them to be.

What didn't go well

  • We did not register validation training using the “buddy-system”, resulting in a lack of clear evidence.

Where we got lucky

  • Criminal background check reports delivered after account creation did not report any findings.

Action Items

Action Item | Kind | Due Date
Update and enforce policies for account creations on Certificate Systems, to make sure background checks and trainings have been completed prior to account creation. | Prevent | Completed
Set up internal page for the registration of buddy-system training sessions for evidence collection. | Prevent | 2024-07-01
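The two action items describe a single control: an account on a Certificate System may only be provisioned once every required onboarding item (background check, formal training, buddy-system session) has been recorded as evidence, and the same records can be replayed afterwards to detect accounts that were created too early. The following script is an added illustration of that control and is not Sectigo's code; the employee records are constructed from the dates in the timeline above, and the evidence kinds, field names and the rule that an unrecorded buddy-system session counts as missing are assumptions of this example.

```python
"""Gate and audit Certificate System account provisioning on onboarding evidence.

Constructed example: records are built from the dates given in the bug's
timeline; evidence kinds, field names and the buddy-training rule are
assumptions, not Sectigo's actual data model.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple


def ts(text: str) -> datetime:
    """Parse an ISO-8601 timestamp (dates without a time are taken as 00:00 UTC)."""
    return datetime.fromisoformat(text)


@dataclass
class OnboardingRecord:
    employee: str
    account_created: Optional[datetime]          # None: no account provisioned yet
    evidence: Dict[str, Optional[datetime]]      # kind -> when it was recorded; None = not recorded
    required: Tuple[str, ...]                    # kinds that must be recorded before provisioning


def missing_evidence(rec: OnboardingRecord, at: datetime) -> List[str]:
    """Return the required evidence kinds that were not recorded on or before `at`.

    An item that happened but was never written down (buddy-system training here)
    is treated exactly like one that has not happened: no record, no evidence.
    """
    return [kind for kind in rec.required
            if rec.evidence.get(kind) is None or rec.evidence[kind] > at]


def may_provision(rec: OnboardingRecord, now: datetime) -> bool:
    """Provisioning gate: allow account creation only when nothing is missing."""
    return not missing_evidence(rec, now)


def audit(records: List[OnboardingRecord]) -> Dict[str, List[str]]:
    """Retrospective check over existing accounts, as an internal audit would run it.

    Returns {employee: [evidence kinds missing at account-creation time]} for
    every account that was created before its onboarding evidence was complete.
    """
    findings = {}
    for rec in records:
        if rec.account_created is None:
            continue
        gaps = missing_evidence(rec, rec.account_created)
        if gaps:
            findings[rec.employee] = gaps
    return findings


# Constructed from the timeline in the report (final, not preliminary, criminal
# background reports; buddy-system sessions were given but never recorded).
RECORDS = [
    OnboardingRecord("Employee #1", ts("2023-04-18T08:27"),
                     {"identity_document": ts("2023-03-29"), "criminal_background": ts("2023-05-10")},
                     ("identity_document", "criminal_background")),
    OnboardingRecord("Employee #2", ts("2023-04-18T08:28"),
                     {"identity_document": ts("2023-03-29"), "criminal_background": ts("2023-04-24")},
                     ("identity_document", "criminal_background")),
    OnboardingRecord("Employee #3", ts("2023-07-03T14:49"),
                     {"buddy_training": None, "validation_training_exam": ts("2023-11-28")},
                     ("buddy_training", "validation_training_exam")),
    OnboardingRecord("Employee #4", ts("2023-09-20T12:03"),
                     {"buddy_training": None, "validation_training_exam": ts("2024-03-13")},
                     ("buddy_training", "validation_training_exam")),
    OnboardingRecord("Employee #5", ts("2023-09-28T10:30"),
                     {"buddy_training": None, "validation_training_exam": ts("2024-03-14")},
                     ("buddy_training", "validation_training_exam")),
]


if __name__ == "__main__":
    for employee, gaps in audit(RECORDS).items():
        print(f"{employee}: account created before evidence of {', '.join(gaps)}")
    # With the gate in place, the same SAR for Employee #1 would have been refused
    # on 2023-04-18 and accepted once the final background report arrived.
    print(may_provision(RECORDS[0], ts("2023-04-18T08:27")),
          may_provision(RECORDS[0], ts("2023-05-10")))
```

Run against these records, `audit` reproduces the auditors' two findings (criminal background check for Employees #1 and #2, formal training for #3 through #5) and additionally flags the unrecorded buddy-system sessions, which is precisely why the second action item introduces a registration page: a control that gates on evidence can only ever see what was written down.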

Appendix

Details of affected certificates

Certificate issuance was not affected by this incident.

Assignee: nobody → martijn.katerbarg
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance] [policy-failure]

The final action item in our incident report was completed today, completing our handling of this incident.

We continue to monitor this bug for any questions and/or comments.

Ben, there don't appear to be any questions or comments. Can we close this bug?

Flags: needinfo?(bwilson)

I'll close this on Wed. 10-Jul-2024 unless there are issues or questions to discuss.

Status: ASSIGNED → RESOLVED
Closed: 3 months ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED