Closed Bug 2008027 Opened 2 months ago Closed 29 days ago

PKIoverheid: TSP CIBG Findings in 2025 ETSI Audit - Incident Report #6 – Access Control Management

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: Patrick.Berg, Assigned: pkioverheid)

Details

(Whiteboard: [ca-compliance] [audit-finding])

Preliminary Incident Report

Summary

  • Incident Description:
    • Minor Non-conformity: Access Control Management
  • Relevant Policies:
    • ETSI 319 401 (Clause 7.4)
  • Source of incident disclosure:
    • Annual ETSI Audit
Assignee: nobody → Patrick.Berg
Status: UNCONFIRMED → ASSIGNED
Type: defect → task
Ever confirmed: true
Whiteboard: [ca-compliance] [audit-finding]

The full incident report is in its final review stage and will be posted shortly.

Full Incident Report

Summary

  • CA Owner CCADB unique ID: A000068
  • Incident description: Some compliance issues were found in Access Control management. Some inconsistencies were found in the document used for Access Control Management, such as an error in the number of trusted roles, as well as an error in a formula used for the definition of conditions. Also, although requests for revocation of trusted roles contain a deadline, in the revocation process there are no measures to assure that the deadline is met. Lastly, not all historical versions of the Access Control Management document were available.
  • Timeline summary:
    • Non-compliance start date: N/A
    • Non-compliance identified date: 26-Sep-2025
    • Non-compliance end date: Ongoing
  • Relevant policies:
    • ETSI 319 401 (Clause 7.4)
  • Source of incident disclosure: Finding by CAB during annual ETSI audit.

Impact

  • Total number of certificates: N/A
  • Total number of "remaining valid" certificates: N/A
  • Affected certificate types: N/A
  • Incident heuristic: N/A
  • Was issuance stopped in response to this incident, and why or why not?: N/A (see "additional considerations" below)
  • Analysis: N/A
  • Additional considerations: CIBG only operates legacy S/MIME-capable CAs but has never issued actual S/MIME-capable end-entity certificates. CIBG only issues certificates for use in the CIBG healthcare ecosystem.

Timeline

  • 26-Sep-2025: Auditor identifies finding
  • 23-Oct-2025: Created Corrective Action Plan
  • 06-11-2025: Corrective Action Plan Approved by auditor

Related Incidents

N/A

Root Cause Analysis

  • Contributing Factor 1: Insufficient QA on the Access Control document

    • Description: Over time, during its many updates, several mistakes were introduced which stayed unnoticed due to insufficient QA. No approval was needed for changes to the Access Control document, missing the scrutiny needed for QA.
    • Timeline: See main timeline.
    • Detection: Audit finding by CAB.
    • Interaction with other factors: No.
    • Root Cause Analysis methodology used: N/A
  • Contributing Factor 2: Document Management process with limited scope

    • Description: At the moment, a formal document management process has only been drawn up for the Certification Practice Statement (CPS), as this is specifically required by ETSI. Availability of historical versions of the Access Control document is only done through a quarterly snapshot (source information used for this document is available).
    • Timeline: See main timeline.
    • Detection: Audit finding by CAB.
    • Interaction with other factors: No.
    • Root Cause Analysis methodology used: N/A
  • Contributing Factor 3: No direct link between CIBG's termination of employment and transfer process and the Access Control process

    • Description: At the moment, termination of employment and transfer information is not automatically shared within the Access Control process which can lead to stale entries.
    • Timeline: See main timeline.
    • Detection: Audit finding by CAB.
    • Interaction with other factors: No.
    • Root Cause Analysis methodology used: N/A

Lessons Learned

  • What went well: N/A
  • What didn’t go well: N/A
  • Where we got lucky: N/A
  • Additional: N/A

Action Items

  • Action Item: Expand formal document management process to also include the Access Control document and its QA
    • Kind: Prevent
    • Corresponding Root Cause(s): Root Cause #1, #2
    • Evaluation Criteria: Check
    • Due Date: 2025-12-19
    • Status: Completed
  • Action Item: Automated pushes of termination of employment and transfer information into the Access Control process
    • Kind: Prevent
    • Corresponding Root Cause(s): Root Cause #3
    • Evaluation Criteria: Check
    • Due Date: 2026-01-09
    • Status: In progress

Appendix

N/A

Assignee: Patrick.Berg → pkioverheid

All action items have been closed. A Report Closure Summary will be posted shortly.

Report Closure Summary

  • Incident description: Some compliance issues were found in Access Control management. Some inconsistencies were found in the document used for Access Control Management, such as an error in the number of trusted roles, as well as an error in a formula used for the definition of conditions. Also, although requests for revocation of trusted roles contain a deadline, in the revocation process there are no measures to assure that the deadline is met. Lastly, not all historical versions of the Access Control Management document were available.
  • Incident Root Cause(s): Over time, during its many updates, several mistakes were introduced which stayed unnoticed due to insufficient QA. No approval was needed for changes to the Access Control document, missing the scrutiny needed for QA. At the moment of observation, a formal document management process has only been drawn up for the Certification Practice Statement (CPS), as this is specifically required by ETSI. Availability of historical versions of the Access Control document is only done through a quarterly snapshot (source information used for this document is available). At the moment of observation, termination of employment and transfer information is not automatically shared within the Access Control process which can lead to stale entries.
  • Remediation description: The formal document management process has been expanded to also include the Access Control document and its QA. The Access Control management process has been expanded and automated pushes of termination of employment that transfer that information into the Access Control process are now in place, assuring timely processing.
  • Commitment summary: In addition to the remediation description CIBG commits to adding to the internal audit plan the checking of timely access control processing.

All Action Items disclosed in this report have been completed as described, and we request its closure.

This is a final call for comments or questions on this Incident Report.

Otherwise, it will be closed on approximately 2026-02-06.

Whiteboard: [ca-compliance] [audit-finding] → [close on 2026-02-06] [ca-compliance] [audit-finding]
Status: ASSIGNED → RESOLVED
Closed: 29 days ago
Resolution: --- → FIXED
Whiteboard: [close on 2026-02-06] [ca-compliance] [audit-finding] → [ca-compliance] [audit-finding]