Closed Bug 2008029 Opened 5 months ago Closed 4 months ago

PKIoverheid: TSP CIBG Findings in 2025 ETSI Audit - Incident Report #8 – Human Resources Management

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: Patrick.Berg, Assigned: pkioverheid)

Details

(Whiteboard: [ca-compliance] [audit-finding])

Preliminary Incident Report

Summary

  • Incident Description:
    • Minor Non-conformity: Human Resources Management
  • Relevant Policies:
    • ETSI 319 401 (REQ-7.2-07X)
  • Source of incident disclosure:
    • Annual ETSI Audit
Assignee: nobody → Patrick.Berg
Status: UNCONFIRMED → ASSIGNED
Type: defect → task
Ever confirmed: true
Whiteboard: [ca-compliance] [audit-finding]

The full incident report is in its final review stage and will be posted shortly.

Full Incident Report

Summary

  • CA Owner CCADB unique ID: A000068
  • Incident description: The HR onboarding process does not establish a clear link between the terms and conditions and the different Trusted Roles. Also, there is no clear definition of Trusted Roles in the job description and the definition of mandatory training sessions for each trusted role was found to be unclear.
  • Timeline summary:
    • Non-compliance start date: N/A
    • Non-compliance identified date: 26-Sep-2025
    • Non-compliance end date: Ongoing
  • Relevant policies:
    • ETSI 319 401 (REQ-7.2-07X): Information security roles and responsibilities, as specified in the TSP's information security policy, shall be documented in job descriptions or in documents available to all concerned personnel and allocated accordingly.
  • Source of incident disclosure: Finding by CAB during annual ETSI audit.

Impact

  • Total number of certificates: N/A
  • Total number of "remaining valid" certificates: N/A
  • Affected certificate types: N/A
  • Incident heuristic: N/A
  • Was issuance stopped in response to this incident, and why or why not?: N/A (see "additional considerations" below)
  • Analysis: N/A
  • Additional considerations: CIBG only operates legacy S/MIME-capable CAs but has never issued actual S/MIME-capable end-entity certificates. CIBG only issues certificates for use in the CIBG healthcare ecosystem.

Timeline

  • 26-Sep-2025: Auditor identifies finding
  • 23-Oct-2025: Created Corrective Action Plan
  • 06-Nov-2025: Corrective Action Plan Approved by auditor

Related Incidents

N/A

Root Cause Analysis

  • Contributing Factor 1: Limited awareness of HR consequences related to TSP-specific role definition of "Trusted Role" within the wider CIBG organization
    • Description: Although the roles described in the TSP's information security policy are documented in job descriptions, these were translated to general roles which exist in the CIBG-wide HR process
    • Timeline: See main timeline.
    • Detection: Audit finding by CAB.
    • Interaction with other factors: No.
    • Root Cause Analysis methodology used: N/A

Lessons Learned

  • What went well: N/A
  • What didn’t go well: N/A
  • Where we got lucky: N/A
  • Additional: N/A

Action Items

  • Action Item 1: Include Trusted Role in the HRM process and retrofit it in existing vacancy texts, including training and other specific requirements. Add these to the annual review process as well.
    • Kind: Correct
    • Corresponding Root Cause(s): Root Cause #1
    • Evaluation Criteria: Check
    • Due Date: 2026-01-16
    • Status: In progress
  • Action Item 2: After big updates in standards, or when changing auditors, trigger a pre-audit inquiry with the auditor on expectations regarding which information should be part of which document.
    • Kind: Prevent
    • Corresponding Root Cause(s): Root Cause #1
    • Evaluation Criteria: Check
    • Due Date: 2025-12-01
    • Status: Completed

Appendix

N/A

Assignee: Patrick.Berg → pkioverheid

All action items have been closed. A Report Closure Summary will be posted shortly.

Report Closure Summary

  • Incident description: The HR onboarding process does not establish a clear link between the terms and conditions and the different Trusted Roles. Also, there is no clear definition of Trusted Roles in the job description and the definition of mandatory training sessions for each trusted role was found to be unclear.
  • Incident Root Cause(s): Although the roles described in the TSP's information security policy are documented in job descriptions, these were translated to general roles which exist in the CIBG-wide HR process.
  • Remediation description: Trusted Roles are now included in the HRM process and were retrofitted in existing vacancy texts, including training and other specific requirements. The documents have been added to the annual review process. After big updates in standards, or when changing auditors, a pre-audit inquiry is triggered with the auditor on expectations regarding which information should be part of which document.
  • Commitment summary: CIBG commits to maintaining oversight of HRM and personnel training compliance. Progress on training is periodically monitored, ensuring that training requirements remain fulfilled and audit evidence is consistently available. The implementation of trusted roles in the general HR onboarding process and training has been added as a specific topic in the upcoming internal audit.

All Action Items disclosed in this report have been completed as described, and we request its closure.

This is a final call for comments or questions on this Incident Report.

Otherwise, it will be closed on approximately 2026-02-06.

Whiteboard: [ca-compliance] [audit-finding] → [close on 2026-02-06] [ca-compliance] [audit-finding]
Status: ASSIGNED → RESOLVED
Closed: 4 months ago
Resolution: --- → FIXED
Whiteboard: [close on 2026-02-06] [ca-compliance] [audit-finding] → [ca-compliance] [audit-finding]