CYB 300 4-4 Milestone Two Checklist
docx
keyboard_arrow_up
School
Southern New Hampshire University *
*We aren’t endorsed by this school
Course
300
Subject
Information Systems
Date
Dec 6, 2023
Type
docx
Pages
5
Uploaded by LieutenantGoosePerson210
CA Server Root Certificate Requirements Checklist (CA-1)
Requirements
A.
Identify information systems that support organizational missions/business functions
B.
Identify and select the following types of information system accounts that support
organizational missions/business functions: [
administrative, service
]
C.
Identify authorities from each department for root certificate assignment approval
D.
Secure protocols used, TLS v1.2
E.
Client renegotiation disabled
F.
Account notification to CA authorities:
a.
When user or system accounts are terminated
b.
When individual information system usage changes
c.
When account inactivity is for a period of 90 days
G.
Authorize root certificate assignment for information systems based on:
a.
A valid access authorization
b.
Other attributes as required by the organization or associated missions/business
functions
H.
Automatic Certificate Revocation with one of the listed reason codes as the following
conditions are met
1.
Key Compromise
: The private key that was supposed to be linked with
the certificate has been stolen and is now in the possession of an
unauthorized person
2.
CA Comprise
: the location of the CA’s private key has been
compromised and is now in the hands of an unauthorized person.
3.
Affiliation Change
: User’s connection to the organization that was
mentioned has undergone recent transitions. The dismissal of an
employee or their resignation.
4.
Superseded
: User has been provided with a replacement certificate as a
result of a malfunctioning CAC/smart card, lost passcode, and or
changes in their legal name.
5.
Cessation of Operation
: If the CA has been deactivated, it is to no longer
be used
6.
Certificate Hold
: A revocation that is temporary and will occur when the
CA wont vouch for the certificate at the current time
7.
Unspecified
: It is possible to revoke a certificate even if there isn’t a
reason code provided.
I.
Public Key Infrastructure will be encrypted using:
1.
Symmetric encryption which will use DES,3DES,AES, or RC4 and one
single key to encrypt and decrypt.
1
2.
Asymmetric Encryption when Diffie-Hellman or RSA algorithm is used,
the public key is used for encryption and the private key will be used for
decryption.
J.
A certificates typical expiration is within 3 years and no more than 5.
CA-1 Root Certificate Requirements
Requirements
Support organizational missions: <
IT defined
>
Parameter CA-1(D): <
IT-defined transport layer security>
Parameter CA-1(E): <
IT-defined client renegotiation policy>
Implementation Status (check all that apply):
Implemented
☒
Partially implemented
☐
Planned
☐
Alternative implementation
☐
Not applicable
☐
Control Origination (check all that apply):
Organization
☐
IT system specific
☒
☐
Hybrid (organization and IT system specific)
2
Control Overview
3
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
- Access to all documents
- Unlimited textbook solutions
- 24/7 expert homework help
Part
Description
Part A
<
The IT department will be responsible for identifying and selecting the types of accounts
required to support the application. Examples of account types include individual, shared,
group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary,
and service. A successful control response will need to address the specific requirements
fulfilled by each account type in use.>
Part B
<
The IT department will be responsible for select information systems, and who will have
responsibilities related to the management and maintenance. A successful control response
will need to discuss how information systems are defined within the organization.
>
Part C
<
The IT department will be responsible for identification of individuals responsible for CA
assignment approval. A successful control response will need to identify the person
responsible for CA assignments.
>
Part D
<
The IT department will be responsible for identifying the transport layer security. A
successful control response will need to ensure that the proper communication security is in
place.
>
Part E
<
The IT department will be responsible for verifying that the certificate renegotiation is
disabled from the client machine. The certificate renegotiation will be initiated only from the
server. A successful control response will need to identify that a policy is in place to be
audited and maintained.
>
Part F
<
The IT department will be responsible for defining the role of an individual to be notified if
any criterion [a, b, or c] is met. A successful control response will identify the individuals and
procedures used to enforce those conditions.
>
Part G
<
The IT department will be responsible for the assignment of a certificate if any criterion [a
or b] is met. This may include the assignment and revocation of certificates. The individual
will be responsible for notifying the person responsible for the certificate authorization. A
successful control response will outline the procedure and the communication needed to
properly report the issue.
>
Part H
<When any requirements (A through G) are met, the IT department will be responsible to
place the Automatic Certificate Revocation in place. To ensure documentation of reason code
with decision to revoke certificate is required to provide justification for the decision.>
Part I
<Encryption will be handled by IT department. Recommended to use both symmetric and
asymmetric encryption methods to maintain security for the PKI. IT teams will need to
organize automatic backup and recovery systems for the keys, as well as maintaining the
location of the keys. >
Part J
<The IT department will be responsible for establishing expiration date that will be printed.>
4
5