CYB_300_4-4_Milestone_Joshua_Minnick (docx)

School: Southern New Hampshire University
Course: 300
Subject: Information Systems
Date: Dec 6, 2023
Type: docx
Pages: 5
Uploaded by CommodoreWombatMaster597

CA Server Root Certificate Requirements Checklist (CA-1)

Requirements
A. Identify information systems that support organizational missions/business functions.
B. Identify and select the following types of information system accounts that support organizational missions/business functions: [administrative, service].
C. Identify authorities from each department for root certificate assignment approval.
D. Secure protocols used: TLS v1.2.
E. Client renegotiation disabled.
F. Account notification to CA authorities:
   a. When user or system accounts are terminated.
   b. When individual information system usage changes.
   c. When an account has been inactive for a period of 90 days.
G. Authorize root certificate assignment for information systems based on:
   a. A valid access authorization.
   b. Other attributes as required by the organization or associated missions/business functions.
H. Automatic certificate revocation will occur when:
   a. The user's employment is terminated.
   b. There are significant changes to the user's job duties.
   c. The certificate is associated with any attempt to access unauthorized data.
   d. The third failed logon attempt occurs.
I. Encryption will be performed by the PKI infrastructure using the AES-256 algorithm.
J. Certificates will have a validity period of 12 months from the date of issuance.
CA-1 Root Certificate Requirements

Requirements
Support organizational missions: The CA will provide the ability to encrypt and decrypt data as needed to protect proprietary information as well as user data and the personal information of employees. It will allow users within the organization to pass information securely, without fear of interception or disclosure to anyone outside the organization, or to anyone inside the organization who does not hold the proper authorization to view such data.

Parameter CA-1(D): Transport Layer Security will be TLS version 1.3.
Parameter CA-1(E): Renegotiation will not be required with the use of TLS version 1.3.

Implementation Status (check all that apply):
   Implemented
   Partially implemented
   Planned
   Alternative implementation
   Not applicable

Control Origination (check all that apply):
   Organization
   IT system specific
   Hybrid (organization and IT system specific)
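The following is an added illustration and is not part of the student's checklist or any SNHU course material. It shows how the automatic revocation triggers in item H, the 12-month validity limit in item J, and the TLS parameters in CA-1(D)/(E) could be enforced in code. The certificate inventory and the HR/authentication event feed are constructed sample data; the subject names, the "significant" flag on job-change events, and the choice of 365 days as the 12-month limit are assumptions made for the example.

```python
"""
Added example (not from the original checklist): a small policy engine that
automates checklist items H (automatic revocation triggers) and J (12-month
validity) and builds a TLS server context matching parameters CA-1(D)/(E).
All inventory and event data below is constructed for illustration.
"""
import ssl
from collections import defaultdict
from datetime import date

MAX_VALIDITY_DAYS = 365        # item J: assumed 12 months == 365 days
FAILED_LOGON_LIMIT = 3         # item H(d): revoke on the third failed attempt

# Constructed certificate inventory: subject -> (issued, expires)
CERT_INVENTORY = {
    "alice":  (date(2023, 1, 10), date(2024, 1, 10)),   # exactly 12 months, OK
    "bob":    (date(2023, 3, 1),  date(2025, 3, 1)),    # 24 months, violates J
    "svc-db": (date(2023, 6, 15), date(2024, 6, 14)),   # 365 days, OK
}

# Constructed event feed (HR system, IdP, auth logs) carrying item H triggers.
EVENTS = [
    {"type": "failed_logon", "subject": "alice"},
    {"type": "failed_logon", "subject": "alice"},
    {"type": "job_change", "subject": "svc-db", "significant": False},
    {"type": "termination", "subject": "bob"},
    {"type": "failed_logon", "subject": "alice"},      # third attempt -> H(d)
    {"type": "unauthorized_access", "subject": "svc-db"},
]


def validity_violations(inventory, max_days=MAX_VALIDITY_DAYS):
    """Return subjects whose certificate lifetime exceeds max_days (item J)."""
    return sorted(subj for subj, (issued, expires) in inventory.items()
                  if (expires - issued).days > max_days)


def revocation_decisions(events, limit=FAILED_LOGON_LIMIT):
    """Walk the event feed in order and return {subject: reason} for every
    certificate that must be revoked under item H. A subject is revoked once;
    the first qualifying trigger is recorded and later events are ignored."""
    failed = defaultdict(int)
    decisions = {}
    for ev in events:
        subj = ev["subject"]
        if subj in decisions:
            continue
        kind = ev["type"]
        if kind == "termination":
            decisions[subj] = "H(a): employment terminated"
        elif kind == "job_change" and ev.get("significant"):
            decisions[subj] = "H(b): significant change in job duties"
        elif kind == "unauthorized_access":
            decisions[subj] = "H(c): attempt to access unauthorized data"
        elif kind == "failed_logon":
            failed[subj] += 1
            if failed[subj] >= limit:
                decisions[subj] = f"H(d): {limit} failed logon attempts"
    return decisions


def build_server_context():
    """TLS server context per CA-1(D)/(E): TLS 1.3 only. TLS 1.3 has no
    renegotiation at all; OP_NO_RENEGOTIATION (present on Python >= 3.7 with
    OpenSSL >= 1.1.0h) additionally refuses it should an older protocol ever
    be re-enabled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    ctx.options |= getattr(ssl, "OP_NO_RENEGOTIATION", 0)
    return ctx


if __name__ == "__main__":
    print("Item J violations:", validity_violations(CERT_INVENTORY))
    for subj, reason in revocation_decisions(EVENTS).items():
        print(f"REVOKE {subj}: {reason}")
    print("Server minimum TLS:", build_server_context().minimum_version.name)
```

In a real deployment the event feed would be the HR notification and manager verification described under Part H of the control overview, and the "REVOKE" decision would be pushed to the CA so that the serial number appears in its CRL or OCSP responses.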
Control Overview
Part / Description

Part A: The IT department will be responsible for identifying and selecting the types of accounts required to support the application. Examples of account types include individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. A successful control response will need to address the specific requirements fulfilled by each account type in use.

Part B: The IT department will be responsible for selecting information systems and for identifying who will have responsibilities related to their management and maintenance. A successful control response will need to discuss how information systems are defined within the organization.

Part C: The IT department will be responsible for identifying the individuals responsible for CA assignment approval. A successful control response will need to identify the person responsible for CA assignments.

Part D: The IT department will be responsible for identifying the transport layer security in use. A successful control response will need to ensure that the proper communication security is in place.

Part E: The IT department will be responsible for verifying that certificate renegotiation is disabled on the client machine; renegotiation will be initiated only from the server. A successful control response will need to show that a policy is in place that is audited and maintained.

Part F: The IT department will be responsible for defining the role of the individual to be notified when any criterion [a, b, or c] is met. A successful control response will identify the individuals and procedures used to enforce those conditions.

Part G: The IT department will be responsible for the assignment of a certificate when any criterion [a or b] is met. This may include the assignment and revocation of certificates. The individual will be responsible for notifying the person responsible for certificate authorization. A successful control response will outline the procedure and the communication needed to properly report the issue.

Part H: The IT department will be responsible for the implementation and maintenance of the automatic certificate revocation standards. The IT department will designate at minimum 2 primary users with the proper training and authorization to prepare, implement, and maintain this system. The IT department will also designate at minimum 2 secondary users who can act as replacements in the event that either or both primary users are unavailable during an emergency incident. The Human Resources department will also designate at minimum 2 officials within the termination process who will be responsible for notifying the IT department within 24 hours of all terminations or changes in job titles within the organization. All managers within every department will be responsible for verifying with the IT department within 7 days that any employee who has left their department for any reason has been removed from the system. This verification will be completed either by email or