CYB_300_4-4 (docx, 3 pages)
School: Southern New Hampshire University
Course: 300
Subject: Information Systems
Date: Dec 6, 2023
CA Server Root Certificate Requirements Checklist (CA-1)
CYB 300
2023 November 19
Requirements
• Identify information systems that support organizational missions/business functions.
• Identify and select the following types of information system accounts that support organizational missions/business functions: [administrative, service].
• Identify authorities from each department for root certificate assignment approval.
• Secure protocols used: TLS v1.2.
• Client renegotiation disabled.
• Account notification to CA authorities:
  • When user or system accounts are terminated
  • When individual information system usage changes
  • When an account has been inactive for a period of 90 days
• Authorize root certificate assignment for information systems based on:
  • A valid access authorization
  • Other attributes as required by the organization or associated missions/business functions
• Automatic certificate revocation, using reasons such as the following:
  • Superseded: used when there has been a change in the information associated with the user.
  • KeyCompromise: used when both the certificate and the private key have been compromised.
  • CertificateHold: a temporary suspension or revocation of a certificate.
  • AffiliationChanged: invoked when an employee's certificate is revoked upon leaving the company.
  • PrivilegeWithdrawn: used to revoke the privileges of an employee.
  • Unspecified: the default revocation reason when no specific reason is provided.
• PKI encryption: PKI will be used for symmetric and asymmetric encryption of messages.
• The recommended duration of certificate validity is one to three years, with a maximum limit of five years.
CA-1 Root Certificate Requirements
Requirements
Support organizational missions: <IT defined>
Parameter CA-1(D): <IT-defined transport layer security>
Parameter CA-1(E): <IT-defined client renegotiation policy>
Implementation Status (check all that apply):
☒ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable
Control Origination (check all that apply):
☐ Organization
☒ IT system specific
Hybrid (organization and IT system specific)
Control Overview
Part / Description
Part A: <The IT department will be responsible for identifying and selecting the types of accounts required to support the application. Examples of account types include individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. A successful control response will need to address the specific requirements fulfilled by each account type in use.>
Part B: <The IT department will be responsible for selecting the information systems in scope and for identifying who has responsibility for their management and maintenance. A successful control response will need to discuss how information systems are defined within the organization.>
Part C: <The IT department will be responsible for identifying the individuals responsible for CA assignment approval. A successful control response will need to identify the person responsible for CA assignments.>
Part D: <The IT department will be responsible for identifying the transport layer security configuration. A successful control response will need to ensure that the proper communication security is in place.>
Part E: <The IT department will be responsible for verifying that TLS renegotiation is disabled on the client side; renegotiation will be initiated only by the server. A successful control response will need to identify that a policy is in place to be audited and maintained.>
Part F: <The IT department will be responsible for defining the role of the individual to be notified if any criterion [a, b, or c] is met. A successful control response will identify the individuals and the procedures used to enforce those conditions.>
Part G: <The IT department will be responsible for the assignment of a certificate if any criterion [a or b] is met. This may include the assignment and revocation of certificates. The individual will be responsible for notifying the person responsible for certificate authorization. A successful control response will outline the procedure and the communication needed to properly report the issue.>
Part H: <The revocation of certificates will be the shared responsibility of the IT department and the department heads of the various departments. When an employee is terminated, managers are expected to initiate the certificate revocation process. In the event of multiple failed login attempts, certificates will be automatically revoked, and users will need to contact their manager or the IT department to have their certificates reinstated.>
Part I: <The encryption of certificates will be the responsibility of the IT department, which should employ Public Key Infrastructure (PKI) to encrypt data effectively.>
Part J: <Defining the validity periods for certificates will be under the purview of the IT department. To maintain a secure environment, it is imperative to assign a restricted validity period to certificates, after which they must be renewed.>
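As an added example (not part of the original checklist or any school material), the following Python encodes the checklist's revocation reasons as RFC 5280 CRLReason codes and evaluates the validity-period, 90-day inactivity and Part H hold/reinstate rules. The serial numbers and dates are constructed, and treating CertificateHold as the only reason a reinstatement can lift is an assumption.

```python
# Added example, not part of the original checklist: CA-1 policy checks.
from datetime import date, timedelta

# RFC 5280 CRLReason values for the revocation reasons the checklist lists.
CRL_REASON = {
    "unspecified": 0,
    "keyCompromise": 1,
    "affiliationChanged": 3,
    "superseded": 4,
    "certificateHold": 6,
    "privilegeWithdrawn": 9,
}
# Assumption: certificateHold is the only temporary reason (Part H reinstatement).
PERMANENT = {code for name, code in CRL_REASON.items() if name != "certificateHold"}
RECOMMENDED_MAX = timedelta(days=3 * 365)  # "one to three years" recommended
HARD_MAX = timedelta(days=5 * 365)         # "maximum limit of five years"
INACTIVITY_LIMIT = timedelta(days=90)      # notify CA after 90 days of inactivity

# Constructed sample CRL-style entries: (serial, reason code or "reinstate", date).
SAMPLE_ENTRIES = [
    (1001, CRL_REASON["certificateHold"], date(2023, 11, 1)),  # failed-login lockout
    (1001, "reinstate", date(2023, 11, 5)),                    # manager reinstates
    (1002, CRL_REASON["keyCompromise"], date(2023, 11, 2)),    # permanent revocation
]

def validity_status(not_before: date, not_after: date) -> str:
    """Classify a certificate lifetime against the checklist's duration rule."""
    lifetime = not_after - not_before
    if lifetime > HARD_MAX:
        return "reject"  # exceeds the five-year limit
    if lifetime > RECOMMENDED_MAX:
        return "warn"    # permitted, but longer than recommended
    return "ok"

def revocation_state(entries, serial, today):
    """Current state of one certificate: 'good', 'hold' or 'revoked'."""
    state = "good"
    for entry_serial, action, when in sorted(entries, key=lambda e: e[2]):
        if entry_serial != serial or when > today:
            continue  # another certificate, or an entry dated in the future
        if action == "reinstate" and state == "hold":
            state = "good"       # only a hold can be lifted (Part H)
        elif action in PERMANENT:
            state = "revoked"    # a permanent reason overrides a hold
        elif action == CRL_REASON["certificateHold"] and state != "revoked":
            state = "hold"
    return state

def inactivity_notice_due(last_used: date, today: date) -> bool:
    return today - last_used >= INACTIVITY_LIMIT
```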