[cabf_netsec] Draft Ballot SC 21
tcrawford at bdo.com
Mon Aug 19 08:48:15 MST 2019
"In proposed new 3.g., would "resulting alerts" be overly broad? Also, will this new requirement burden CAs with additional recordkeeping to demonstrate that they "addressed" alerts within the 7-day requirement? Which "objectives" of the NCSSRs are monitoring and alerting targeting? Should we narrow the scope of the proposal?
Currently drafted language: g. If continuous automated monitoring and alerting is utilized to satisfy any of the objectives of the Network and Certificate System Security Requirements, resulting alerts must be addressed within at most seven (7) days and follow up action instigated in accordance with the CA's incident response procedures."
Thank you for your comments, Ben. The intention of the new 3g was to be applied to significant alerts, such as those additional use cases being added for the updated version of 3e and 1h. Based on your question, I think it is a fair point that the scope of alerts might be considered too broad. Please see my adjustment below.
This does add some burden on the CA to address alerts in a timely manner, but the goal was to have a net reduction in efforts by removing manual monitoring. I would not expect this to have a significant additional burden from a recordkeeping standpoint, because I would assume these actions are all tracked through a ticketing system as part of an IRP process.
g. If continuous automated monitoring and alerting is utilized to satisfy any of the objectives of the Network and Certificate System Security Requirements, indicate the specific alerts and the objectives they have been implemented to satisfy. Those alerts shall be classified as high risk. Alerts classified as high risk must be addressed within at most seven (7) days and follow up action instigated in accordance with the CA's incident response procedures.