Incident i20150725.1

History Log

1. Incident Response Team

2. Incident Description

While handling a security incident, the software team had troubles to reach a key person because the key persons list was missing.

3. Containment Actions

A software team member filled a dispute which is handled as a20150725.1.

4. Root Causes

CAcert's Security Policy requests in § 6.4 that Board maintains a Key Persons List with all contact information necessary, to operate CAcert or restore operations of CAcert after an incident. The detailed information about this list are listed on the Key People Contacts wiki page. It "shall" be update latest every three month and accessible at any time to all people on the list.

According to the Committee's Diary of FY 2014/2015, arbitration requested an up-to-date Key Persons List from Board. Board could not provide this list and started to collect the required data. This took until August 2014. At the time, the incident happened, the list was not distributed to the accordant person. It seems, that only two people had access to this list at that time.

Investigation on this topic is complicated, because several board meetings of the FY 2014/2015 board are missing.

further investigation running

Finding

Based on the Key People Contacts wiki page, the list should be only used in the case of a disaster recovery and should not have been used in a security incident situation, the availability of the list to members of the list must be granted by Board.

At least the boards of FY 2013/2014 and FY 2014/2015 did not provide and up-to-date Key Persons List to the persons concerned. Both boards did not comply with the rules of Security Policy § 6.4.

5. Permanent Corrective Actions

6. Verify Corrective Actions

7. Preventive Actions

8. Approval & Closure

Approved

Date closed