Bringing in new Team Members to the Infrastructure Team
In the dim dark past, all team members were the same. Then there was a split into critical and infrastructure. The former were controlled under Security Policy, and the latter were outside (although the sense is that the SP/SM is still a good guide).
For recruitment of infrastructure team members, the board of September 2007 said:
- team to assess the person
- team leader to propose the person
Board to approve. (Actually this part was the ManagementSubCommittee but that group is no longer in existance so it goes back to the board.)
(The support and software teams were the same as the Critical teams.)
- Do we want to continue with Board oversight?
Do we want to borrow any of the SP9.1 approach?
- Do we want to make a distinction between
- the team leader(s) and the teamsters?
- those who access the VMs and those who access the host? The console?
- some VMs are more important than others?
- Is it necessary to insist on a team leader? Or can the group organise itself?
Assuming that the infrastructure is important, it goes up to the Board to say how this is done. To some extent this view is forced on CAcert because of the audit requirements, which basically say that the management of the CA must be in total control of what they are about. So this rules out the more laissez faire approach to things that is commonly seen in other open / net groups.
Most of the force is directed to the critical group. But some of the things that are provided by the infrastructure group are semi-critical in that they form part of the Security Policy. For example, blog, wiki, email are important for communication, and in a disaster recovery exercise, their loss will cause us a great deal of difficulty.
So some degree of concern exists. It isn't likely to be full critical approach, nor is it likely to be full laissez faire of the rest of the net.