Ballot SC021: The Network and Certificate Systems Security Requirements section 3 (Log Integrity Controls)

Ballot overview

• Ballot SC021, titled The Network and Certificate Systems Security Requirements section 3 (Log Integrity Controls), proposed revisions to section 3 of the Network and Certificate System Security Requirements.
• The stated goal was to better allow automation and continuous monitoring of systems, reduce manual effort, and add timeliness requirements for responding to automated alerts.

Voting result

• The ballot page states that the voting period ended and the ballot passed.
• Voting by Certificate Issuers: 24 total votes, 24 yes, 0 no, 0 abstain.
• Voting by Certificate Consumers: 4 total votes, 4 yes, 0 no, 0 abstain.
• The page states that the bylaw requirements for approval and quorum were met.

Proposed requirement changes

• Section 3.e would require monitoring the integrity of logging processes for application and system logs through continuous automated monitoring and alerting or through a human review.
• If human review is used and the system is online, the review must occur at least once every 31 days.
• Section 3.f would require monitoring the archival and retention of logs to ensure logs are retained for the appropriate amount of time in accordance with disclosed business practices and applicable legislation.
• Section 3.g would require that if continuous automated monitoring and alerting is used to satisfy sections 1.h. or 3.e., the alert must be responded to and a plan of action initiated within at most 24 hours.

Timing stated in the ballot

• The ballot text says the revised requirements were proposed to be effective 90 days after completion of the IPR Review Period.
• Discussion period: Thursday, September 19, 2019 at 19:00 UTC through Thursday, September 26, 2019 at 19:00 UTC.