Bugzilla #1830088
Technical Compliance
Sectigo: Late termination of privileged access to Certificate Systems
RESOLVED
FIXED
Sectigo
AI Summary
Sectigo identified a delay in terminating privileged access to its Certificate Systems for a departing employee; the discrepancy was found during a WebTrust audit. The termination notice was sent only after the employee's contract had expired, so the access was not revoked within the 24-hour window required by the CA/Browser Forum Network and Certificate System Security Requirements (NSRs). Following an internal investigation, Sectigo updated its termination procedures and automated part of its internal audit checks so that late deprovisioning is detected rather than found at audit time. A recurrence of the issue was nevertheless noted, prompting further discussion of restructuring the offboarding process, and the overhaul was then carried out in phases.
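The automated check described above, as an added example that is not Sectigo's own tooling: it reconciles an HR termination feed against an IAM audit trail for the Certificate Systems and reports every privileged account that was disabled more than 24 hours after contract end, or that has never been disabled at all. Only the 24-hour figure comes from the page; the record layouts, field names, sample data and function names are constructed assumptions.

```python
"""
Reconcile HR termination dates against privileged-account disable events
and flag each account whose access outlived the 24-hour NSR window.

Added example for this page, not Sectigo's tooling. The record layouts,
field names and sample records are constructed assumptions.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

# The NSRs require privileged access to be revoked within 24 hours of
# termination; this figure is the only thing taken from the page.
MAX_DELAY = timedelta(hours=24)

# Constructed HR feed (assumed layout): one record per contract end.
HR_TERMINATIONS = [
    {"user": "x.employee", "terminated": "2023-03-31T00:00:00Z"},
    {"user": "y.employee", "terminated": "2023-04-05T17:00:00Z"},
    {"user": "z.employee", "terminated": "2023-04-07T09:00:00Z"},
]

# Constructed IAM audit trail for the Certificate Systems (assumed layout).
# Only "disable" events matter for this check; other actions are ignored.
IAM_EVENTS = [
    {"user": "x.employee", "action": "disable", "ts": "2023-04-03T10:15:00Z"},
    {"user": "y.employee", "action": "login",   "ts": "2023-04-05T12:00:00Z"},
    {"user": "y.employee", "action": "disable", "ts": "2023-04-06T08:30:00Z"},
    # z.employee has no disable event: the account is still enabled.
]


def parse_ts(value: str) -> datetime:
    """Parse an RFC 3339 'Z' timestamp into an aware UTC datetime.

    Both feeds are assumed to be normalised to UTC; mixing local-time HR
    exports with UTC audit logs is a common source of false 24h results.
    """
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def earliest_disable(events) -> dict:
    """Map each user to the timestamp of their earliest disable event."""
    disabled = {}
    for ev in events:
        if ev["action"] != "disable":
            continue
        ts = parse_ts(ev["ts"])
        if ev["user"] not in disabled or ts < disabled[ev["user"]]:
            disabled[ev["user"]] = ts
    return disabled


def check_terminations(hr_records, events, now: datetime,
                       max_delay: timedelta = MAX_DELAY) -> list:
    """Return one finding per terminated user whose access outlived max_delay.

    A finding records the user, the termination time, the disable time
    (None if the account was never disabled), the delay in hours and a
    status of 'late' or 'still_active'. A disable that happened before the
    contract ended counts as a delay of zero. Re-enabling an account after
    a disable is deliberately out of scope for this example.
    """
    disabled = earliest_disable(events)
    findings = []
    for rec in hr_records:
        terminated = parse_ts(rec["terminated"])
        disable_ts: Optional[datetime] = disabled.get(rec["user"])
        if disable_ts is None:
            delay, status = now - terminated, "still_active"
        else:
            delay, status = max(timedelta(0), disable_ts - terminated), "late"
        if delay > max_delay:
            findings.append({
                "user": rec["user"],
                "terminated": terminated.isoformat(),
                "disabled": disable_ts.isoformat() if disable_ts else None,
                "delay_hours": delay.total_seconds() / 3600,
                "status": status,
            })
    return findings


def audit_at(now_iso: str = "2023-04-10T00:00:00Z") -> list:
    """Run the check over the constructed feeds as of the given instant."""
    return check_terminations(HR_TERMINATIONS, IAM_EVENTS, parse_ts(now_iso))


if __name__ == "__main__":
    for f in audit_at():
        print(f"{f['user']}: {f['status']} after {f['delay_hours']:.1f}h "
              f"(terminated {f['terminated']}, disabled {f['disabled']})")
```

With the constructed data the check reports x.employee as disabled 82.25 hours after contract end and z.employee as still active 63 hours after contract end, while y.employee (disabled after 15.5 hours) is not reported. Run on a schedule, the "still_active" branch is the one that turns a finding like this incident from an audit discovery into a same-day alert; note that the still-active window only becomes a finding once 24 hours have passed, so a run shortly after contract end correctly reports nothing for that account.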
Chronology
- Employee X's contract set to expire.
- Discrepancy found in account termination during audit.
- Remediation and investigation completed.
- Recurrence of incident noted.
- Phase 1 of overhaul completed.
- Phase 2 of overhaul completed.
Participants
Martijn Katerbarg
Ben Wilson
Similar Local Cases
Sectigo: CRL validity beyond CPS allowed value
Sectigo: Lack of technical controls for multiparty control access to Secure Zone
Sectigo: Reseller ZeroSSL and Private Key Generation
Firmaprofesional: 2022 - Define Device Obsolescence Process
E-Tugra: Forbidden Domain Validation Method 3.2.2.4.6
Asseco DS / Certum: Forward dating certificates (notBefore in the future)
Let's Encrypt: Failure to audit log subscriber certificate OCSP updates
Firmaprofesional: 2023 - Ensure Timestamp service Logs Integrity