Audit Logging Procedures
Types of Events Recorded
Significant security events in the CAs are automatically time-stamped and recorded as audit logs. Audit logs are archived periodically. Where these events cannot be electronically logged, the CA shall supplement electronic audit logs with physical logs as necessary.
The foregoing record requirements include, but are not limited to, an obligation to record the following events:
CA Certificate key lifecycle events, including:
CA Private Key generation, backup, storage destruction, and recovery;
CA certificate requests and CA certificate revocation;
Cryptographic device lifecycle management events;
Subscriber Certificate lifecycle management events, including:
Certificate issuance requests and revocation requests;
Generation of CRLs;
Security events, including:
Successful and unsuccessful PKI system access attempts;
PKI and security system actions performed;
Entries to and exits from the facility housing the HSM.
Frequency of Processing Data
The audit logs are continuously monitored by a Security Information and Event Management (SIEM) system. Policy violations and other significant events generate alerts that are reviewed by operations and security teams for malicious activity.
Retention Period for Security Audit Data
The audit logs are retained on the PKI system for at least three months. Audit logs are periodically archived in accordance with section 5.5.
Protection of Security Audit Data
Audit logs remain stored on the PKI systems until archived in accordance with section 5.5. Only Trusted Role personnel have access to the PKI systems.
Audit Log Backup Procedures
Audit logs are periodically archived in accordance with section 5.5.
Audit Collection System
Audit collection processes are integral to the system and cover its entire time of deployment. Should it become apparent that an automated audit system has failed, the Operational Authority will be notified and will consider suspending operation until the audit capability can be restored.
Notification to Event-Causing Subject
No stipulation.
Vulnerability Assessments
Vulnerability scans are conducted monthly to identify system weaknesses and any patching requirements for operating systems and supporting infrastructure. Identified vulnerabilities will be analyzed and addressed in accordance with Entrust's Patch and Vulnerability Management Standards.
Risk Assessments
A risk assessment is performed annually that:
Identifies foreseeable internal and external threats that could result in unauthorized access, disclosure, misuse, alteration, or destruction of any Certificate data or Certificate management processes;
Assesses the likelihood and potential damage of these threats, taking into consideration the sensitivity of the Certificate data and Certificate management processes; and
Assesses the sufficiency of the policies, procedures, information systems, technology, and other arrangements that the CA has in place to counter such threats.
Based on the risk assessment, a security plan is developed, implemented, and maintained consisting of security procedures, measures, and products designed to achieve the objectives set forth above and to manage and control the risks identified during the risk assessment. The security plan includes administrative, organizational, technical, and physical safeguards appropriate to the sensitivity of the Certificate data and Certificate management processes. The security plan also takes into account then-available technology and the cost of implementing the specific measures, and implements a reasonable level of security appropriate to the harm that might result from a breach of security and the nature of the data to be protected.