A network firewall must protect network access to the CA system. The network firewall limits services allowed to and from the CA system to those required to perform CA functions.
The CA system is protected against known network attacks. All unused network ports and services are turned off.
Any boundary control devices used to protect the network on which PKI systems are hosted deny all but the necessary services to the CA system.
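One host-level check for the requirement that unused ports and services are turned off, added here as an example and not Entrust's own tooling: it parses the listening-socket table in the format printed by `ss -Hltnup` (a constructed sample is embedded so it runs offline) and reports every socket reachable from off-host that is not on an allowlist of required services. The allowlist, the sample process names and the loopback exemption are assumptions made for the illustration; a real deployment would derive the allowlist from the CA's documented service inventory.

```python
"""Audit a host's listening sockets against an allowlist of required services.

Added illustration, not Entrust's tooling. Input is `ss -Hltnup`-style output
(no header; listening TCP and UDP sockets; numeric addresses; owning process).
"""
from __future__ import annotations

import subprocess
import sys
from dataclasses import dataclass

# Hypothetical allowlist of (protocol, port) pairs a CA host is expected to
# expose. Assumption for the example only; not Entrust's actual configuration.
ALLOWED = {("tcp", 22), ("tcp", 443)}

# Sockets bound only to loopback are not reachable over the network, so the
# example exempts them. This exemption is a design choice of the example.
LOOPBACK = {"127.0.0.1", "[::1]", "::1"}

# Constructed sample of `ss -Hltnup` output; not captured from a real CA host.
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128        0.0.0.0:22      0.0.0.0:*    users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      4096     127.0.0.1:5432    0.0.0.0:*    users:(("postgres",pid=901,fd=5))
tcp   LISTEN 0      511        0.0.0.0:443     0.0.0.0:*    users:(("nginx",pid=1201,fd=6))
tcp   LISTEN 0      128           [::]:22         [::]:*    users:(("sshd",pid=812,fd=4))
tcp   LISTEN 0      4096       0.0.0.0:9100    0.0.0.0:*    users:(("node_exporter",pid=1302,fd=3))
udp   UNCONN 0      0          0.0.0.0:161     0.0.0.0:*    users:(("snmpd",pid=1410,fd=8))
"""


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str


def parse_ss(output: str) -> list[Listener]:
    """Parse `ss -Hltnup` lines: Netid State Recv-Q Send-Q Local Peer [Process]."""
    listeners: list[Listener] = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # blank or truncated line
        proto, local = fields[0], fields[4]
        # rpartition keeps IPv6 literals such as "[::]" intact.
        addr, _, port = local.rpartition(":")
        if not port.isdigit():
            continue
        process = fields[6] if len(fields) > 6 else ""
        listeners.append(Listener(proto, addr, int(port), process))
    return listeners


def audit(listeners: list[Listener], allowed=ALLOWED) -> list[Listener]:
    """Return sockets reachable off-host whose (proto, port) is not allowlisted."""
    return [
        l for l in listeners
        if l.addr not in LOOPBACK and (l.proto, l.port) not in allowed
    ]


def audit_host() -> list[Listener]:
    """Run the live check on this machine (requires iproute2's `ss`)."""
    out = subprocess.run(["ss", "-Hltnup"], capture_output=True, text=True, check=True)
    return audit(parse_ss(out.stdout))


if __name__ == "__main__":
    # Demonstrate on the constructed sample; pass --live to audit the real host.
    findings = audit_host() if "--live" in sys.argv else audit(parse_ss(SAMPLE_SS_OUTPUT))
    for f in findings:
        print(f"UNEXPECTED {f.proto}/{f.port} bound to {f.addr} {f.process}")
    sys.exit(1 if findings else 0)
```

On the sample the check flags the metrics exporter on tcp/9100 and SNMP on udp/161, while PostgreSQL bound to 127.0.0.1 is ignored. The non-zero exit status lets the script run from cron or a configuration-management agent as a drift alarm; it complements, rather than replaces, the deny-by-default rules on the boundary control devices, since a service that is listening but blocked at the firewall is still a finding under "unused services are turned off".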
The CA, network, and all connected ancillary equipment hosted and operated by Entrust are scanned no less than once per month using recognized tools designed to detect network and system vulnerabilities. The scanning tools are updated prior to each scan with the latest vulnerability signatures. Scans are performed both from inside and from outside the environment to identify vulnerabilities that must be mitigated. Identified vulnerabilities are remediated in accordance with the Entrust security remediation standard and patch management standard.
All CA systems and all connected ancillary equipment hosted and operated by Entrust have active virus protection and mitigation as defined in the Entrust malware protection standard.