
5. Physical, procedural & personnel security


5.1 Physical Security Controls

112. Any site housing a CA system or administration terminal must:

  • Satisfy at least the requirements for a Grade 2 site (as per Security In Government Departments) i.e.:

    • Structural barriers are used to deter the entry of unauthorised persons outside normal working hours; and
    • An approved security guard patrols outside normal working hours in the vicinity of the site and within the perimeter security barrier at irregular intervals at least once every two hours, with random patrols inside the site at least once every four hours; or
    • An approved intruder detection system is installed and maintained by technically qualified and security cleared personnel.
  • Have restricted access to the CA area. All people not on the authorised access list must be escorted and supervised whenever in the area; and

  • Ensure all removable media and paper containing sensitive plaintext information is stored in at least Group IIIA containers (as per Security in the Government Sector).

113. Where CA, RA or Subscriber private keys are stored on a computer or removable media they must be protected at all times from any unauthorised access.

114. All media used for the storage of information such as keys, activation data or CA files is to be sanitised by overwriting or degaussing as described in NZSIT207: Declassification of Storage Media, or destroyed before it is released from a CA's control. When no longer required, paper documents containing operational information should be disposed of or destroyed in a way that makes reconstruction highly unlikely.

115. The Certification Authority must ensure that any facilities used for off-site backup of data or services have the same level of physical access control and monitoring as the primary CA site.

5.2 Procedural Security Controls

116. The Certification Authority must comply with AS/NZS4444 Information Security Management or another approved quality control standard.

5.3 Personnel Security Controls

117. The Certification Authority must:

  • Ensure that all CA personnel in operational roles (i.e. those with login or physical access to the CA system and/or database) have achieved an NZ Government CONFIDENTIAL, or equivalent, vetting level. This may be arranged through the S.E.E. Steering Group.

  • Enforce their obligations on staff in regard to Subscriber privacy and service expectations.

  • Ensure that all personnel performing CA or RA duties have received appropriate training in:

    • PKI security principles and mechanisms
    • The operation of the CA and/or RA hardware and software
    • All relevant procedures and requirements in this Policy and their Certification Practice Statement

118. The Certification Authority manager must:

  • Authorise any contractors or non-CA personnel requiring access to the CA site

  • Ensure such visitors are escorted during their visit.

  • Ensure such visitors are not permitted physical access to the CA workstation unless required for CA operation and only under supervision

