I provide brief explanations for the 2018 audit findings as follows:
> * The following non-conformities were listed in the 2018 BR attestation
> statement (they are not defined as “major” or “minor”):
This is the non-EV attestation letter for the new ECC root, dated 2018-12-13, based on the point-in-time audit for the new service.
> ** The TSP shall remove irrelevant and confusing information from each
> policy (e.g. explanation of how to create policy codes) [ETSI EN 319
> 401, REQ-6.1-01]
Microsec issues several types of certificates based on different certificate policies. One CP and CPS document typically contains the requirements for a number of similar certificate types by using slightly different policies.
These policies can be classified by using 5 main parameters.
Microsec introduced a five-character short reference code to be able to refer to a given policy easily. This short reference code is used in the CP and CPS documents to mark those requirements which are related only to a specific policy. This code is also used in the CA system of Microsec to identify configuration settings.
The meaning of this classification was included in the CP and CPS documents to help the Subscribers understand it.
To fulfil the requirement of the auditor, Microsec terminated the usage of some policies regarding electronic signature and moved this description to the Appendix of the CP and CPS documents.
> ** The TSP shall clearly indicate which kind of documents are necessary
> for the application procedures of different types of certificates. [ETSI
> EN 319 401, REQ-6.1-01]
This finding refers to the 2018 version of the Microsec webpage, which listed all the public documents on one page, like the following list presently:
The names of the documents are meaningful, and the documents are grouped, but due to the high number of the offered services, it was not easy to find all the relevant documents for a specific service or service package based on this page.
To fulfil this finding of the auditor, Microsec developed a web page to help the users find the corresponding documents more easily. You can see this page on the following link:
This lists the most frequently used services and service packages. After selecting the proper service or package the web page shows all the corresponding public documents.
Clients and relying parties can find all the current and previous versions of our public documents on these sites. If a draft document is available which will take effect soon, it is also indicated by giving the planned effect date.
> ** The TSP shall maintain such asset list which can support the daily
> operation and does not cover unnecessary elements (e.g. mouse, keyboard)
> [ETSI EN 319 401, REQ-7.3.1-01, REQ-7.3.1-02]
Microsec has a detailed asset list which contains all of the valuable assets according to the legal and financial requirements in Hungary.
This list is maintained by our finance department and each asset is added to the list immediately upon purchase.
Of course, this asset list does not contain the low-value assets (such as mouse or keyboard), but contains the computers, screens, all the furniture and other tangible assets.
The auditor asked Microsec to maintain a shorter asset list, which contains only those IT assets which are essential for the operation of the services (HSMs, routers, switches, servers, desktop computers used for the services, etc.).
Microsec now maintains two lists in parallel, which are synchronized regularly. One is the full list and the other is the list of the critical IT devices.
The Microsec low level risk analysis is connected to this critical asset list.
> ** The TSP shall ensure that
> the password policy provisions are applied in all systems in the TSP and
> shall review them periodically. [ETSI EN 319 401, REQ-7.4-06]
Microsec uses various devices with different operating systems which have different support for forcing the password policies.
Microsec typically uses PKI certificate-based authentication between servers and when users log into applications, but in some cases a username and password are also used (typically in addition to PKI-based authentication).
Microsec reviewed the abilities of the servers in use and the best practices regarding passwords, and changed the password policies accordingly, so that the requirements are now enforced across all platforms in use.
> ** The TSP shall move the videoserver from the secondary data center to
> another secure location without IT administrator access and shall review
> the records on regular basis. [ISO27001], [ETSI EN 319 401, REQ-7.6-03]
In 2018 Microsec already had two data centers at two separate locations, 10 km distant from each other. Each data center had its own video monitoring system. The video records were stored locally in each data center. The video servers were stored outside the server room, in the operator room, in a closed rack. The administrators who had access to the server room were able to go into the operator room, so they had physical access to the video server machine. They had no user access to the video server, so they were not able to delete the records, but they were able to damage the server. The video records were deleted after 3 days according to the Hungarian regulation, and they were checked only in case of a possible incident.
To solve the issue, Microsec routed all the video signals to the server room in the Microsec office. As a result, the internal IT operators can see all the camera pictures in real time, and all the video is recorded continuously at two separate locations. This effectively prevents any administrator from damaging the stored video records.
> ** The TSP shall check operational state of the CCTV system regularly.
> [ETSI EN 319 401, REQ-7.6-03]
Earlier, the video records were deleted after 3 days according to the Hungarian regulation and checked only in case of a possible incident.
Presently, the IT operators can see all the camera pictures in real time, and all the video is recorded continuously at two separate locations.
The availability and quality of the recorded video is also checked every workday as part of the daily system supervision process.
> ** The TSP shall extend the Termination Plan
> to all services mentioned in the CPSs. [ETSI EN 319 401, REQ-7.12-02]
This finding refers to the use of external RA.
In 2018 the CP contained the possibility to use an external RA. It contained general requirements, i.e. the CA is responsible for the operation of the external RA and the details of the cooperation shall be fixed in the service contract. The option of the external RA has never been used.
There was no detailed description for the external RA in the termination plan, because the exact way of operation was not fixed.
The auditor required Microsec to work out all the details for each possibility included in the CPS.
Microsec did not use an external RA at that time and did not plan to use one. Instead of working out the details of a non-existent cooperation, Microsec removed all the parts related to external RAs from its CPS.
> ** The TSP shall check the possibilities to store and review video logs
> for a longer period of time. [ETSI EN 319 411-1, OVR-6.4.2-07]
In 2018, due to the Hungarian regulations, video logs were allowed to be stored only for 3 days.
Microsec agreed with the auditor that this was not sufficient in all cases (for example in case an incident happens on Friday) and asked the authorities to amend this regulation.
This national regulation was changed in 2019 and after this change Microsec increased the storage time of the video logs to 30 days.
> ** The TSP shall maintain dual control for performing critical functions on
> the core systems (including Root CA, intermediate CAs, archiving system,
> TSA system, OCSP responders etc.) [ETSI EN 319 411-1, GEN-6.4.3-02,
> OVR-6.4.8-07, GEN-6.5.1-04, GEN-6.5.2-06]
This finding refers to dual control upon leaving the server room.
Microsec uses dual control in each component of its system as a general requirement. It is not only required by our processes but also enforced by our IT systems critical for the certificate management.
Microsec also has dual control for the physical access in several places.
Access to the data center server room is only possible if two authorized persons use their contactless cards and enter their passwords at the same time. The distance of the card readers and the time limit makes it impossible for a single person to enter the server room alone.
This system was used for entry to the server room, but it was not used to enforce the use of two cards when leaving the server room.
The auditor required Microsec to install the same system so that the server room can be left only under dual control.
Microsec installed the same system inside the server room, and now it is possible to leave the server room only if two authorized persons are present.
> ** The TSP shall develop a restoration plan which schedules the
> restoration over time to cover every system. [ETSI 319 411-1, OVR-6.4.8-05]
This finding refers to the readability of backup discs over a long period of time.
In 2018 Microsec used optical discs to store the system logs and the backup data.
The discs are stored in two copies in the data centers in a physically protected metal cabinet. The temperature and the humidity are controlled, there is no light or other radiation, so the discs are expected to remain readable for the 10 years storage period.
These discs are durable for at least 10 years. Earlier, the discs were checked for readability only when the data was needed. Microsec had never experienced any problem with the readability of any disc.
The auditor asked Microsec to make a plan and to check the readability of all the stored discs regularly by defining sampling rules. Microsec shall check that the stored data is readable and suitable for restoring the whole working system from the stored data.
Microsec developed a maintenance plan, and since then, based on the plan, regularly checks the readability of the discs.
In September 2019 Microsec introduced a new system for backup purposes based on magnetic tape. The backup is made in parallel on two locations and stores all the log and backup data continuously.
We have two tapes at each location: one tape is active in the tape recorder, and the other is stored in a safe deposit at that location as a backup tape. The active and the backup tapes are swapped monthly at both locations. After the tape change, the system checks the content of the installed tape and automatically copies the missing log data (the log of the previous month) to the tape. The readability of the tape is automatically checked by the recording system when writing new data to the log.
The log data is also stored on the storage system and is removed from the backup server only after copying all data to the tapes in 4 copies.
> ** The TSP shall approve and publish the latest version of its CP and
> CPS documents. [ETSI EN 319 401, REQ-6.1-05]
During the audit Microsec had an open draft version of the public documents, and Microsec made some smaller changes based on the requirements of the auditor. The audit was partially based on this draft document, and in this way the auditor recorded that the draft version shall be published.
The new versions of the public documents were published on the planned date with the already agreed improvements.
> ** The TSP shall modify the web application form and the registration
> interface in such a way that it is clearly indicated what kind of
> information is required for the issuance of the given certificate in
> accordance with the policies. Misleading information shall be avoided.
> [ETSI EN 319 401, REQ-6.1-01]
Microsec employs web-based forms to offer clients an easy certificate request method for the most widely used certificate types.
The finding refers to the application form for the electronic signature certificate. The customers who require electronic signature certificates typically belong to some organization, and the form required the organization data to be entered, but the auditor wanted to request a certificate as a private person without any organization data.
The form did not specify that it was designed only for those natural persons who are associated with an organization. Based on this finding Microsec reviewed all the certificate request forms and made the necessary improvements. The form header now clearly describes what type of certificate you can apply for using the form.
> * The following minor non-conformities are listed in the 2018 EV
> attestation statement:
This is the period-of-time EV attestation letter for the new ECC root, dated 2019-06-12.
This is the same document as the one included for the year 2019.
> ** Findings with regard to ETSI EN 319 401: 7.11 Business continuity
> management - Documentation and implementation of the generation of the
> OCSP certificates within the BCP document shall be improved. [ETSI EN
> 319 401, Clause 7.11]
The generation of the OCSP certificates was changed; it was moved to another server. The current version of the Business Continuity Plan contained the earlier server configuration and not the current configuration.
Microsec reviewed the whole BCP document and corrected the fault in it.
Microsec held a training for the employees responsible for the maintenance of the BCP document, to ensure that it is kept up to date.
> ** Findings with regard to ETSI EN 319 411-1: 6.2 Identification and
> authentication - Documentation and implementation of the internal
> guideline with regard to the verification of possible organizations
> shall be improved. [ETSI EN 319 411-1, Clause 6.2.2 a), g), i)] [EVCG,
> Clause 11.1.1, Point 1. (A)] [ETSI EN 319 411-1, Clause 6.2.2 a)]
The internal documents contain detailed guidelines on how to validate the data of an organization. Hungary has a national company registration system which contains all the data of the bigger companies. The database is publicly available and contains the actual and authentic data of all the registered companies.
Microsec uses this service during the validation of the company data.
This database does not contain the registration data of private entrepreneurs. Since these entities very rarely apply for certificates, the internal guideline did not specify how to check private entrepreneurs; this information was planned to be added as needed at the first such application. Registration officers were aware of this. This did not cause any problems in practice; no such entity has requested an EV certificate from Microsec.
Based on the finding of the auditor, Microsec developed the validation rules for this type of entity and added this information to the internal guideline.