##master-page:AuditResultTemplate
##master-date:2014-06-24
#acl BenediktHeintel:read,write,delete,revert,admin TeamAudit:read,write BoardGroup:read All:read
#format wiki
#language en
= Audit Finding Tracking =

== Non-Conformities ==
|| '''Status''' || '''Text''' || '''Source''' || '''Opened''' || '''Closed''' || '''Responsible''' ||
|| {-} || I. "The Name is recorded as a string of characters, encoded in unicode transformation format." || [[Audit/Results/session2015.1#Non-Conformities|session2015.1]] || 2015-04-10 || || Software Team ||
|| {-} || II. Allow members to record additional names or variations of their name in their online account. || [[Audit/Results/session2015.1#Non-Conformities|session2015.1]] || 2015-04-10 || || Software Team ||
|| {g} || I. Generate root certificates with the basicConstraints extension marked critical and the organisation information set. || [[Audit/Results/session2015.3#Non-Conformities|session2015.3]] || 2015-09-13 || 2015-10-03 || NRE Team ||
|| {g} || II. Generate sub-root certificates with the fields required by BR 7.1.2.2 set. || [[Audit/Results/session2015.3#Non-Conformities|session2015.3]] || 2015-09-13 || 2015-10-03 || NRE Team ||

== Recommendations ==
|| '''Status''' || '''Text''' || '''Source''' || '''Opened''' || '''Closed''' || '''Responsible''' ||
|| {-} || V. Complete rework of the ABC questionnaire: specific questions for the roles Software Assessor, Access Engineer, (Critical) System Administrator and Support Personnel should be attached. The questionnaire should be reviewed regularly for applicability, so that it reflects changes, threats and risks within and outside of CAcert. || [[Audit/Results/session2014.1#Recommendations|session2014.1]] || 2015-08-26 || || DRO ||
|| {-} || I. "Optional: If the Assurance is reciprocal, then the Assurer's email address and Secondary Distinguishing Feature are required as well;" || [[Audit/Results/session2015.1#Recommendations|session2015.1]] || 2015-04-10 || || Software Team ||
|| {g} || I. The CA root and all of its sub-roots should not be valid prior to their generation (the notBefore date must not predate the generation). || [[Audit/Results/session2015.3#Recommendations|session2015.3]] || 2015-09-13 || 2016-03-12 || NRE Team ||
|| {-} || II. Transfer the documentation from the pad to CAcert's Wiki. || [[Audit/Results/session2015.3#Recommendations|session2015.3]] || 2015-09-13 || || NRE Team ||
|| {g} || III. Add a flag to all.sh to allow or disallow root key and certificate generation. || [[Audit/Results/session2015.3#Recommendations|session2015.3]] || 2015-09-13 || 2015-12-22 || NRE Team ||
|| {g} || I. Enclose the last echo commands in execute.sh in quotation marks. || [[Audit/Results/session2015.4#Recommendations|session2015.4]] || 2015-10-14 || 2015-12-02 || Software Team ||
|| {g} || II. Transfer the procedure from GitHub to CAcert's Wiki. || [[Audit/Results/session2015.4#Recommendations|session2015.4]] || 2015-10-14 || || Software Team ||
|| {g} || III. Disturbances should be avoided under all circumstances: before the session every mobile phone and pager should be switched off and placed on a table, the door should be closed during the session, and entering or leaving the room should be forbidden while the session is running. || [[Audit/Results/session2015.4#Recommendations|session2015.4]] || 2015-10-14 || 2016-03-12 || Software Team ||
|| {-} || IV. Have USB sticks of different brands available to avoid hardware failures and compatibility issues. || [[Audit/Results/session2015.4#Recommendations|session2015.4]] || 2015-10-14 || || Software Team ||

= Incident Action Tracking =
|| '''Status''' || '''Text''' || '''Source''' || '''Opened''' || '''Closed''' || '''Responsible''' ||
|| {-} || Dispute [[Arbitrations/a20140712.1|a20140712.1]] open || [[Audit/Incidents/i20140625.1#A5._Permanent_Corrective_Action|i20140625.1]], [[Audit/Incidents/i20140814.1#A7._Preventive_Actions|i20140814.1]] || 2014-07-13 || || Arbitration ||
|| {-} || 1) that the Board takes steps to ensure that each CAcert team member of Support, SE, Arbitration and Infrastructure honours CAcert's Privacy Policy and proves their understanding of that policy by repeating the PP CATS test yearly. || [[Audit/Incidents/i20140625.1#A7._Preventive_Actions|i20140625.1]], [[Audit/Incidents/i20140628.1#A7._Preventive_Actions|i20140628.1]], [[Audit/Incidents/i20140814.1#A7._Preventive_Actions|i20140814.1]], [[Audit/Incidents/i20151205.1#A7._Preventive_Actions|i20151205.1]] || 2014-07-13 || || Board ||
|| {-} || 2) the change has to be retained in the corresponding policies via Arbitration and the Policy Group. || [[Audit/Incidents/i20140625.1#A7._Preventive_Actions|i20140625.1]], [[Audit/Incidents/i20140628.1#A7._Preventive_Actions|i20140628.1]], [[Audit/Incidents/i20140814.1#A7._Preventive_Actions|i20140814.1]], [[Audit/Incidents/i20151205.1#A7._Preventive_Actions|i20151205.1]] || 2014-07-13 || || Board ||
|| {-} || 3) the required CATS test is prepared under the responsibility of the Education Team. || [[Audit/Incidents/i20140625.1#A7._Preventive_Actions|i20140625.1]], [[Audit/Incidents/i20140628.1#A7._Preventive_Actions|i20140628.1]], [[Audit/Incidents/i20140814.1#A7._Preventive_Actions|i20140814.1]], [[Audit/Incidents/i20151205.1#A7._Preventive_Actions|i20151205.1]] || 2014-07-13 || || Board ||
|| {-} || Dispute [[Arbitrations/a20140422.1|a20140422.1]] open || [[Audit/Incidents/i20140628.1#A5._Permanent_Corrective_Action|i20140628.1]] || 2014-07-13 || || Arbitration ||
|| {-} || 1. (A) should apologise to (B) and (C) for the tone of the email. || [[Audit/Incidents/i20151205.1#A5._Permanent_Corrective_Action|i20151205.1]] || 2015-12-18 || || Member (A) ||
|| {g} || 1. Support to pass one account-deletion request through to Arbitration, to clarify whether locking the account or a milder method is appropriate => [[Arbitrations/a20141024.1|a20141024.1]] || [[Audit/Incidents/i20141011.1#A7._Preventive_Actions|i20141011.1]] || 2015-08-11 || 2016-04-23 || Support ||
|| {-} || 2. Attach a process diagram to the process description in the Support Handbook. || [[Audit/Incidents/i20141011.1#A7._Preventive_Actions|i20141011.1]] || 2015-08-11 || || Support ||
|| {-} || 2. Standard templates for initial mails should be provided by the Organisation Assurance Officer, to ensure a common communication towards potential organisation assurances and to avoid mistakes. || [[Audit/Incidents/i20151205.1#A5._Permanent_Corrective_Action|i20151205.1]] || 2015-12-18 || || OAO ||
|| {-} || 3. The Organisation Assurance Officer should advise all of his Organisation Assurers to use OTRS as the standard tool for answering tickets. || [[Audit/Incidents/i20151205.1#A5._Permanent_Corrective_Action|i20151205.1]] || 2015-12-18 || || OAO ||
|| {-} || 4. Delete the email thread containing the wrong support email addresses from the public mailing lists. || [[Audit/Incidents/i20151205.1#A5._Permanent_Corrective_Action|i20151205.1]] || 2015-12-18 || || List Admin ||
----
. CategoryAudit