Editor: Philipp Dunkel
Creation date: 20090313
CAcert's Security Policy 9.1.4 ("SP") passes the Background Check of critical roles to the responsibility of an Arbitrator in a duly filed dispute.
For optimum security of CAcert information, the total number of people having access to systems should be zero. However, reality requires people to administer systems, access to data by support persons, and much more. In order to still retain as much security as possible, the people that actually do have access to systems need to be well controlled.
In order to achieve this, CAcert finds it essential to apply principles such as four eyes and dual control over the checking of critical roles. See SP1.2. However, four eyes only have value if they are four reliable and qualified eyes. Therefore, all personnel that are to have access to systems and data must be vetted and evaluated for competence, reliability and conflicts.
Vetting personnel has always been a challenge because much depends on the person doing the vetting and the procedures used to do this vetting. For this reason the procedure needs to be well defined. This is an attempt to do so for the purposes of CAcert.
This procedure document outlines the process for the benefit of Arbitrators. It represents (or will represent) precedent where confirmed by prior Arbitrations. Each Arbitrator may make modifications in his ruling, under Dispute Resolution Policy (COD7), which should then be entered into this Procedure.
See also Security Manual for additional preamble.
The vetting of personnel given access to CAcert systems and data should be done by a random person associated with CAcert. This is to ensure that the person doing the vetting is not previously acquainted with the person being vetted and therefore possibly influenced by that previous acquaintance contrary to objective opinion.
We currently already have a body of people being trusted for their objective opinions. These are the people entrusted with arbitration. Arbitration also has a well defined process and escalation procedure in place that is well suited to the task. Therefore the vetting should be done by an Arbitrator randomly assigned to the case.
This is done by filing a dispute "against" the person being vetted on their competence and reliability. This arbitration is an administrative proceeding and has no implication against the person. In general, the team leader for the team concerned would file the dispute, but this is not fixed.
The Arbitrator and case-manager vet the person in question by requesting background information and conducting an interview. Then, the Arbitrator issues a ruling as to whether the person is considered reliable and competent enough to be granted access to systems and data.
The Arbitrator should request from support a list of all assurances done on the person in question. CAcert should require the person in question to have been assured by at least two CAcert assurers.
The Arbitrator requests a curriculum vitae / resume and other documents from the person being vetted. This should be a resume similar to that submitted as part of a job application and should include basic personal information as well as relevant professional experience.
The person being vetted should also provide two pertinent references as to their character and experience. Again this is similar to references provided with job applications. The aim here is that the Arbitrator can check these references and get a third party opinion on the person in question. The Arbitrator should check those references, keeping in mind their purpose.
The Arbitrator will request contact information from the person in question. This means more than just an email address: it also includes telephone numbers, chat handles (AIM, Skype, ICQ, etc.) and a physical address. The Arbitrator then has to attempt to verify that information. The extent of the verification required is decided by the Arbitrator, keeping in mind the purpose of that information.
The purpose of the contact information is two-fold. Firstly, CAcert needs to be able to contact the person in case of emergencies and to do so in a timely manner. See SP6.4. Secondly, CAcert needs to be able to use that information in the event of problems in the future. See SP220.127.116.11, e.g., to provide that contact information to Arbitration or foreign courts.
The last part of the process is an interview, which can be conducted in person, by telephone or by chat system. This should, however, be a live conversation (i.e., synchronous and not asynchronous). It should be recorded or minuted.
The purpose of this is to give the opportunity to question the candidate in a bit more detail and provide the Arbitrator with a clearer picture of the candidate. This again is similar to a job interview and also gives the candidate the opportunity to clear up areas of his resume that have been misunderstood by the Arbitrator.
Issues that should be addressed include:
The ruling issued by the Arbitrator consists of two parts. The first is whether the candidate in question should be considered reliable enough to gain access to CAcert systems and data as part of their work for CAcert. The second part is a recommendation on continued training in the areas of data security, social engineering, and other relevant fields.
The proceedings and their recording follow the general rules for all arbitrations. The Arbitrator should feel at liberty to strike personal information gathered during the process from the public record but should in all cases ensure that all information is retained in some manner. This is an evaluation of the public need for that information vs. the privacy of the applicant. Care should be taken to balance these issues in accord with the applicant and the wider Community.