CAs shall implement and maintain a Network and Systems Security Program.
The CA shall implement and maintain network and systems security documentation (e.g. physical, personnel, procedural and technical controls) appropriate for the services provided.
- WebTrust § 3.1.1 - An information security policy document, that includes physical, personnel, procedural and technical controls, is approved by management, published and communicated to all employees.
- NIST 800-53 PM-1 a. Develop and disseminate an organization-wide information security program plan that: ….
- ETSI 6.3
The Security Plan shall be reviewed and updated at least annually.
- WebTrust § 3.1.3 - There is a defined review process for maintaining the information security policy, including responsibilities and review dates.
- NIST 800-53 PM-1 c. Update the information security program plan to address organizational changes and problems identified during plan implementation or control assessments.