4.11 End of Subscription ............................................................................................................................. 26
4.12 Key Escrow and Recovery .................................................................................................................. 26
4.12.1 Key Escrow ...................................................................................................................................... 26
4.12.2 Key Recovery ................................................................................................................................... 26
5 Facility, Management, and Operational Controls ...................................................................................... 29
5.1 Physical Controls..................................................................................................................................... 29
5.1.1 Site Location and Construction ........................................................................................................ 29
5.1.2 Physical Access ............................................................................................................................... 29
5.1.3 Power and Air Conditioning ............................................................................................................. 30
5.1.4 Water Exposures ............................................................................................................................. 30
5.1.5 Fire Prevention and Protection ........................................................................................................ 30
5.1.6 Media Storage .................................................................................................................................. 30
5.1.7 Waste Disposal ................................................................................................................................ 30
5.1.8 Off-Site Backup ................................................................................................................................ 30
5.2 Procedural Controls ................................................................................................................................ 30
5.2.1 Trusted Roles ................................................................................................................................... 30
5.2.2 Number of Persons Required for Task ............................................................................................ 32
5.2.3 Roles Requiring Separation of Duties .............................................................................................. 32
5.3 Personnel Controls .................................................................................................................................. 32
5.3.1 Qualifications, Experience, and Clearance Requirements .............................................................. 32
5.3.2 Background Check Procedures ....................................................................................................... 33
5.3.3 Training Requirements ..................................................................................................................... 33
5.3.4 Retraining Frequency and Requirements ........................................................................................ 33
5.3.5 Job Rotation Frequency and Sequence .......................................................................................... 34
5.3.6 Sanctions for Unauthorized Actions ................................................................................................. 34
5.3.7 Independent Contractor Requirements ............................................................................................ 34
5.3.8 Documentation Supplied to Personnel ............................................................................................ 34
5.4 Audit Logging Procedures ....................................................................................................................... 34
5.4.1 Types of Events Recorded ............................................................................................................... 34
5.4.2 Frequency of Processing Log .......................................................................................................... 36
5.4.3 Retention Period of Audit Log .......................................................................................................... 36
5.4.4 Protection of Audit Log ..................................................................................................................... 36
5.4.5 Audit Log Backup Procedures ......................................................................................................... 37
5.4.6 Audit Collection System (Internal vs. External) ................................................................................ 37
5.4.7 Notification to Event-Causing Subject ............................................................................................. 37
5.4.8 Vulnerability Assessments ............................................................................................................... 37
5.5 Records Archival ..................................................................................................................................... 37
5.5.1 Types of Records Archived .............................................................................................................. 37
5.5.2 Retention Period of Archive ............................................................................................................. 38
5.5.3 Protection of Archive ........................................................................................................................ 38
5.5.4 Archive Backup Procedures............................................................................................................. 38
5.5.5 Requirements for Time-Stamping of Records ................................................................................. 38
5.5.6 Archive Collection System (Internal vs. External) ............................................................................ 39
5.5.7 Procedures to Obtain and Verify Archive Information ..................................................................... 39
5.6 Key Changeover...................................................................................................................................... 39
5.7 Compromise and Disaster Recovery ...................................................................................................... 39
5.7.1 Incident and Compromise Handling Procedures ............................................................................. 39
5.7.2 Computing Resources, Software, and/or Data are Corrupted ......................................................... 39
5.7.3 Entity Private Key Compromise Procedures .................................................................................... 39
5.7.4 Business Continuity Capabilities After a Disaster ............................................................................ 40
5.8 CA or RA Termination ............................................................................................................................. 40
6 Technical Security Controls ........................................................................................................................ 42
6.1 Key Pair Generation and Installation....................................................................................................... 42
6.1.1 Key Pair Generation ......................................................................................................................... 42
6.1.2 Private Key Delivery to Subscriber .................................................................................................. 42
6.1.3 Public Key Delivery to Certificate Issuer .......................................................................................... 43
6.1.4 CA Public Key Delivery to Relying Parties ....................................................................................... 43