See below for the practice statements on audit logging procedures.
Types of Events Recorded
Significant security events in the CAs are automatically time-stamped and recorded as audit logs. Audit logs are archived periodically. Where these events cannot be electronically logged, the CA shall supplement electronic audit logs with physical logs as necessary.
The foregoing record requirements include, but are not limited to, an obligation to record the following events:
- CA Certificate key lifecycle events, including:
  - CA Private Key generation, backup, storage, destruction, and recovery;
  - CA certificate requests and CA certificate revocation;
- Cryptographic device lifecycle management events;
- Subscriber Certificate lifecycle management events, including:
  - Certificate issuance requests and revocation requests;
  - Generation of CRLs;
- Security events, including:
  - Successful and unsuccessful PKI system access attempts;
  - PKI and security system actions performed;
  - Entries to and exits from the facility housing the HSM.
Frequency of Processing Data
A Security Information and Event Management (SIEM) system continuously monitors the audit logs. Policy violations and other significant events generate alerts that the operations and security teams review for malicious activity.
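As an added illustration of the kind of review the SIEM performs over these audit logs (this is example code written for this page, not Entrust's tooling; the pipe-delimited record format, the short category tags, the "always review" rule and the sample log lines are all constructed assumptions), the following script parses time-stamped records, rejects records that lack a time-stamp, and raises review alerts for unsuccessful PKI system access attempts, CA Private Key events, and events outside the recorded event taxonomy:

```python
"""Minimal SIEM-style review of CA audit records (constructed example)."""
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable

# Event categories taken from the "Types of Events Recorded" list above;
# the short tags are this example's own naming, not the CPS's.
KNOWN_CATEGORIES = {
    "ca_key",         # CA Private Key generation, backup, storage, destruction, recovery
    "ca_cert",        # CA certificate requests and CA certificate revocation
    "crypto_device",  # cryptographic device lifecycle management events
    "sub_cert",       # Subscriber Certificate issuance and revocation requests
    "crl",            # generation of CRLs
    "pki_access",     # successful and unsuccessful PKI system access attempts
    "pki_action",     # PKI and security system actions performed
    "facility",       # entries to and exits from the facility housing the HSM
}

# Assumption: any CA key or HSM-facility event is treated as significant and
# forwarded for review regardless of its outcome.
ALWAYS_REVIEW = {"ca_key", "facility"}


@dataclass(frozen=True)
class AuditRecord:
    timestamp: datetime
    category: str
    outcome: str  # "success" or "failure"
    actor: str
    detail: str


def parse_record(line: str) -> AuditRecord:
    """Parse one 'ts|category|outcome|actor|detail' line.

    Raises ValueError when the line is malformed or not time-stamped, so the
    caller can surface records that fail the time-stamping requirement.
    """
    fields = line.rstrip("\n").split("|", 4)
    if len(fields) != 5:
        raise ValueError(f"malformed record: {line!r}")
    ts, category, outcome, actor, detail = fields
    # Accept a trailing 'Z' on older Pythons by mapping it to an explicit offset.
    timestamp = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return AuditRecord(timestamp, category, outcome, actor, detail)


def review(lines: Iterable[str]) -> list[tuple[str, str]]:
    """Return (reason, line) pairs that the operations/security reviewer should see."""
    alerts: list[tuple[str, str]] = []
    for line in lines:
        try:
            rec = parse_record(line)
        except ValueError:
            alerts.append(("unparseable or unstamped record", line))
            continue
        if rec.category not in KNOWN_CATEGORIES:
            alerts.append(("event outside the recorded taxonomy", line))
        elif rec.category == "pki_access" and rec.outcome == "failure":
            alerts.append(("unsuccessful PKI system access attempt", line))
        elif rec.category in ALWAYS_REVIEW:
            alerts.append((f"significant {rec.category} event", line))
    return alerts


# Constructed sample log lines (not real CA audit data).
SAMPLE_LOG = [
    "2024-03-01T09:00:00Z|pki_access|success|alice|console login",
    "2024-03-01T09:02:11Z|pki_access|failure|mallory|console login, bad token",
    "2024-03-01T09:10:00Z|ca_key|success|alice,bob|CA private key backup under dual control",
    "2024-03-01T09:30:00Z|crl|success|ca-service|CRL generated",
    "2024-03-01T10:00:00Z|config_edit|success|carol|changed policy file",
    "no-timestamp|facility|success|dave|entered HSM room",
]

if __name__ == "__main__":
    for reason, line in review(SAMPLE_LOG):
        print(f"ALERT [{reason}]: {line}")
```

Running the script prints four alerts: the failed access attempt, the CA key backup (significant by the assumed rule), the `config_edit` line that is not in the recorded taxonomy, and the final line that carries no time-stamp and therefore cannot satisfy the logging requirement.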
Retention Period for Security Audit Data
The audit logs are retained on the PKI system for at least three months and periodically archived in accordance with section Records Archival.
Protection of Security Audit Data
Audit logs remain stored on the PKI systems until archived in accordance with section Records Archival. Only Trusted Role personnel have access to the PKI systems.
Audit Log Backup Procedures
Audit logs are periodically archived in accordance with section Records Archival.
Audit Collection System
Audit collection processes are integral to the system and cover its entire deployment time. Should it become apparent that an automated audit system has failed, the Operational Authority will be notified and will consider suspending operations until the audit capability can be restored.
Notification to Event-Causing Subject
No stipulation.
Vulnerability Assessments
Vulnerability scans are conducted monthly to identify system weaknesses and patching requirements for operating systems and supporting infrastructure. Identified vulnerabilities are analyzed and addressed in accordance with Entrust's Patch and Vulnerability Management Standards.
Risk Assessments
An annual risk assessment:
- Identifies foreseeable internal and external threats that could result in unauthorized access, disclosure, misuse, alteration, or destruction of any Certificate data or Certificate management processes;
- Assesses the likelihood and potential damage of these threats, taking into consideration the sensitivity of the Certificate data and Certificate management processes; and
- Assesses the sufficiency of the policies, procedures, information systems, technology, and other arrangements that the CA has in place to counter such threats.
Based on the risk assessment, a security plan is developed, implemented, and maintained, consisting of security procedures, measures, and products designed to achieve the above objectives and manage and control the risks identified during the risk assessment. The security plan includes administrative, organizational, technical, and physical safeguards appropriate to the sensitivity of the Certificate data and Certificate management processes. The security plan also considers the available technology and the cost of implementing the specific measures. It implements a reasonable level of security appropriate to the harm that might result from a security breach and the nature of the data to be protected.