GovRA Operations Manual (iGovPhil Program)

Posted 16-Jan-2022

GovRA Operations Manual

Overview

• Introduction

• Publications and Repository Responsibilities

• Identification and Verification

• Operational Requirements

• Facility Management and Operational Controls

Systems Overview

• An RA is a component of the Issuing CA that collects and processes digital certificate requests and certificate revocation / suspension requests. It comprises both staff and web-based tools. The RA manages the life cycle of the application process.

Basic Functions

• Identify the user and register the user information

• Transmit the certificate request to the CA

• Validate certificates from the CA directory server and CRL

• Request revocation of certificates.

Roles and Responsibilities

• The RA is primarily responsible for managing the registration function: the initial authentication and verification of the applicant, and approving or denying applicants for digital certificates. The RA provides an application form used by applicants to initiate the application process. In circumstances where the PKI will be issuing the applicant a digital certificate, certain information provided by the applicant in this form will be used for generating the associated personal digital certificate.

Roles and Responsibilities

• Agency Head

• RA Administrator

• External Auditor

• Systems Administrator

• Systems Operators

• Database Administrator

• Archiving and Office Administrator

• Review Committee / Officer

• Facility Security Officer

• Process Officers

Process Officers

• Submissions Officer

• Verification Officer

• Encoder

• Quality Control

• Help Desk

Publications and Repository Requirements

Publications and Repository Responsibilities

• The publicly accessible directory system shall be designed and implemented so as to comply with the following requirements:

• Available at all times of the day, and on all days of every year;

• Aggregate uptime not less than 99.7% in any one-month period;

• No single downtime shall exceed 30 minutes;

• A specific-purpose repository may be made available with specific hours of operation.

Identification and Verification

Types of Application Requests

• Application for authentication certificate

• Application for signing certificate

• SSL

• Revocation

• Suspension

Limits to Applications and Requests

• For lawful and intended purposes only.

• Must not be prohibited by the CP.

• The certificate must be used in accordance with its key-usage field extensions.

• The certificate must be valid at the time of reliance, as confirmed by reference to an online certificate status protocol (OCSP) or CRL check.

• Relying parties are required to seek further independent assurances before any act of reliance is deemed reasonable.

Application Process

• The application process shall only apply to end users who have undergone the verification process and enrolment process.

• During verification and enrolment, the identity of the end user must be ascertained and the accuracy of the information provided by the end user must be verified.

• The application process shall cover processing of the submitted documents, identification and authentication, approval or rejection of the request, and sending of the certificate.

• The application process shall be conducted within five days.

Acceptance & Publication

Acceptance

• Failure to object to the certificate or its contents within five days after notification of the issuance of the certificate constitutes acceptance of the certificate.

• Acceptance requires the acceptance by the subscriber of the Certificate Policy and Certificate Practice Statement, a copy of which is available online at _____.

• The application form shall likewise contain the subscriber's acceptance of the terms defined in the CP and CPS.

Publication

• All certificates shall be published in the CAs' repository system.

Verification, Authentication and Validation Process

Steps

• The Submission Officer shall check the completeness of the application form and the documentary requirements submitted.

• The Verification Officer shall ensure that the information provided in the application form is accurate by conducting random checks on pieces of information.

• The Quality Control Officer shall check the information that has been digitized by the Encoder to ensure that there is no discrepancy between the hard copy of the application form and the submitted documents, and the soft copy.

Renewal, Revocation, Suspension, and Modification Process

Circumstances for Renewal

• A certificate may be renewed if the public key has not reached the end of its validity period, the associated private key has not been compromised and the subscriber name and attributes are unchanged.

Circumstances for Revocation

• Key Compromise

• CA Compromise

• The CA is determined not to be compliant with its CP/CPS

• Cessation of Operation

• Privilege Withdrawn

• Reasonable Belief in Unreliability

• Other - the CA may also revoke digital certificates if:

– policy requirements are no longer being met by the subscriber;

– an authenticated request is received by a CA or RA from an individual subscriber or an authorized representative of a juridical entity subscriber;

– an authorized employee determines that an emergency specified under Section 12.12 of DTI DAO No. 10-09 has occurred that may impact the integrity of the certificates issued by the CA.

Circumstances for Suspension

• Suspension shall be an alternative to revocation in case the review committee, the RA, or the CA, upon investigation, does not find sufficient proof to either revoke or affirm the certificate.

• A request for suspension shall follow the same process as revocation;

• A suspension shall be temporary and limited to a maximum time;

• A suspended certificate may be terminated before the maximum suspension time under the following conditions: the purpose of the certificate is no longer applicable and the holder is no longer entitled to use the certificate, OR the holder requests immediate termination.

Circumstances for Certificate Modification

• Certificate modification is performed when change occurs in any of the information of an existing certificate.

• After modification, the original certificate may or may not be revoked but it must not be re-keyed, renewed, or modified anymore.

RA Operational Requirements

Hours of Operation

• GovRA offices shall be open from Monday to Friday during regular business hours, from 8 AM to 5 PM, to accept requests for new certificates, certificate modification, suspension, and revocation.

Facility Management and Operational Controls

Facility Management and Operational Controls

• Physical and Security Controls

• Procedural Controls

• Personnel Security Controls

Physical and Security Controls

• All computers and other electronic devices used to store subscriber information shall be secured by password and must be authenticated with digital certificates. The computers must be encrypted to prevent unauthorized access. All information must be stored in the cloud.

• Hard copies of the documents submitted by applicants and subscribers must be kept in secure, locked cabinets.

• Logs, minutes of reviews, and other documentation must be stored in secure, locked cabinets.

• The office shall be under 24/7 CCTV surveillance and shall regularly be patrolled by designated security guards.

• Any technicians, repair crew, service personnel or other outsiders must secure authorization and be escorted by the security officer before proceeding within the GovRA office.

Procedural Controls

• Trusted roles

• Document amendment process

• Logical access control

• Configuration management

• Archiving and recovery

• Control of removable media

• Storage and handling procedures

• Emergency and standard destruction procedures

Trusted Roles

• Access to certain functions shall only be given to appropriate officials, especially with regard to accessing subscriber information and data, server services, and other certificate-related functions. All GovRA personnel that need access to the PKI system are assigned individual accounts with a role attached to obtain privileges in the system;

• Certain roles shall require the separation of duties.

• No user shall be assigned multiple roles. The following roles have access to some part of the PKI system:

– Security officer

– System administrator

– System operator

– System auditor

– Database administrator

– Registration authorities.

Document Amendment Process

• Any amendment in the GovRA Manual shall be done by the PKI Committee no more than once a year.

• Any proposed amendments or changes to the GovRA manual shall be submitted by the GovRA branch or other proposing party to the RA administrator.

• The RA administrator shall then forward the document to the Agency Head.

• The Agency Head shall submit the document to the PKI Committee for discussion.

• Any changes and amendments to the GovRA manual may only be made by a majority vote from all the members of the PKI Committee.

• Other documents pertaining to GovRA operations shall likewise be changed through a proposal submitted and voted upon by the PKI Committee.

Logical Access Control

• A multi-layer access system shall be implemented to secure the GovRA office and the individual components within the office, especially the computer rooms and the file storage rooms. The multi-layer access system shall include the use of passwords, fingerprint recognition, and other software to limit access to the GovRA office.

• The RA Administrator shall authorize personnel's access to the rooms.

• The records room in particular shall only be accessible to the Archiving and Office Administrator.

• The computer room, if any, shall be accessed by the Systems administrator, system operators, and the database administrators.

• The computers shall be configured so that the overall administrator account shall only be accessed by the Systems administrator.

• The database accounts shall only be accessed by the database administrator.

Archiving and Recovery

• All applicant and subscriber information shall be digitized for digital storage.

• All data and information shall be managed by the Archiving and Office Administrator;

• All data shall be stored in the GovCloud for safety and backup.

• GovRA offices may also install separate servers for data backup.

Control of Removable Media

• The use of removable media, including magnetic media, flash drives, CDs, and other legacy hardware, inside GovRA offices shall be monitored strictly. Security guards shall check personnel before coming in and before leaving the GovRA office for any removable media. All removable media must be approved and authorized by the RA administrator first. Otherwise, these must be deposited with the security guards.

• The contents of removable media that are brought inside must be scanned by the systems administrator before being allowed to leave the facility. No information or data, in part or in whole, from the GovRA systems and databases may be stored or taken outside without prior authorization from the RA Administrator;

• Unauthorized copying of GovRA-related data shall be sanctioned;

• Any data pertaining to the GovRA authorized to be stored in removable media or taken outside of the office must be digitally signed by the officer taking the data out of the office, for tracking and reference.

Storage / Handling Procedures

• The office shall be opened at the start of shift by the security guard;

• Security guards shall check all personnel and officials before entry into the office. Any prohibited items such as removable media shall be stored in lockers outside of the office. Any personnel who access the lockers shall need to be checked by the security guard again before entry into the main GovRA office.

• Security guards shall check all personnel and officials before they leave the office.

• The security guard shall close the office. The name of the security guard who opens and closes the office shall be kept in the security guard log books. During non-business hours, the security guards shall inspect the office premises at least once every half hour. Any irregularities or disturbances shall be logged in detail and reported to the RA Administrator the following day.

Emergency and Standard Destruction Procedures

• All documents processed by GovRA offices shall be sorted by the Archiving officer and classified. Confidential materials shall only be accessed by officers with the appropriate security privilege or upon authorization by the RA administrator.

• All documents upon classification shall undergo digitization. GovRAs shall utilize the NARMIS for file storage and management, and shall tag or label documents according to their appropriate classification.

• Hard copies of documents shall be stored for a maximum of one (1) year, after which they shall be disposed of through a shredder. Files may also be sent to the National Archives of the Philippines for disposal.

Personnel Security Controls

• Trusted Roles

• Facility Security Officer

• Separation

• Audit Logging Procedures

• Records Archival

• RA Termination

• Compliance Audits and Other Assessments

• Confidentiality of Information

Trusted Roles

• Security Officer - Having overall responsibility for administering the implementation of the security policies and practices.

• System Administrator - Authorized to install, configure and maintain trustworthy systems, but with controlled access to security‑related information. This user does not have access to the EJBCA web interface.

• System Operator - Responsible for operating trustworthy system on a day‑to‑day basis. A System Operator is authorized to perform system backup and recovery.

• System Auditor - Authorized to view archives and audit logs of the trustworthy system.

• Database Administrator - Has privileged access to the database and can create users, databases and manipulate tables. The DBA has access during installation. During normal operations, the DBA is not allowed to log into the system.

• Registration Officer - Responsible for approving end entity certificate generation, revocation, suspension, renewal and re‑key.

Facility Security Officer

• The Facility Security Officer shall supervise the implementation of security procedures and protocols in the GovRA offices.

• FSO shall ensure that all the security procedures found in the GovRA Operations Manual, CP-CPS, and other standards and documents pertaining to the operations of GovRAs shall be implemented within the FSO's office.

• The FSO shall conduct security audits on a monthly basis, which shall include a check of all security logs, including the logs of the security personnel.

• The FSO shall be notified of any breach in security, whether physical or procedural. The FSO, in coordination with the RA Administrator, shall address security breaches.

Separation

• All personnel working in GovRAs who resign must submit a resignation letter to be approved by the direct supervisor.

• Upon approval by the direct supervisor, the resigning employee shall be given one month before separating from the office.

• An assessment and evaluation of the employee’s work shall be conducted. All assigned tasks must have been finished, unless the assigned task is not yet due, in which case, only the deliverable milestone is required.

• The immediate supervisor or a Human Resources Representative shall facilitate an exit interview and other formalities.

Audit Logging

• System Access – The user name and certificate serial number shall be recorded in the log for every system access to GovRA.

• Physical Access – The card number and user name shall be logged for physical access whenever the premises or office rooms are entered.

Records Archival

• All documents submitted by applicants and subscribers shall be digitized using the iGovPhil’s NARMIS application;

• Digitized documents shall be stored in the GovCloud;

• No active subscriber information may be deleted;

• Inactive subscriber or applicant information shall be retained for a period of at least two (2) years, but in no way more than ten (10) years.

• All documents and other records must be time-stamped.

RA Termination

• GovRAs shall remain active until mutually agreed upon with the GovCA.

• Upon termination or revocation of GovRA status, all files, archives, records, and logs must be forwarded to the GovCA;

• A public notice announcing the termination of the GovRA office must be published. In the event that an RA terminates its operation, it shall provide separate prior notice to ICTO-NCC, as Root CA, and DTI-PAO prior to termination;

• Subscribers must be notified. In the notification, the alternate GovRA office where subscribers can file their requests or ask for assistance must be provided.

Compliance Audits & Other Assessments

• GovRAs must be audited at least annually;

• A third party auditor shall be commissioned for the auditing, to ensure no conflict of interest.

• A background check shall be enforced upon all auditors to ensure that there is no relationship, business, commercial, or other interest in the matter.

Confidentiality of Information

• All information provided by subscribers and applicants is considered confidential and may not be shared by the GovRA with any person or agency.

• Access to subscriber or applicant information shall only be granted upon court warrant.

• Under no other circumstances may a GovRA disclose any information belonging to an applicant or a subscriber.