SPYRUS Policies and Procedures - Configuration Management and Quality Control
CM is a mandatory element of system security. Quality Control, or Quality Assurance, may be a mandatory element within a specific jurisdiction. CM and QC essentially describe the same thing: the methods and procedures through which the security components and safeguards are kept intact over time. The CM/QC Manual describes the procedures for maintaining control, whether these procedures are system-based or more administrative in nature. The QC Manual is necessary if an organization is required or wishes to conform to ISO 9000. The CM/QC Manual is internal, but will be used for security and/or quality audit.
If policy determines that CM and QC are separate requirements, then two manuals can be developed from the SPYRUS CM/QC Manual. Configuration Management will be part of the System Security Architecture (SSA), although it is usually not described in detail there; rather, it requires its own manual with procedures. These are used on a daily basis by system administrators, CA operators, system technicians and others who are in a position to make changes to the overall IT system of the organization. Communication and training are essential to ensure that CM procedures are rigorously enforced and followed throughout the organization.
Similarly, QC may require its own Manual, particularly if ISO 9000 certification is sought. Certification is more likely to be obtained if the Manual sets out a Quality Policy at the start (a policy that will reflect, and be derived from, business objectives and, in the PKI context, the Certificate Policy) and then the procedures to maintain that policy.
For PKI, configuration and change management are inherent in maintaining the trust and assurance of the certificates issued. Similarly, specified and written procedures on the processes involved in the daily operations of the organization are necessary as evidence of quality control.
The SPYRUS Configuration Management and Quality Control Manual was developed as an integral part of trust in the PKI. Our experience in delivering high-quality systems assures our customers that they can demonstrate a similarly high-quality PKI system once deployed.