5.1 Physical Controls
5.1.1 Physical access
COMTRUST’s network and operations are hosted in one of Etisalat’s
buildings. A number of measures have been adopted for the
physical security of the site and to ensure that access is limited
to authorized individuals only. The facilities hosting the
on-line CA, off-line CA and the repository have formidable
access control mechanisms to allow only authorized personnel
and visitors to access these facilities. The building is a
reinforced concrete structure with heavy doors and powerful
locks.
5.1.2 Site location and construction
Trusted employees man the COMTRUST facility round the clock.
The building has a four-tier security structure entailing
employee ID cards, smart cards, biometric readers and retina
scan. Access to security tier 1 is through smart card whereas
access to security tiers 2 and 3 is through smart card and
biometric readers. Access to security tier 4 (highest security
level) is through smart cards and retina scanner.
5.1.3 Power and air conditioning
The building has a reliable primary and secondary power /
air conditioning system to ensure safe operation. The
power backup consists of high-power diesel generators and
a battery-based UPS system. In case of a power failure, the
UPS system immediately starts providing backup power until
the diesel generators are fully activated.
5.1.4 Water exposures
No exposure
5.1.5 Fire prevention and protection
A fully automated system has been installed in the building
to ensure fire prevention and protection.
5.1.6 Media storage
Daily backups for mission critical data and full system backups
are kept off-site in another building. The building has extensive
physical security to ensure access to authorized personnel
only.
5.1.7 Waste disposal
All paper waste is shredded before disposal. There is no other
type of waste emanating from the COMTRUST site as all the
systems are recyclable.
5.1.8 Off-site backup
See section 5.1.6
5.2 Procedural Controls
5.2.1 Trusted roles
COMTRUST shall formulate and follow personnel and management
practices that provide reasonable assurance of the trustworthiness
and competence of their employees and of the satisfactory
performance of their duties. Such practices shall be consistent
with this CPS. All employees working in trusted roles shall
be treated as trusted employees.
5.2.2 Number of persons required per task
COMTRUST has designed and implemented strict security regimens
to ensure that only authorized personnel perform the tasks
as delegated to them. Tasks with high sensitivity are required
to be performed by multiple trusted employees. These policies
also ensure that a sensitive task cannot be performed until
at least two trusted employees jointly have both physical
and logical access to the device / facility.
5.2.3 Identification and authentication for each role
Identification and authentication stipulations for each trusted
role are ensured through a combination of physical and logical
security implementations. These are:
i) Physical Security Controls
ii) Smart Cards
iii) Biometrics
iv) Retina Scanners
v) Logical Security Controls
vi) Access levels defined in line with job responsibilities for the trusted role.
5.3 Personnel Controls
5.3.1 Background, qualifications, experience, and clearance requirements
COMTRUST will employ suitable personnel in accordance with
specific skills and qualifications and the clearance requirements of
the UAE Immigration Department, and will train them appropriately to
operate its Certification Services in compliance with internationally
acceptable industry standards and to assume trusted roles. Such
employees shall be treated as trusted employees.
COMTRUST representatives (including CSRs) will be fluent in written and spoken Arabic and English and will be given suitable training on verification of relevant documents submitted by certificate applicants.
5.3.2 Background check procedures
See section 5.3.1
5.3.3 Training requirements
COMTRUST provides all the necessary training to its operational staff to help them perform their duties in the best possible manner. Staff are also trained on the job to specialize in a certain functional area of expertise. As and when changes in the Certification Authority system occur, the staff undergo the necessary training to make sure that such changes are implemented smoothly.
5.3.4 Retraining frequency and requirements
See section 5.3.3.
5.3.5 Job rotation frequency and sequence
Not applicable
5.3.6 Sanctions for unauthorized actions
All trusted employees are made to understand that they are required to adhere to the functional roles and responsibilities specified for them. If any violation is noticed, COMTRUST shall suspend the access of the personnel involved to all CA systems immediately on noticing such violation.
5.3.7 Contracting personnel requirements
COMTRUST shall formulate and follow personnel and management practices that provide reasonable assurance of the trustworthiness and competence of their employees and of the satisfactory performance of their duties. Such practices shall be consistent with this CPS. Any COMTRUST sub-contractor, when employed for a certain task, is judged in accordance with the criteria applicable to full-time employees.
5.3.8 Documentation supplied to personnel
All COMTRUST personnel are provided detailed job descriptions in order for them to successfully perform in their designated roles.