WebTrust Principle 3

CA Environmental Controls

The third principle is—The certification authority maintains effective controls to provide reasonable assurance that:

• Subscriber and relying party information is restricted to authorized individuals and protected from uses not specified in the CA’s business practices disclosure




• The continuity of key and certificate life cycle management operations is maintained




• CA systems development, maintenance, and operation are properly authorized and performed to maintain CA systems integrity

The establishment and maintenance of a trustworthy CA environment is essential to the reliability of the CA’s business processes. Without strong CA environmental controls, strong key and certificate life cycle management controls are severely diminished in value. CA environmental controls include CPS and CP management, security management, asset classification and management, personnel security, physical and environmental security of the CA facility, operations management, system access management, systems development and maintenance, business continuity management, monitoring and compliance, and event journaling.