"Supply chain policy"
A practical guide to the policy, practice, risk, security, incident, continuity, and supplier evidence expected by ETSI EN 319 401 V3.1.1.
Use it to build source-linked trust service provider evidence without turning EN 319 401 into an unsupported compliance claim.
ETSI EN 319 401 policy and security work starts with the trust service boundary, then connects risk assessment, practice statements, terms and conditions, information security policy, operational security controls, incident handling, evidence retention, continuity, termination, and supplier controls. The standard is a baseline for trust service provider operation and management practices; service-specific ETSI standards can refine or extend it for particular trust services.
The standard applies general policy requirements to Trust Service Providers independent of the type of trust service. It covers operation and management practices, while noting that other specifications can refine and extend the requirements for particular trust services. That makes scope the first decision: name the trust service, service policy, systems, facilities, people, suppliers, and external organizations that support the service.
Clause 5 then requires the TSP to identify, analyse, and evaluate trust service risks, choose risk treatment measures, document the security requirements and operational procedures needed for those treatments, review the risk assessment regularly, and have management approve the assessment and accept residual risk. Policy text that is not traceable to this risk work is weak evidence.
Clause 6.1 requires the TSP to specify the policies and practices appropriate for the trust services it provides, have them approved by management, publish and communicate them as relevant, and maintain a trust service practice statement that addresses the requirements of the applicable trust service policy. The practice statement also has to identify obligations of external organizations supporting the service.
The same clause requires relevant documentation to be made available to subscribers and relying parties as necessary to demonstrate conformance to the trust service policy, while allowing sensitive aspects to remain undisclosed. When practice-statement changes might affect acceptance by subjects, subscribers, or relying parties, EN 319 401 requires due notice and immediate availability of the revised practice statement after approval.
Clause 6.2 requires terms and conditions to be available to subscribers and relying parties, made available before entering a contractual relationship, provided through a durable means of communication, and written in readily understandable language. Those terms need to specify, for each supported trust service policy, items such as the policy applied, service limitations, subscriber obligations, relying-party information, event-log retention, liability limits, applicable legal system, complaints and dispute procedures, conformity-assessment status and scheme where applicable, contact information, and availability undertakings.
Clause 6.3 requires an information security policy approved by management and setting out the organization's approach to information security. It must be documented, implemented, and maintained, include controls and operating procedures for facilities, systems, and information assets, communicate changes to third parties where applicable, notify important service-provision changes to appropriate parties, and review the policy and asset inventory at planned intervals or after significant changes.
An EN 319 401 security policy only becomes useful when it is tied to operational controls. The standard requires reliable organization practices, segregation of conflicting duties, personnel and contractors who apply information security according to TSP policies, documented security roles and responsibilities, identified trusted roles, asset inventory and classification, controlled storage-media handling, least-privilege access administration, privileged-account controls, and authentication of users before they are allowed to use critical applications.
The technical side continues through cryptographic key lifecycle controls, physical protection for critical service components, secure design analysis for systems development, change control for operational software and configurations, malware protection, configuration monitoring, network segmentation, zone-based controls, separation of administration and production networks, trusted channels between trustworthy systems, vulnerability scanning, and penetration testing after significant infrastructure or application changes.
Clause 7.9 requires monitoring and logging mechanisms, detection of abnormal activities as alarms, regular review of logs, incident response procedures for containment, eradication, and recovery, communication plans, incident documentation, interfaces between incident handling and business continuity, reporting procedures, severity assessment, reclassification as new inputs arrive, and post-incident reviews that identify root cause and reduce recurrence risk.
Clause 7.10 requires the TSP to record and keep accessible relevant information about data issued and received by the TSP for an appropriate period, including after the TSP's activities cease, for legal evidence and continuity. Clauses 7.11 and 7.12 add continuity, backup, crisis management, and termination planning, including subscriber and relying-party notices, subcontractor authorization termination, evidence-transfer arrangements, private-key destruction or withdrawal, and continued access to public keys or trust service tokens for a reasonable period.
Clause 7.14 requires the TSP to address security risks from supplier products and services, including the ICT supply chain. The supply-chain policy has to identify and communicate the TSP's role, define criteria for selecting and contracting suppliers or service providers, and consider cybersecurity specifications, risk and classification levels, diversification and vendor lock-in, and critical-supply-chain risk assessment results.
When other parties provide parts of the service through subcontracting, outsourcing, or other arrangements, EN 319 401 requires the TSP to maintain overall responsibility for conformance with the supply chain policy, information security policy, and trust service policy requirements. Supplier agreements, SLAs, audit mechanisms, critical-component traceability, cloud shared-responsibility expectations, supplier registers, and supplier-change reviews should therefore sit in the same evidence file as the policy and security requirements.