5.4 Audit logging procedures

5.4.1 Types of events recorded

The CA and each Delegated Third Party SHALL record details of the actions taken to process a certificate request and to issue a Certificate, including all information generated and documentation received in connection with the certificate request; the time and date; and the personnel involved. The CA SHALL make these records available to its Qualified Auditor as proof of the CA’s compliance with these Requirements.

The CA SHALL record at least the following events:

  1. CA key lifecycle management events, including:
     • Key generation, backup, storage, recovery, archival, and destruction; and
     • Cryptographic device lifecycle management events.
  2. CA and Subscriber Certificate lifecycle management events, including:
     • Certificate requests, renewal, and re-key requests, and revocation;
     • All verification activities stipulated in these Requirements and the CA’s Certification Practice Statement;
     • Date, time, phone number used, persons spoken to, and end results of verification telephone calls;
     • Acceptance and rejection of certificate requests;
     • Issuance of Certificates; and
     • Generation of Certificate Revocation Lists and OCSP entries.
  3. Security events, including:
     • Successful and unsuccessful PKI system access attempts;
     • PKI and security system actions performed;
     • Security profile changes;
     • System crashes, hardware failures, and other anomalies;
     • Firewall and router activities; and
     • Entries to and exits from the CA facility.

Log entries MUST include the following elements:

  1. Date and time of entry;
  2. Identity of the person making the journal entry; and
  3. Description of the entry.

5.4.2 Frequency of processing log

No stipulation.

5.4.3 Retention period for audit log

The CA SHALL retain any audit logs generated for at least seven years. The CA SHALL make these audit logs available to its Qualified Auditor upon request.

5.4.4 Protection of audit log

No stipulation.

5.4.5 Audit log backup procedures

No stipulation.

5.4.6 Audit collection system (internal vs. external)

No stipulation.

5.4.7 Notification to event-causing subject

No stipulation.

5.4.8 Vulnerability assessments

Additionally, the CA’s security program MUST include an annual Risk Assessment that:

  1. Identifies foreseeable internal and external threats that could result in unauthorized access, disclosure, misuse, alteration, or destruction of any Certificate Data or Certificate Management Processes;

  2. Assesses the likelihood and potential damage of these threats, taking into consideration the sensitivity of the Certificate Data and Certificate Management Processes; and

  3. Assesses the sufficiency of the policies, procedures, information systems, technology, and other arrangements that the CA has in place to counter such threats.