OpenSSL

Cryptography and SSL/TLS Toolkit

Accessing Sensitive Information Policy

Purpose

The purpose of the Sensitive Information Policy (The Policy) is to outline the principles and behaviours adopted by OpenSSL when accessing Sensitive Information.

OpenSSL has a responsibility to maintain security for all sensitive information under its control and to secure this information against intentional or unintentional loss of confidentiality or integrity, so as to avoid financial loss, reputational damage or adverse impacts on our customers, contractors and contributors.

Scope

The policy applies to all OpenSSL contributors, contractors and individuals who use OpenSSL information resources.

The Policy establishes who can decide on what is deemed sensitive information, who can authorise access to it, which persons or roles have access to it, what they can access, under what circumstances they can access it and how the sensitive information can be used.

Note: The Policy doesn’t cover how they physically access the sensitive information.

Principles

Definition

Sensitive Information is defined as any information classified by OpenSSL or by law as private and confidential. Sensitive Information shall not include records that by law must be made available to the general public.

The Sensitive Information Table (SIT) will include the types of information that is considered by OpenSSL to be sensitive, this list is not exhaustive and by default includes any information deemed sensitive under legislation whether it is specifically listed or not.

Deciding what is Sensitive Information

  • OpenSSL Management Committee (OMC) will decide on what constitutes sensitive information on behalf of OpenSSL and maintain details of these in the SIT.
  • The OMC or their designated representative will ensure that the SIT is regularly reviewed and maintained.
  • For the purposes of The Policy, information that is deemed sensitive or requires restricted access under legislation is automatically considered to be part of the Sensitive Information Table in accordance with all legal obligations regardless of whether it appears in the SIT.
  • The OMC can choose to make publicly available information normally considered sensitive (excluding information deemed sensitive under legislation) in order for OpenSSL to conduct business eg program code in that instance the information is considered non-sensitive.

Authorisation to access sensitive information

  • The OMC will decide on who has access to sensitive information and what sensitive information they can access.
  • The OMC will consider requests to access sensitive information solely based on whether a contractor, contributor or other individual requires access in order to perform the roles, tasks and duties assigned to them by OpenSSL keeping in mind that protection of sensitive information is a critical business requirement however the ability to work effectively and appropriately access sensitive information is also important.
  • Contractors, contributors or individuals will only be permitted to access sensitive information where they have either been given specific permission from the OMC or where the OMC has deemed their role to require access in order to perform their required tasks and duties.
    • A list of Roles and individuals with access to sensitive information and what sensitive information they can access, will be maintained and regularly reviewed by the OMC or its designated representative, to ensure only those who need access have access. This list can be found in the Sensitive Information Access Table (SIAT).
    • Where a role is listed in the SIAT, all persons performing this role are considered to have been granted authorization by the OMC to access the listed sensitive information, whilst they are performing this role.
    • Where an individual has several roles their authorized access will be an amalgamation of all the roles they perform. Eg if you are a Developer & on the OMC you would have the authorization to access everything covered by both the Developer and OMC roles.
  • Where practical, access privileges will be differentiated by user and user accounts which will be used in preference to root accounts.
  • OpenSSL will maintain controls that limit access to sensitive information which are adequate, relevant and not excessive.
  • Exemptions: The OMC must authorise any exemptions regarding access to sensitive information and this would only occur where there is a business need to be exempted from this policy (i.e. too costly, too complex, adversely impacting other business requirements). A risk assessment must be conducted and reviewed by the OMC prior to any authorisation being provided.

Use of Sensitive Information

Sensitive Information can only be accessed and used for business purposes ie in the performance of a person’s role, allocated task or duties as assigned to them by OpenSSL in the course of conducting OpenSSL business activities.

Breaches of The Policy

Where any OpenSSL contractor, contributor, or individual who uses OpenSSL information resources is found in violation of The Policy they may be subject to disciplinary action, up to and including termination of any contractual arrangements.