...
The Virginia Tech User CA Certification Practice Statement describes controls for EJBCA software maintenance the VTCA software (EJBCA), its maintenance, and security in sections 6.6.1 and 6.6.2. Section 6.7 specifies that Network Security Controls must be implemented to protect against known network attacks. Controls include up to date patching of operating system and application software, appropriate network boundary controls, turning off unused network ports and services, restricting installed software to that which is required to operate the CA. Login access to the VTCA EJBCA and TAS requires the use of the eToken, issued at the Silver level. Audit logs and archives are maintained, with restricted access to those logs. Separation of duties for PKI roles is required and enforced through data base roles, and secured channels are used for all network communication. The servers are scanned daily by the Information Security Office. Disaster recovery plans are documented and tested.
...