#Redirect SecurityManual#Background_Check_Procedures

The trust check was suspended [[TopMinutes-20070917]] and was not required for critical systems [[Advisory/HRMinutes20070921]]. It was eventually superseded by the ABC process described in [[SecurityManual#Background_Check_Procedures|SM9.1.4]] and [[https://svn.cacert.org/CAcert/Policies/SecurityPolicy.html#9.1.4|SP9.1.4]]. The following text is therefore deprecated.

----

There are several roles that are very security-critical:

 * Administrators of the Servers and Services
 * Core-Developers (who develop themselves or approve changes from Non-Core-Developers)
 * Support-Personnel (who can access personal data and have support privileges on the database)
 * Internal auditors

People applying for any of those roles need to undergo the following checks and procedures:

 * Knowledge checks (good knowledge of the following topics has to be determined)
  * Secure programming (applies only to developers, and partly to administrators)
  * Responsibilities brought by the role
  * [[http://en.wikipedia.org/wiki/CISSP]]
  * http://certification.about.com/od/securitycerts/a/seccertessentls.htm
 * Trustworthiness
  * Any information the person gives should be cross-checked and verified.
  * Lie-detection: Any detected lie makes the person untrustworthy.
 * Risk and Liability
  * Is the person able and willing to accept the risk and liability attached to the role?
  * Detecting potential conflicts of interest, and protecting the person and CAcert from them
  * Alcohol/Drug abuse
 * Identity
  * The identity of the person has to be checked. (Assurer-Status)
  * The location of the person has to be checked. (Where does he/she live?)
 * Persuasion-Resistance
  * Social-Engineering
  * Family