Categories Maturity Evaluation
For the evaluation of the maturity level of the category, the following formula is applied:
Category maturity level = floor ( ( Q1(score) + … + Qn(score) ) / n )
Where n is the number of questions in the category.
List of categories
The following categories are recognized as part of the PKI maturity assessment:
| # | Category | Description | Inputs and evidence |
|---|---|---|---|
| 1 | Strategy and vision | Responsibility for the PKI management and strategy over the time to respond on trends, threats and risks. | Responsibility matrixFormal assignment fo the responsibilitiesDocumented PKI purpose and strategy |
| 2 | Policies and documentation | Formal policies and practice statements for supported PKI services and use-cases. Formal management of agreements between parties involved in the PKI. | Documented certification policies and practice statementsDocumented PKI disclosure statementAvailability and maintenance of policies |
| 3 | Compliance | Adherence to standards and applicable regulations and requirements for the PKI and trust services. Standards and regulations may be internal or external, country specific or purpose specific. | List of standards and regulations that PKI must comply withResponsibility for the compliance management |
| 4 | Processes and procedures | Processes and procedures related to PKI management tasks and operational activities. This includes also the supply chain procedures and processes that includes delivery of the HW and SW related to the PKI. | Documented processes and proceduresDescription of the supply chainValidation of the integrity |
| 5 | Key Management | Key management policy and procedures related to PKI cryptographic keys and its lifecycle. Inventory of cryptographic keys. Secure and trusted key ceremonies. Key escrow and key recovery if applicable. | Documented key management policy and proceduresInventory of cryptographic keys |
| 6 | Certificate Management | Certificate management policy and lifecycle. Inventory of certificates. Definition of the certificate profiles and supported states of the certificate including the transitions between the states. Proper validation fo the certificates. | Documented certificate profiles and lifecycleInventory of certificates |
| 7 | Interoperability | Interoperability between applications, implementations, and technologies. Application of interoperable protocols and standards. Transparency and vendor lock avoidance strategy. | Integration guidanceSupported protocols and priorities in usage of protocolsRequirements for the vendor lock avoidance |
| 8 | Infrastructure Management | Availability of the PKI services, infrastructure setup to achieve availability goals. PKI continuity testing and infrastructure recovery. Infrastructure security controls. | Description of the availability requirementsHigh availability and failover designRecovery proceduresNetwork segmentation |
| 9 | Change Management and Agility | Secure and controlled process for the change management. Formal process to request changes in the PKI, approval, staging, roll-back. | Documented change management processSample change requests |
| 10 | Sourcing | Availability of skilled resources to manage PKI. Processes and procedures to maintain the required resources in time, monitoring of the skills. | Roles and responsibilities to operate PKIRequirements for the skillsRegular monitoring of the resource availability |
| 11 | Knowledge and Training | Education of people and continuously gathering required knowledge and skills to manage PKI. Training plans and improvement. | Training planContinuous education of the personnel |
| 12 | Monitoring and Auditing | Measurement of the PKI metrics, collecting evidence, monitoring and alerting of relevant issues, incident response management. | Description of metricsCollecting of logs and recordsIncident response plans |
| 13 | Automation | Automation of certificate lifecycle management. Technology and tools for the automation. Monitoring of automated certificate operations. | Automation needsToolingAutomation monitoring |
| 14 | Certificate discovery | Discovery of certificates issued and used in the infrastructure and application to manage its compliance. Processes and procedure to maintain discovery and respond on discovered certificates. | Discovery locationsRules for management of discovered certificatesAuthorized certificates |
| 15 | Awareness | Providing awareness about the PKI in the organization and its purpose. Awareness how to apply the PKI in a trusted and secure way. | Awareness planAwareness programQ&A |
| 16 | Resilience | Quickly respond to potential attack and unavailability of the PKI services or other related resources. | Vulnerability managementBusiness continuity plansFuture proofing |
Example
Q1(score) = 3, Q2(score) = 4, Q3(score) = 1, Q4(score) = 5, Q5(score) = 5
Category maturity level = floor(3+4+1+5+5) / 5 = floor(3,6) = 3 (Advanced)
