Categories Maturity Evaluation

The maturity level of a category is evaluated with the following formula:

Category maturity level = floor((Q1(score) + … + Qn(score)) / n)

Where n is the number of questions in the category.

List of categories

The following categories are recognized as part of the PKI maturity assessment:

| # | Category | Description | Inputs and evidence |
|---|----------|-------------|---------------------|
| 1 | Strategy and vision | Responsibility for PKI management and strategy over time, responding to trends, threats and risks. | Responsibility matrix; formal assignment of the responsibilities; documented PKI purpose and strategy |
| 2 | Policies and documentation | Formal policies and practice statements for supported PKI services and use-cases. Formal management of agreements between parties involved in the PKI. | Documented certification policies and practice statements; documented PKI disclosure statement; availability and maintenance of policies |
| 3 | Compliance | Adherence to standards and applicable regulations and requirements for the PKI and trust services. Standards and regulations may be internal or external, country specific or purpose specific. | List of standards and regulations that the PKI must comply with; responsibility for the compliance management |
| 4 | Processes and procedures | Processes and procedures related to PKI management tasks and operational activities. This also includes the supply chain processes and procedures covering delivery of the hardware and software related to the PKI. | Documented processes and procedures; description of the supply chain; validation of the integrity |
| 5 | Key Management | Key management policy and procedures related to PKI cryptographic keys and their lifecycle. Inventory of cryptographic keys. Secure and trusted key ceremonies. Key escrow and key recovery, if applicable. | Documented key management policy and procedures; inventory of cryptographic keys |
| 6 | Certificate Management | Certificate management policy and lifecycle. Inventory of certificates. Definition of the certificate profiles and supported states of the certificate, including the transitions between the states. Proper validation of the certificates. | Documented certificate profiles and lifecycle; inventory of certificates |
| 7 | Interoperability | Interoperability between applications, implementations, and technologies. Application of interoperable protocols and standards. Transparency and vendor lock-in avoidance strategy. | Integration guidance; supported protocols and priorities in usage of protocols; requirements for vendor lock-in avoidance |
| 8 | Infrastructure Management | Availability of the PKI services and infrastructure setup to achieve availability goals. PKI continuity testing and infrastructure recovery. Infrastructure security controls. | Description of the availability requirements; high availability and failover design; recovery procedures; network segmentation |
| 9 | Change Management and Agility | Secure and controlled change management process. Formal process to request changes in the PKI, with approval, staging and roll-back. | Documented change management process; sample change requests |
| 10 | Sourcing | Availability of skilled resources to manage the PKI. Processes and procedures to maintain the required resources over time and to monitor skills. | Roles and responsibilities to operate the PKI; requirements for the skills; regular monitoring of the resource availability |
| 11 | Knowledge and Training | Education of people and continuous gathering of the knowledge and skills required to manage the PKI. Training plans and improvement. | Training plan; continuous education of the personnel |
| 12 | Monitoring and Auditing | Measurement of PKI metrics, collection of evidence, monitoring and alerting on relevant issues, incident response management. | Description of metrics; collection of logs and records; incident response plans |
| 13 | Automation | Automation of certificate lifecycle management. Technology and tools for the automation. Monitoring of automated certificate operations. | Automation needs; tooling; automation monitoring |
| 14 | Certificate discovery | Discovery of certificates issued and used in the infrastructure and applications in order to manage their compliance. Processes and procedures to maintain discovery and respond to discovered certificates. | Discovery locations; rules for management of discovered certificates; authorized certificates |
| 15 | Awareness | Providing awareness of the PKI in the organization and of its purpose. Awareness of how to apply the PKI in a trusted and secure way. | Awareness plan; awareness program; Q&A |
| 16 | Resilience | Ability to quickly respond to potential attacks and to unavailability of the PKI services or other related resources. | Vulnerability management; business continuity plans; future proofing |

Example

Q1(score) = 3, Q2(score) = 4, Q3(score) = 1, Q4(score) = 5, Q5(score) = 5

Category maturity level = floor((3+4+1+5+5) / 5) = floor(18 / 5) = floor(3.6) = 3 (Advanced)
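The formula and the worked example above, implemented as an added Python example (not the PKI Consortium's own tooling). Category names come from the table; the question scores are constructed sample input; only "3 = Advanced" is confirmed on this page, so the remaining level names are an assumption, as are the helper names `category_maturity_level` and `assess`.

```python
from typing import Mapping, Sequence

MIN_SCORE, MAX_SCORE = 1, 5  # question scores in the worked example range from 1 to 5

# Only level 3 = "Advanced" is stated on this page; the other names are assumed.
LEVEL_NAMES = {1: "Initial", 2: "Basic", 3: "Advanced", 4: "Managed", 5: "Optimized"}


def category_maturity_level(scores: Sequence[int]) -> int:
    """Return floor((Q1(score) + ... + Qn(score)) / n) for one category.

    Integer floor division keeps the result a whole level: 18 // 5 == 3.
    Note that round(18 / 5) would give 4, and floor(18) / 5 would give 3.6,
    neither of which is a valid maturity level.
    """
    if not scores:
        raise ValueError("a category needs at least one scored question")
    for s in scores:
        if not isinstance(s, int) or not MIN_SCORE <= s <= MAX_SCORE:
            raise ValueError(f"question score {s!r} is outside {MIN_SCORE}..{MAX_SCORE}")
    return sum(scores) // len(scores)


def assess(answers: Mapping[str, Sequence[int]]) -> dict[str, tuple[int, str]]:
    """Evaluate every category and map it to (level, level name)."""
    result = {}
    for category, scores in answers.items():
        level = category_maturity_level(scores)
        result[category] = (level, LEVEL_NAMES[level])
    return result


# Constructed sample answers: category -> per-question scores.
SAMPLE_ANSWERS = {
    "Key Management": [3, 4, 1, 5, 5],   # the page's worked example: 18 // 5 == 3
    "Automation": [2, 2, 3],             # 7 // 3 == 2
    "Resilience": [5, 5, 4, 5],          # 19 // 4 == 4
}

if __name__ == "__main__":
    for category, (level, name) in assess(SAMPLE_ANSWERS).items():
        print(f"{category}: level {level} ({name})")
```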