15 - Awareness
Overview
Providing awareness about the PKI and its purpose, both inside and outside the organization, ensures that each PKI participant understands the PKI properly and is informed in a timely manner about any important event that may affect them.
Awareness matters for all PKI participants: they need to know how to recognize exceptional situations and how to react to them. They also need to know how and when to communicate, so that issues and incidents are not misunderstood or reported late.
Category maturity levels description
Maturity level | Description |
---|---|
1 - Initial | No awareness is provided. No program is established. |
2 - Basic | An incomplete awareness plan is defined; it is rarely followed or communicated. Awareness is mainly ad hoc and not maintained, without proper planning or monitoring. |
3 - Advanced | The awareness plan is defined, followed and communicated to all PKI participants. Awareness is not yet integrated into the organization and is not periodically reviewed and improved. |
4 - Managed | The awareness program is designed to support the PKI participants. The awareness plan is defined, followed and communicated to all PKI participants. It is maintained and monitored over time. |
5 - Optimized | Information is disclosed and properly communicated to all PKI participants according to the awareness plan. The awareness plan is well designed and continuously improved. Participants are properly informed about important information and how to behave. |
Requirements
# | Requirement | Weight |
---|---|---|
1 | Establish and maintain awareness plan | 2 |
2 | Disclose PKI information | 2 |
3 | Establish single point of contact | 1 |
4 | Timely communication of important information | 2 |
Details
Establish and maintain awareness plan
Guidance
An awareness plan should be established and maintained to ensure that PKI participants are aware of all relevant events related to the PKI implementation and its purpose inside and outside the organization. It should cover at least the following information:
- How the organization discloses information to PKI participants
- Contact information
- How changes are communicated
- Who is responsible for the accuracy of awareness content
- How communication issues and incidents are resolved
Every PKI participant should receive information and relevant resources in a timely manner according to the awareness plan.
Assessment
- Documented awareness plan
- Awareness plan is up-to-date
- Review awareness content to ensure that it contains relevant information
- Awareness plan is approved and communicated to all PKI participants
- Awareness plan is integrated in the organization
References
- RFC 3647 Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework
- ETSI EN 319 401 - General Policy Requirements for Trust Service Providers
Disclose PKI information
Guidance
Information about the policies, processes and procedures maintained by the PKI should be disclosed to the PKI participants. This information should be available on a timely basis and in a form that is understandable to the PKI participants.
The organization maintaining the PKI implementation should disclose the following information on a website or other appropriate media that can be reached by the PKI participants:
- Certificate Policy
- Certification Practice Statement
- Revocation information
- Valid CA certificates
- Vulnerability reports
- Audit reports
- Contact information
- Obligations of the PKI participants
- Legal liability of the PKI participants
- Warranty information
- Disclaimer information
- Privacy and data protection information
- Other relevant information
Assessment
- Review disclosure statement content to ensure that it contains relevant information
- Disclosure statement is approved and communicated to all PKI participants
- Information is available to all PKI participants
- Information is up-to-date
References
- RFC 3647 Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework
- ETSI EN 319 401 - General Policy Requirements for Trust Service Providers
Establish single point of contact
Guidance
The single point of contact (SPOC) provides a convenient way for any PKI participant to reach the organization and the personnel responsible for the PKI implementation. The SPOC should be available 24/7 and should be able to provide relevant information and, depending on the situation, trigger the appropriate procedures (for example, a revocation request or an incident response process).
Contact information for the SPOC should be disclosed to all PKI participants. The SPOC may be reachable through different communication channels, such as:
- Phone
- Web site form
- Other channels
Assessment
- Contact SPOC to ensure that it is available and responds in a timely manner
- Review that the SPOC communicates according to the awareness plan
- Review that the SPOC is able to provide relevant information and trigger appropriate procedures if needed based on the situation
References
- RFC 3647 Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework
- ETSI EN 319 401 - General Policy Requirements for Trust Service Providers
Timely communication of important information
Guidance
In the event of an incident with high impact on the security and established trust of the PKI implementation, the organization should communicate the information to the PKI participants in a timely manner, both to limit escalation of the event and to inform participants of any further actions they may need to take.
Examples of events that require timely communication include:
- Compromise of a private key (in particular a CA key)
- Changes in the Certificate Policy
- Changes in the Certification Practice Statement
- Security breach
- Other events that may require immediate action by the PKI participants
Assessment
- Documented procedures for informing PKI participants about high-impact events in a timely manner
- Review that the procedures are followed
- Interview personnel to ensure that they are aware of the procedures and know how to communicate the information