14 - Awareness

Overview

Providing awareness about the PKI and its purpose in the organization and outside ensures that each PKI participant understands it properly and is timely informed about any important events that may impact the participant.

The awareness is important for all PKI participants to know how to handle exceptional situations and how to react to them. It is also important to know how to communicate and when so as to not misunderstand any issues or incidents.

Category maturity levels description

Maturity levelDescription
1 - InitialNo awareness is provided. No program is established.
2 - BasicIncomplete awareness plan is defined, and it is not often followed and communicated. It is mainly ad-hoc and not maintained, without proper planning and monitoring.
3 - AdvancedThe awareness plan is defined, followed and communicated to all PKI participants. The awareness is not integrated in the organization and is not periodically reviewed and improved.
4 - ManagedThe awareness program is designed to support the PKI participants. The awareness plan is defined, followed and communicated to all PKI participants. It is maintained and monitored over the time.
5 - OptimizedInformation is disclosed and properly communicated to all PKI participant according to the awareness plan. The awareness plan is well designed and continuously improved. Participant are properly informed about important information and how to behave.

Requirements

#RequirementWeight
1Establish and maintain awareness plan2
2Disclose PKI information2
3Establish single point of contact1
4Timely communication of important information2

Details

Establish and maintain awareness plan

Guidance

Awareness plan should be established and maintained to ensure that the PKI participants are aware of all relevant events related to the PKI implementation and its purpose in the organization and outside. It should cover at lease the following information:

  • How the organization discloses information to PKI participants
  • Contact information
  • How are changes communicated
  • Who is responsible for accurate awareness
  • Resolving communication issues and incidents

Every PKI participant should receive information and relevant resource in a timely manner according to the awareness plan.

Assessment

  • Documented awareness plan
  • Awareness plan is up-to-date
  • Review awareness content to ensure that it is contains relevant information
  • Awareness plan is approved and communicated to all PKI participants
  • Awareness plan is integrated in the organization

References

Disclose PKI information

Guidance

Information about the policies, processes, and procedures that are maintained by the PKI should be disclosed to the PKI participants. This information should be available on a timely basis and in a form that is understandable to the PKI participants.

Organization maintaining the PKI implementation should disclose the following information on a website or other appropriate media that can be reached by the PKI participants:

  • Certificate Policy
  • Certification Practice Statement
  • Revocation information
  • Valid CA certificates
  • Vulnerability reports
  • Audit reports
  • Contact information
  • Obligations of the PKI participants
  • Legal liability of the PKI participants
  • Warranty information
  • Disclaimer information
  • Privacy and data protection information
  • Other relevant information

Assessment

  • Review disclosure statement content to ensure that it is contains relevant information
  • Disclosure statement is approved and communicated to all PKI participants
  • Information is available to all PKI participants
  • Information is up-to-date

References

Establish single point of contact

Guidance

The single point of contact (SPOC) provides a convenient way for any PKI participant to contact the organization and responsible personnel of the PKI implementation. The single point of contact should be available 24/7 and should be able to provide relevant information and trigger appropriate procedures if needed based on the situation.

Contact information for the SPOC should be disclosed to all PKI participants. The SPOC may be reached through different communication channels, such as:

  • Email
  • Phone
  • Web site form
  • Other

Assessment

  • Contact SPOC to ensure that it is available and responds in a timely manner
  • Review that the SPOC communicates according to the awareness plan
  • Review that the SPOC is able to provide relevant information and trigger appropriate procedures if needed based on the situation

References

Timely communication of important information

Guidance

In the event of an incident with high impact to the security and established trust of the PKI implementation, the organization should communicate the information to the PKI participants in a timely manner to avoid increased escalation of the event and inform participants of further actions that may be required to execute.

Example of events that require timely communication may be:

  • Compromise of the private key
  • Changes in the Certificate Policy
  • Changes in the Certification Practice Statement
  • Security breach
  • Other events that may require immediate action by the PKI participants

Assessment

  • Documented procedures to timely inform PKI participants about high impact events
  • Review that the procedures are followed
  • Interview personnel to ensure that they are aware of the procedures and know how to communicate the information

References

Participate in our community discussions and/or join the consortium