3 - Compliance

Compliance refers to the ability of an organization to adhere to the relevant laws, regulations, and standards that fall within the scope of the PKI. A properly implemented PKI compliance program ensures that an organization's PKI is protected from threats and risks that could result in financial loss, reputational damage, legal liabilities, or ultimately the loss of trust.

The compliance process helps to manage a PKI in a way that meets legal and regulatory requirements, and ensures that information is used and protected appropriately, according to defined and documented policies and practice statements.

Compliance is important for several reasons, including:

  • Supports the risk management process associated with the PKI assets
  • Minimizes reputation issues that can lead to the loss of trust
  • Provides assurance to relying parties and subscribers
  • Demonstrates adherence to legal requirements

Overall, compliance and related procedures help to ensure that the PKI is managed and maintained according to the relevant laws, regulations, and standards. This minimizes the risk of loss of trust and provides assurance to PKI participants.

Category maturity levels description

Maturity level | Description
1 - Initial    | There is no compliance program in place. The organization is not aware of the relevant laws, regulations, and standards, and is exposed to significant risks.
2 - Basic      | The compliance responsibility is established and assigned. The organization is aware of the relevant laws, regulations, and standards that should be followed.
3 - Advanced   | A compliance policy is defined, implemented, and communicated. A compliance program is established.
4 - Managed    | The compliance program and policy are established and maintained by responsible personnel. Procedures are in place and followed to ensure compliance with relevant laws, regulations, and standards.
5 - Optimized  | The organization is aware of the relevant laws, regulations, and standards and is able to demonstrate compliance over time. The compliance program is continuously maintained and improved.

Requirements

# | Requirement                                                                  | Weight
1 | Compliance policies are defined, implemented, and communicated               | 3
2 | A program to monitor compliance with the policies is established             | 4
3 | Responsibilities for compliance are formally defined and assigned            | 3
4 | A list of relevant laws, regulations, and standards exists and is maintained | 5

Details

Compliance policies are defined, implemented, and communicated

Guidance

Compliance policies are a critical component of an organization’s risk management strategy to help ensure that the PKI system is secure, reliable, trustworthy, and meets any applicable regulatory requirements.

By defining appropriate policies and related procedures, and communicating them to all stakeholders who rely on the PKI, the organization can ensure that administrators, operators, and users are properly authenticated and authorized to access the system, and that appropriate controls are in place to prevent unauthorized access to or misuse of the PKI.

Having a sound set of compliance policies defined, implemented, and communicated can help to demonstrate that the organization took reasonable steps to protect the PKI and may result in reduced legal liability in the event of a breach due to improper or malicious use of the PKI.

The compliance policies typically include:

  • Laws, industry regulations, and government legislation that apply to the organization's business and PKI
  • Roles and responsibilities
  • Compliance program management requirements
  • Reporting and auditing requirements
  • References to relevant documents (anti-trust, anti-fraud, anti-bribery, anti-money laundering, due diligence, etc.)
  • Any other relevant information that governs compliance

Assessment

  • Documented audit and accountability policies
  • Documented communication plan for informing stakeholders of the policies
  • Formalized process for stakeholder acknowledgement upon receipt of the policies

References

A program to monitor compliance with the policies is established

Guidance

A PKI compliance monitoring program typically involves ongoing monitoring and testing of the controls and procedures to detect potential compliance violations associated with rules and regulations that govern the issuance, update, or revocation of certificates.

These programs often include a risk assessment to identify and assess potential risks that could lead to non-compliance, including regulatory changes, operational changes, or employee turnover.

The monitoring process may include reviewing documentation, conducting interviews with key stakeholders, and reporting any issues or compliance violations. Reporting from compliance monitoring should be communicated to those stakeholders who committed the violation(s) and those stakeholders who are empowered to take corrective action to address the violations observed.

Assessment

  • Documented practices regarding periodic and aperiodic compliance assessments
  • Documented practices for regular review and reporting of security issues
  • Documented and implemented processes for investigation and response to suspicious activities

References

Responsibilities for compliance are formally defined and assigned

Guidance

Within the organization, there should be clear and well-documented guidelines outlining which individual, group, or team is responsible for ensuring that PKI policies are being followed. This applies to governance and oversight as well as to operational policies and procedures.

Documenting specifically who is responsible for ensuring that PKI policies are enforced enhances the accountability and trustworthiness of the PKI by reinforcing the understanding that "someone is watching". This helps to mitigate the risks associated with improper or malicious acts.

Assessment

  • For each defined procedure, a specific individual or team is identified and assigned to perform the tasks associated with the procedure
  • Interview with the personnel to confirm understanding of the role and responsibilities

References

A list of relevant laws, regulations, and standards exists and is maintained

Guidance

To better understand the relevance to PKI, one should understand the differences between laws, regulations, and standards.

Laws are legal rules enacted by a governing body, such as a federal, state, or local government. They are binding and enforceable by the legal system within the jurisdiction of the governing body that enacted them. Violating a law can lead to legal consequences, such as fines or imprisonment.

Regulations are derived from laws and are often meant to supplement and clarify the broader provisions outlined in the laws. Compliance with regulations is mandatory and non-compliance can result in penalties or other legal consequences.

Standards are voluntary guidelines or specifications, typically established by a particular industry group or standards organization. Standards usually define best practices, technical specifications, quality benchmarks, and other criteria, and are meant as a means of ensuring consistency, interoperability, and quality. Compliance with standards is typically not legally required; however, lack of conformance to standards can lead to diminished interoperability and reduced trust.

With respect to PKI, it is very important to understand which laws, regulations, and standards are relevant to the PKI and its ancillary systems. For example, given that PKI involves cryptography, one must be certain to adhere to government laws regarding the use and deployment of cryptographic products and solutions.

In addition, a PKI will often make use of hardware cryptographic modules for key generation and storage. It is therefore critical to ensure that those hardware cryptographic modules comply with the relevant standards. Many laws, regulations, and standards apply to PKI, so it is necessary to maintain a list of the ones relevant to your organization to help ensure that none are overlooked.

Assessment

  • A documented list of applicable laws, regulations, and standards is maintained
  • Procedures are established for periodic review of the laws, regulations, and standards
  • Procedures are established to remediate any deficiencies or non-compliance issues identified
  • Procedures are established to communicate the results of the periodic reviews

References
