4 - Processes and procedures

Proper and effective processes and procedures related to PKI operations and management are essential for the successful implementation of the PKI. The processes and procedures should be aligned with the overall organizational policies and statements.

A process is a set of activities that are performed in a specific order to achieve a specific goal. The process should be documented and measured. It is also repeatable and can be improved over time based on evaluation, feedback, or risk assessment. The scope of the processes is defined by the policies.

A procedure is a set of instructions that describe how to perform a specific task. The procedure should also be documented and can be used as a reference for the process. A procedure can include specific instructions for the process, such as how to perform a specific task or how to use a specific tool.

Processes and procedures typically cover (but are not limited to) the following areas:

  • infrastructure management
  • data privacy and security
  • business continuity, disaster recovery, contingency planning
  • supply chain management
  • physical security and access control
  • incident management
  • audit and compliance, evidence and reporting, archiving
  • risk management and assessment

Category maturity levels description

Maturity level | Description
---------------|------------
1 - Initial    | Processes and procedures are not formally defined and documented. Reactions to events are ad hoc.
2 - Basic      | Processes and procedures are formally defined and documented, but not in the full scope, and are not fully implemented and followed.
3 - Advanced   | The scope of the processes and procedures covers the entire PKI implementation and policies, and they are documented and followed.
4 - Managed    | Evidence from the processes and procedures is collected and maintained. Recurring activities are defined and executed by responsible roles.
5 - Optimized  | The processes and procedures, aligned with policies and organizational goals, are reviewed and updated on a regular basis. Evidence is properly managed and controlled.

Requirements

# | Requirement | Weight
--|-------------|-------
1 | Scope of processes and procedures is aligned with policies | 4
2 | Processes and procedures are formally documented and followed | 3
3 | Recurring activities are executed on time | 5
4 | Evidence from procedures is collected and maintained | 3
5 | Processes and procedures are reviewed and updated | 2

Details

Scope of processes and procedures is aligned with policies

Guidance

The scope of the processes and procedures should be aligned with the policies and statements. Each implementation and use case can have a different scope, but the scope should be defined and documented, together with all applicable processes, procedures and, where needed, instructions.

Alignment with the policies helps to ensure that the processes and procedures support the goals and needs of the PKI implementation and can be trusted over time. A simple matrix mapping each policy and statement to the processes and procedures that implement it can be used to verify that all applicable policies and statements are covered.

The completeness of the processes and procedures can be evaluated through risk assessment, audit, or feedback from the users.

Assessment

The following is sample evidence and information that can be collected during the assessment:

  • Documented scope of the processes and procedures
  • Alignment with the PKI policies and statements
  • Interview with the PKI management

References

Processes and procedures are formally documented and followed

Guidance

Identified processes and procedures need to be properly designed and documented with all relevant information, such as scope, purpose, inputs, outputs, and roles and responsibilities. The processes and procedures should also be reviewed and approved by the management.

Once the processes and procedures are published, appropriate training is required to ensure they are followed by the PKI management and staff. If the processes and procedures are not followed, the PKI is exposed to risks and threats and may eventually lose any established trust.

Assessment

The following is sample evidence and information that can be collected during the assessment:

  • Documented processes and procedures
  • Completeness of the processes and procedures documentation
  • Evidence of the processes and procedures usage
  • Interview with the PKI management and staff
  • Training materials covering the processes and procedures

References

Recurring activities are executed on time

Guidance

Recurring activities are activities that are performed on a regular basis, such as certificate management operations, backup procedures, security reviews, risk assessment, and reviews of logs and security events.

Each activity should be tracked and have a defined frequency; for example, some activities may be performed daily, weekly, monthly, quarterly, or yearly. The activities should be performed on time, and any delays should be properly tracked and reported.

Recurring activities need to be incorporated into the processes and procedures to support the PKI implementation.
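As an added illustration of how a calendar of recurring activities can be tracked and delays reported (example code written for this page, not part of the PKI Consortium maturity model or any tool it references), the following script computes the next due date of each activity from its defined frequency and its last recorded execution, and lists the overdue ones. The frequencies, activity names, roles, dates and the assessment date are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed frequencies in days; the names and values are constructed for this example.
FREQUENCY_DAYS = {"daily": 1, "weekly": 7, "monthly": 30, "quarterly": 91, "yearly": 365}


@dataclass
class RecurringActivity:
    name: str
    frequency: str        # one of the FREQUENCY_DAYS keys
    last_performed: date  # date taken from the activity's recorded evidence
    owner: str            # responsible role

    def due_date(self) -> date:
        """Next date by which the activity must be performed again."""
        return self.last_performed + timedelta(days=FREQUENCY_DAYS[self.frequency])

    def days_overdue(self, today: date) -> int:
        """Positive when the activity is late; zero or negative when on time."""
        return (today - self.due_date()).days


def overdue_report(activities, today):
    """Return (name, owner, days overdue) for every late activity, latest first,
    so that delays can be tracked and reported as the guidance requires."""
    late = [(a.name, a.owner, a.days_overdue(today))
            for a in activities if a.days_overdue(today) > 0]
    return sorted(late, key=lambda row: row[2], reverse=True)


# Constructed sample calendar of PKI recurring activities (not real data).
CALENDAR = [
    RecurringActivity("CRL issuance check", "daily", date(2024, 3, 1), "PKI operator"),
    RecurringActivity("CA key backup verification", "monthly", date(2024, 1, 10), "PKI administrator"),
    RecurringActivity("Security log review", "weekly", date(2024, 2, 26), "Security analyst"),
    RecurringActivity("Risk assessment", "yearly", date(2023, 6, 1), "PKI manager"),
]
# Hypothetical date on which the assessor checks the calendar.
ASSESSMENT_DATE = date(2024, 3, 4)

if __name__ == "__main__":
    for name, owner, days in overdue_report(CALENDAR, ASSESSMENT_DATE):
        print(f"{name}: {days} day(s) overdue, owner: {owner}")
```

An activity whose due date equals the assessment date is reported as on time; only activities past their due date appear in the report.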

Assessment

The following is sample evidence and information that can be collected during the assessment:

  • Documented business as usual activities
  • Evidence of the business as usual activities execution
  • Business as usual activities tracking and reporting
  • Calendar of activities
  • Interview with the PKI management and staff

References

Evidence from procedures is collected and maintained

Guidance

Each process, procedure, instruction, or activity would not be effective without evidence confirming that it was performed. The evidence should be descriptive and include all relevant information, such as the date and time, who performed the activity, what the result was, and other information, if needed.

The evidence can be collected and maintained in various forms, such as logs, reports, notes, or screenshots. It should be retained for the defined period of time and be available for audit or other purposes.

Assessment

The following is sample evidence and information that can be collected during the assessment:

  • Evidence of the execution of the processes and procedures
  • Interview with the PKI management and staff
  • Logs, reports, notes, screenshots, and other evidence

References

Processes and procedures are reviewed and updated

Guidance

The processes and procedures should be reviewed and updated on a regular basis, based on feedback, risk assessment, audit findings, or other inputs. The review should be performed by the management, and the updates should be approved by the management.

Reviewing and updating the processes and procedures helps to keep the PKI implementation up to date and helps to ensure that the processes and procedures remain effective and efficient.

Assessment

The following is sample evidence and information that can be collected during the assessment:

  • Documented review and update process
  • Evidence of the review and update of the processes and procedures
  • Interview with the PKI management and staff

References
