Sourcing
Overview
PKI is a complex system that requires a lot of resources to be managed and maintained. Proper sourcing of the resources is one of key factors for the of mature infrastructure that can maintain and improve trust over the time. The resources can be:
- financial resources needed to maintain the PKI
- computing resources like hardware, software, tools, technologies
- human resources (personnel)
- management resources like processes and procedures
The sourcing is a process of defining the required resources and their specification, availability, and management. The sourcing requires monitoring and periodic review of the resources needed and alignment with the overall strategy of the organization and scope of the PKI.
Requirements
| # | Requirement | Weight |
|---|---|---|
| 1 | Resources are identified and documented | 5 |
| 2 | Resources are clearly defined | 3 |
| 3 | Availability of resources | 4 |
| 4 | Resources are periodically reviewed | 3 |
Details
Resources are identified and documented
Guidance
Resources needed for proper management of the PKI are identified and documented. Resources should be aligned with the PKI scope and use-case that should be supported. The main question to answer here is “Do we know what resources we need to manage the PKI?”.
Assessment
The following is sample evidence that can be used to assess the requirement:
- Resource management process
- Documented requirements on the resources
- Categorization of resources (an example can be people, processes, procedures, tools, technologies)
- Alignment with the scope of the use-case
References
Resources are clearly defined
Guidance
Identified resources should be properly defined and specified. The specification depends on the type of the resource and can include for example the following:
- People: required skills to perform the tasks, roles, and responsibilities
- Tools: description, supported technologies
- Technologies: required functionality and performance
- Financial resources: required budget, funding sources
- Management resources: processes and procedures, inputs, outputs
- Other resources: description, specification, requirements
Without clearly defined resources, there could be misuse of the organization’s assets or inconsistent interaction with personnel and other parties, leading to insecure and untrusted implementation of the PKI.
Assessment
The following is a sample evidence that can be used to assess the requirement:
- Resource management process
- Documented requirements on the resources
- Categorization of resources (an example can be: people, processes, procedures, tools, technologies)
- Alignment with the scope of the use-case
- Interview personnel in various roles
References
Availability of resources
Guidance
Identified and defined resources should be available at the required capacity. The availability of the resources should be aligned with the overall strategy of the organization and scope of the PKI. The availability of the resources should be controlled to ensure that the resources are available when needed.
Assessment
- Review of the resource management process
- Review of the capacity or demand management process
- Alignment with the strategy of the organization and scope of the PKI
- Review of the assignment of the resources to the tasks
- Utilization and performance of the services
References
Resources are periodically reviewed
Resource should be periodically reviewed to ensure the accurate use the resources and secure the operations. Frequency of the review depends on the complexity and criticality of the infrastructure. Good practice is to perform review at least once a year.
Review includes the following (but not limited to)
- Analysis that the resources continue to match with the scope and capacity required to provide the services
- Review of the specifications for the resources to continue support the PKI
- Review announcements and technology trends (for example “end of life” plans for a technology)
- Documentation of any remediation plan, updates to sourcing of the PKI, that should be approved by the management
Assessment
- Review of changes to the PKI scope
- Review of the capacity or available resources
- Vendor announcement
- Technology trends
- Skills and knowledge of the personnel
