Logo

10 - Sourcing

Overview

PKI is a complex system that requires a lot of resources to be managed and maintained. Proper sourcing of the resources is one of the key factors of a mature infrastructure that can maintain and improve trust over the time. The resources can be:

  • Financial resources needed to maintain the PKI
  • Computing resources like hardware, software, tools, technologies
  • Human resources (personnel)
  • Management resources like processes and procedures

Sourcing is a process of defining the required resources and their specification, availability, and management. Sourcing requires monitoring and periodic review of the resources needed and alignment with the overall strategy of the organization and scope of the PKI.

Requirements

#RequirementWeight
1Resources are identified and documented5
2Resources are clearly defined3
3Availability of resources4
4Resources are periodically reviewed3

Details

Resources are identified and documented

Guidance

Resources needed for proper management of the PKI are identified and documented. Resources should be aligned with the PKI scope and use-case(s) that should be supported. The main question to answer here is “Do we know what resources we need to manage the PKI?”.

Assessment

The following is sample evidence that can be used to assess the requirement:

  • Resource management process
  • Documented requirements on the resources
  • Categorization of resources (an example can be people, processes, procedures, tools, technologies)
  • Alignment with the scope of the use-case

References

N/A

Resources are clearly defined

Guidance

Identified resources should be properly defined and specified. The specification depends on the type of the resource and can include for example the following:

  • People: required skills to perform the tasks, roles, and responsibilities
  • Tools: description, supported technologies
  • Technologies: required functionality and performance
  • Financial resources: required budget, funding sources
  • Management resources: processes and procedures, inputs, outputs
  • Other resources: description, specification, requirements

Without clearly defined resources, there could be misuse of the organization’s assets or inconsistent interaction with personnel and other parties, leading to insecure and untrusted implementation of the PKI.

Assessment

The following is a sample evidence that can be used to assess the requirement:

  • Resource management process
  • Documented requirements on the resources
  • Categorization of resources (an example can be: people, processes, procedures, tools, technologies)
  • Alignment with the scope of the use-case
  • Interview personnel in various roles

References

Availability of resources

Guidance

Identified and defined resources should be available at the required capacity. The availability of the resources should be aligned with the overall strategy of the organization and scope of the PKI. The availability of the resources should be controlled to ensure that the resources are available when needed.

Assessment

  • Review of the resource management process
  • Review of the capacity or demand management process
  • Alignment with the strategy of the organization and scope of the PKI
  • Review of the assignment of the resources to the tasks
  • Utilization and performance of the services

References

Resources are periodically reviewed

Guidance

Resource should be periodically reviewed to ensure the accurate use of the resources and secure operations. Frequency of the review depends on the complexity and criticality of the infrastructure. Good practice is to perform reviews at least once a year.

Review includes the following (but not limited to)

  • Analysis that the resources continue to match with the scope and capacity required to provide the services
  • Review of the specifications of the resources to continue support of the PKI
  • Review announcements and technology trends (for example “end of life” plans for a technology)
  • Documentation of any remediation plan, updates to sourcing of the PKI, that should be approved by the management

Assessment

  • Review of changes to the PKI scope
  • Review of the capacity or available resources
  • Vendor announcements
  • Technology trends
  • Skills and knowledge of the personnel

References

N/A

Participate in our community discussions and/or join the consortium