10 - Sourcing

Overview

PKI is a complex system that requires a lot of resources to be managed and maintained. Proper sourcing of these resources is one of the key factors of a mature infrastructure that can maintain and improve trust over time. The resources can be:

  • Financial resources needed to maintain the PKI
  • Computing resources like hardware, software, tools, technologies
  • Human resources (personnel)
  • Management resources like processes and procedures

Sourcing is the process of defining the required resources and their specification, availability, and management. Sourcing requires monitoring and periodic review of the resources needed, and alignment with the overall strategy of the organization and the scope of the PKI.

Category maturity levels description

Maturity level: Description

1 - Initial: The resources needed for the PKI are not defined and documented. There is a risk that unavailable resources cause the PKI to be unavailable.
2 - Basic: Resources are identified and documented. The resources and their specification are not clearly defined, which can lead to misuse of resources.
3 - Advanced: Resources are identified, documented, and clearly defined. The capacity of resources is aligned with the PKI scope and use-case(s).
4 - Managed: Resources are identified, documented, and clearly defined. A resource management process ensures that the resources are available when needed.
5 - Optimized: Resources are periodically reviewed and updated to ensure that the required capacity is available and aligned with the PKI scope and organization strategy.

Requirements

#: Requirement (Weight)

1: Resources are identified and documented (5)
2: Resources are clearly defined (3)
3: Availability of resources (4)
4: Resources are periodically reviewed (3)

Details

Resources are identified and documented

Guidance

Resources needed for proper management of the PKI are identified and documented. Resources should be aligned with the PKI scope and the use-case(s) that are to be supported. The main question to answer here is “Do we know what resources we need to manage the PKI?”.

Assessment

The following is sample evidence that can be used to assess the requirement:

  • Resource management process
  • Documented requirements on the resources
  • Categorization of resources (for example: people, processes, procedures, tools, technologies)
  • Alignment with the scope of the use-case

References

N/A

Resources are clearly defined

Guidance

Identified resources should be properly defined and specified. The specification depends on the type of resource and can include, for example, the following:

  • People: required skills to perform the tasks, roles, and responsibilities
  • Tools: description, supported technologies
  • Technologies: required functionality and performance
  • Financial resources: required budget, funding sources
  • Management resources: processes and procedures, inputs, outputs
  • Other resources: description, specification, requirements

Without clearly defined resources, there could be misuse of the organization’s assets or inconsistent interaction with personnel and other parties, leading to insecure and untrusted implementation of the PKI.

Assessment

The following is sample evidence that can be used to assess the requirement:

  • Resource management process
  • Documented requirements on the resources
  • Categorization of resources (for example: people, processes, procedures, tools, technologies)
  • Alignment with the scope of the use-case
  • Interview personnel in various roles

References

Availability of resources

Guidance

Identified and defined resources should be available at the required capacity. Their availability should be aligned with the overall strategy of the organization and the scope of the PKI, and should be controlled so that the resources are available when needed.

Assessment

  • Review of the resource management process
  • Review of the capacity or demand management process
  • Alignment with the strategy of the organization and scope of the PKI
  • Review of the assignment of the resources to the tasks
  • Utilization and performance of the services

References

Resources are periodically reviewed

Guidance

Resources should be periodically reviewed to ensure they are used as intended and that operations remain secure. The frequency of the review depends on the complexity and criticality of the infrastructure. Good practice is to perform reviews at least once a year.

The review includes (but is not limited to) the following:

  • Analysis that the resources continue to match the scope and capacity required to provide the services
  • Review of the specifications of the resources to confirm they continue to support the PKI
  • Review of vendor announcements and technology trends (for example, “end of life” plans for a technology)
  • Documentation of any remediation plan or update to the sourcing of the PKI, which should be approved by management

Assessment

  • Review of changes to the PKI scope
  • Review of the capacity or available resources
  • Vendor announcements
  • Technology trends
  • Skills and knowledge of the personnel

References

N/A
