1 - Strategy and vision
Trusted and secure PKI must be properly managed and supported by the organization. The existence of a strategy and vision for the PKI is one of the key factors for the success of the PKI and contributes to the overall maturity. The strategy and vision should be aligned with the organizational goals and approach and should be followed and measured regularly.
Formal documentation about the business drivers, scope, and design of the PKI helps to ensure that the PKI is properly aligned and understood to support the organizational. The documentation should be reviewed and updated regularly to ensure that the PKI is aligned with the organizational goals and needs.
Undefined or unclear understanding and leadership can cause loss of the established trust and can lead to the failure of the PKI quickly.
Category maturity levels description
| Maturity level | Description |
|---|---|
| 1 - Initial | There are no leadership responsibilities and vision defined. The design is managed ad-hoc. |
| 2 - Basic | Basic vision has been developed but not followed. The scope and business drivers are not fully documented and understood. |
| 3 - Advanced | There is a responsible sponsor of the PKI. Strategy has been defined and approved. |
| 4 - Managed | Strategy and vision are followed and regularly measured to improve. The scope, business drivers, and design are documented and reviewed regularly. |
| 5 - Optimized | Strategy and vision are fully in line with the organizational strategy and helps business to achieve future development through continuous improvement. |
Requirements
| # | Requirement | Weight |
|---|---|---|
| 1 | Organizational sponsor and support | 3 |
| 2 | Formal assignment of responsible leadership | 2 |
| 3 | Scope and business drivers for PKI | 2 |
| 4 | Architecture and design of the PKI | 1 |
Details
Organizational sponsor and support
Guidance
The success of the PKI implementation highly depends on the organization top management support. Top management typically also acts as a sponsor of the PKI, meaning that they allocate and approve budget needed to build and maintain the PKI.
The basic assumption is that the established digital trust is going to be maintained and developed for years, and therefore it is important to have a long-term vision and strategy for the PKI. The strategy and vision should be aligned with the overall organizational goals and approach.
Assessment
The following is sample evidence that can be used to assess the requirement:
- Interview with the top management
- Documented strategy and vision
- Documented organizational goals and approach
- Understanding of why the PKI is needed and what is the value for the organization
- Support and sponsorship of the top management
References
Formal assignment of responsible leadership
Guidance
Proper leadership and responsible person should be assigned by the management to fulfil the role for the establishment, maintenance, and development of the PKI according to the strategy and vision. The responsible person should be able to make decisions and take actions to ensure the PKI is aligned with the organizational goals and needs.
Assessment
The formal assignment of the responsible person should be documented and approved by the management. Formal document should contains identification of the person and understanding of the role and responsibilities. Interview with the responsible person should confirm the understanding of the role and responsibilities, driving the PKI implementation according to the organizational strategy.
References
Scope and business drivers for PKI
Guidance
The scope of the PKI should be clearly defined and documented. The scope should be defined in terms of the use-cases that the PKI is going to support. Each use-case can have a different requirements and therefore different strategy. The use-cases should be defined in terms of the business drivers that are going to be supported by the PKI. Business drivers helps to document alignment with the overall organizational goals.
The scope and business drivers can be considered as a formal high-level overview of the PKI strategy and vision. Its purpose is also to create a common understanding of the organizational PKI and to provide direction for the detailed design and implementation. The target audience consists typically of architects, experts, advisors, management, and sponsors.
Assessment
The following is sample evidence that can be used to assess the requirement:
- Documented scope of the PKI
- Documented business drivers
- Documented use-cases
- Documented alignment with the organizational goals
References
- ISO/IEC 27001 - Information security management systems
- The Open Group Architecture Framework (TOGAF)
Architecture and design of the PKI
Guidance
The architecture and design of the PKI should be documented to provide a clear understanding of the implementation and technologies that are involved. The architecture and design should be aligned with the scope and business drivers for the PKI and should be reviewed and updated regularly.
The architecture and design typically consists of the following:
- Functional and technical design description
- Description of logical components
- Network infrastructure design
- Technology involved
- Integration requirements and interfaces (APIs)
- Support systems (such as IAM, logging, monitoring, etc.)
- Operational requirements
- Security requirements
- Deployment options
- Staging and testing
The architecture and design are further used for the implementation of the PKI and serves as an input for the PKI team. It can be also used for the procurement of the PKI components and services that are needed for the implementation.
Assessment
The following is sample evidence that can be used to assess the requirement:
- Documented architecture and design
- Alignment with the scope and business drivers
- Interview with the PKI team to confirm the understanding of the architecture and design
