Categories
The following categories of the PKI maturity model are defined with the appropriate weight based on the applicability and importance:
| ID | Category | Description | Weight |
|---|---|---|---|
strategy-and-vision | Strategy and vision | Responsible for the PKI management and strategy. Includes alignment with organizational goals and requirements, risk management, and policy decisions. | 5 |
policies-and-documentation | Policies and documentation | Formal policies and practice statements for supported PKI services and use-cases. Formal management of agreements between parties involved in the PKI. | 4 |
compliance | Compliance | Adherence to standards and applicable regulations and requirements for the PKI and trust services. Standards and regulations may be internal or external, country specific or purpose specific. | 2 |
processes-and-procedures | Processes and procedures | Processes and procedures related to PKI management tasks and operational activities. This includes also the supply chain procedures and processes that includes acceptance or receipt of the HW and SW related to the PKI. | 3 |
cryptography | Cryptography | Cryptographic governance: approved algorithms, parameters, and protocols used within the PKI; visibility into cryptographic usage; lifecycle, deprecation rules, and cryptographic agility. | 5 |
key-management | Key management | Key management policy and procedures related to PKI cryptographic keys and its lifecycle. Inventory of cryptographic keys. Secure and trusted key ceremonies. Key escrow and key recovery if applicable. | 4 |
certificate-management | Certificate management | Certificate management policy and lifecycle. Inventory of certificates. Definition of the certificate profiles and supported states of the certificate including the transitions between the states. Proper validation of the certificates. | 4 |
infrastructure-management | Infrastructure management | Availability of the PKI services, infrastructure setup to achieve availability goals. PKI continuity testing and infrastructure recovery. Infrastructure security controls. | 2 |
change-management-and-agility | Change management and agility | Secure and controlled process for the change management. Formal process to request changes in the PKI, approval, staging, roll-back. | 3 |
resilience | Resilience | Quickly respond to potential attack and unavailability of the PKI services or other related resources. | 4 |
automation | Automation | Automation of certificate lifecycle management. Technology and tools for the automation. Monitoring of automated certificate operations. | 2 |
interoperability | Interoperability | Interoperability between applications, implementations, and technologies. Application of interoperable protocols and standards. Transparency and vendor lock avoidance strategy. | 2 |
monitoring-and-auditing | Monitoring and auditing | Measurement of the PKI metrics, collecting evidence, monitoring and alerting of relevant issues, including references to incident response management. | 2 |
sourcing | Sourcing | Availability of skilled resources to manage PKI. Processes and procedures to maintain the required resources in time, monitoring of the skills. | 4 |
knowledge-and-training | Knowledge and training | Education of people and continuously gathering required knowledge and skills to manage PKI. Training plans and improvement. | 3 |
awareness | Awareness | Providing awareness about the PKI in the organization and its purpose. Awareness how to apply the PKI in a trusted and secure way. | 3 |
For more information on categories, please refer to the Categories description.
The weights of the categories are used to calculate the overall maturity level of the PKI.
