PKI Framework

Adequacy of Security policies and implementation

 

Key Life Cycle Management Controls

  • CA Key Generation
    The Certification Authority maintains controls to provide reasonable assurance that CA key pairs are generated in accordance with industry standards.
  • CA Key Storage, Backup and Recovery
    The Certification Authority maintains controls to provide reasonable assurance that CA private keys remain confidential and maintain their integrity.
  • CA Public Key Distribution
    The Certification Authority maintains controls to provide reasonable assurance that the integrity and authenticity of the CA public key and any associated parameters are maintained during initial and subsequent distribution.
  • CA Key Escrow (Optional)
    The Certification Authority maintains controls to provide reasonable assurance that escrowed CA private signing keys remain confidential.
  • CA Key Usage
    The Certification Authority maintains controls to provide reasonable assurance that CA keys are used only for their intended functions in their intended locations.
  • CA Key Destruction
    The Certification Authority maintains controls to provide reasonable assurance that CA keys are completely destroyed at the end of the key pair life cycle.
  • CA Key Archival
    The Certification Authority maintains controls to provide reasonable assurance that archived CA keys remain confidential and are never put back into production.
  • CA Cryptographic Hardware Life Cycle Management
    The Certification Authority maintains controls to provide reasonable assurance that access to CA cryptographic hardware is limited to properly authorized individuals.
    The Certification Authority maintains controls to provide reasonable assurance that CA cryptographic hardware is functioning correctly.
  • CA-Provided Subscriber Key Management Services (Optional)
    The Certification Authority maintains controls to provide reasonable assurance that subscriber keys generated by the CA (or RA) are generated in accordance with industry standards.
    The Certification Authority maintains controls to provide reasonable assurance that subscriber private keys stored by the CA remain confidential and maintain their integrity.
    The Certification Authority maintains controls to provide reasonable assurance that subscriber keys stored by the CA are completely destroyed at the end of the key pair life cycle.
    The Certification Authority maintains controls to provide reasonable assurance that subscriber keys archived by the CA remain confidential.
    The Certification Authority maintains controls to provide reasonable assurance that subscriber keys escrowed by the CA remain confidential.
  • Certification Practice Statement and Certificate Policy Management
    The Certification Authority maintains controls to provide reasonable assurance that the CA's CPS and Certificate Policy (CP) management controls are effective.
  • Security Management
    The Certification Authority maintains controls to provide reasonable assurance that management direction and support for information security is provided.
    The Certification Authority maintains controls to provide reasonable assurance that information security is properly managed within the organization.
    The Certification Authority maintains controls to provide reasonable assurance that the security of CA facilities, systems, and information assets accessed by third parties is maintained.
    The Certification Authority maintains controls to provide reasonable assurance that the security of information is maintained when the responsibility for CA functions has been outsourced to another organization or entity.
  • Asset Classification and Management
    The Certification Authority maintains controls to provide reasonable assurance that CA assets and information receive an appropriate level of protection.
  • Personnel Security
    The Certification Authority maintains controls to provide reasonable assurance that personnel and hiring practices enhance and support the trustworthiness of the CA's operations.
  • Operations Management
    The Certification Authority maintains controls to provide reasonable assurance that the correct and secure operation of CA information processing facilities is ensured.
    The Certification Authority maintains controls to provide reasonable assurance that the risk of CA systems failure is minimized.
    The Certification Authority maintains controls to provide reasonable assurance that the integrity of CA systems and information is protected against viruses and malicious software.
    The Certification Authority maintains controls to provide reasonable assurance that damage from security incidents and malfunctions is minimized through the use of incident reporting and response procedures.
    The Certification Authority maintains controls to provide reasonable assurance that media are securely handled to protect media from damage, theft, and unauthorized access.
  • Monitoring and Compliance
    The Certification Authority maintains controls to provide reasonable assurance that compliance with the CA's security policies and procedures is ensured.
    The Certification Authority maintains controls to provide reasonable assurance that the effectiveness of the system audit process is maximized and interference to and from the system audit process is minimized.
    The Certification Authority maintains controls to provide reasonable assurance that unauthorized CA system usage is detected.