CEK-01: Encryption and Key Management Policy and Procedures

Control is new to this version of the control set and incorporates the following items from the previous version: EKM-01: Entitlement, EKM-02: Key Generation, EKM-03: Sensitive Data Protection, GRM-06: Policy, GRM-09: Policy Reviews.

Control Statement

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for Cryptography, Encryption and Key Management. Review and update the policies and procedures at least annually.

Implementation Guidance

Policies and procedures on the use, protection, and lifetime of cryptographic keys should be developed and implemented, and should cover the full key lifecycle. Policies and procedures include, but are not limited to, the following considerations:

A. Policies and procedures relating to organization/management.

  1. Roles and responsibilities (see GRM domain for general considerations)
  2. Data protection (see DSP domain for general considerations)
     1) Data encryption
     2) Algorithm
  3. Change management (see CCC domain for general considerations)
     1) Cost-benefit analysis
  4. Risk management (see BCR/GRC domains for general considerations)
  5. Monitoring and reporting (see LOG domain for general considerations)
  6. Transaction/activity logging (see LOG domain for general considerations)
  7. Incident handling (see SEF domain for general considerations)
  8. Audit (see A&A domain for general considerations)

B. Policies and procedures relating to key management.

  1. Key generation
  2. Key distribution
  3. Key rotation
  4. Key revocation
  5. Key destruction
  6. Key activation
  7. Key suspension
  8. Key deactivation
  9. Key archival
  10. Key compromise
  11. Key recovery
  12. Key inventory management
  13. Key purposes
  14. Key access
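The key management items above (generation, activation, suspension, deactivation, rotation, compromise, destruction, archival, inventory, purpose and access) are easier to reason about when the lifecycle is written down as a state machine that the key inventory enforces. The following Python is an added example and is not part of the Cloud Controls Matrix or any CSA tooling; the state names, the permitted transitions, the operations allowed per state, the key identifiers and the rotation period are assumptions for illustration (loosely following the key states in NIST SP 800-57 Part 1), not CCM requirements.

```python
# Added illustration of the key lifecycle items above: state machine, inventory,
# purpose/principal access check and rotation. Rules are assumptions, not CCM text.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional
import secrets

class KeyState(Enum):
    PRE_ACTIVATION = "pre-activation"  # generated, not yet usable
    ACTIVE = "active"                  # may protect and unprotect data
    SUSPENDED = "suspended"            # temporarily unusable, may be reactivated
    DEACTIVATED = "deactivated"        # unprotect only, e.g. after rotation
    COMPROMISED = "compromised"        # unprotect only, pending re-encryption
    DESTROYED = "destroyed"            # material erased, metadata archived

# Permitted transitions (assumption): deactivated, compromised and destroyed are one-way.
TRANSITIONS = {
    KeyState.PRE_ACTIVATION: {KeyState.ACTIVE, KeyState.COMPROMISED, KeyState.DESTROYED},
    KeyState.ACTIVE: {KeyState.SUSPENDED, KeyState.DEACTIVATED, KeyState.COMPROMISED},
    KeyState.SUSPENDED: {KeyState.ACTIVE, KeyState.DEACTIVATED, KeyState.COMPROMISED},
    KeyState.DEACTIVATED: {KeyState.COMPROMISED, KeyState.DESTROYED},
    KeyState.COMPROMISED: {KeyState.DESTROYED},
    KeyState.DESTROYED: set(),
}
# Operations per state (assumption): only an active key may protect new data.
PERMITTED_OPS = {KeyState.ACTIVE: {"encrypt", "decrypt"},
                 KeyState.DEACTIVATED: {"decrypt"}, KeyState.COMPROMISED: {"decrypt"}}

@dataclass
class ManagedKey:
    key_id: str
    purpose: str              # one purpose per key, e.g. "data-encryption"
    principals: set           # identities allowed to use the key
    created: datetime
    rotate_after: timedelta
    state: KeyState = KeyState.PRE_ACTIVATION
    material: Optional[bytes] = None
    history: list = field(default_factory=list)  # append-only audit trail

class KeyInventory:
    def __init__(self):
        self.keys = {}

    def generate(self, key_id, purpose, principals, rotate_after_days, now):
        key = ManagedKey(key_id, purpose, set(principals), now, timedelta(days=rotate_after_days),
                         material=secrets.token_bytes(32))  # 256 bits from the OS CSPRNG
        key.history.append((now, "generated"))
        self.keys[key_id] = key

    def transition(self, key_id, new_state, actor, reason, now):
        key = self.keys[key_id]
        if new_state not in TRANSITIONS[key.state]:
            raise ValueError(f"{key_id}: {key.state.value} -> {new_state.value} not permitted")
        if new_state is KeyState.DESTROYED:
            key.material = None  # erase material; metadata is kept for audit and archival
        key.state = new_state
        key.history.append((now, f"{new_state.value} by {actor}: {reason}"))

    def authorize(self, key_id, principal, operation, purpose):
        # Key access check: state, principal and declared purpose must all agree.
        key = self.keys[key_id]
        return (operation in PERMITTED_OPS.get(key.state, set())
                and principal in key.principals and purpose == key.purpose)

    def due_for_rotation(self, now):
        return sorted(k.key_id for k in self.keys.values()
                      if k.state is KeyState.ACTIVE and now - k.created >= k.rotate_after)

    def rotate(self, old_id, new_id, actor, now):
        # Successor becomes active; predecessor drops to decrypt-only for existing data.
        old = self.keys[old_id]
        self.generate(new_id, old.purpose, old.principals, old.rotate_after.days, now)
        self.transition(new_id, KeyState.ACTIVE, actor, f"rotation of {old_id}", now)
        self.transition(old_id, KeyState.DEACTIVATED, actor, f"rotated to {new_id}", now)

def demo():
    # Walk one constructed data-encryption key through its lifecycle; return the decisions.
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    inv = KeyInventory()
    inv.generate("dek-1", "data-encryption", {"app-a"}, 90, t0)
    out = {"encrypt_before_activation": inv.authorize("dek-1", "app-a", "encrypt", "data-encryption")}
    inv.transition("dek-1", KeyState.ACTIVE, "crypto-custodian", "change approved", t0)
    out["encrypt_active"] = inv.authorize("dek-1", "app-a", "encrypt", "data-encryption")
    out["wrong_principal"] = inv.authorize("dek-1", "app-b", "encrypt", "data-encryption")
    out["wrong_purpose"] = inv.authorize("dek-1", "app-a", "encrypt", "signing")
    out["due_day_91"] = inv.due_for_rotation(t0 + timedelta(days=91))
    inv.rotate("dek-1", "dek-2", "crypto-custodian", t0 + timedelta(days=91))
    out["old_encrypt"] = inv.authorize("dek-1", "app-a", "encrypt", "data-encryption")
    out["old_decrypt"] = inv.authorize("dek-1", "app-a", "decrypt", "data-encryption")
    try:  # a deactivated key must never return to service
        inv.transition("dek-1", KeyState.ACTIVE, "ops", "put it back", t0)
        out["reactivation_blocked"] = False
    except ValueError:
        out["reactivation_blocked"] = True
    inv.transition("dek-1", KeyState.DESTROYED, "crypto-custodian", "retention expired", t0)
    out["material_erased"] = inv.keys["dek-1"].material is None
    return out
```

Calling demo() returns a dictionary of the access decisions made along the way: a key that has only been generated cannot encrypt, a rotated key can still decrypt but not encrypt, a deactivated key cannot be reactivated, and destruction erases the material while the inventory entry and its history survive for archival and audit. The two tables at the top are the policy; the inventory merely enforces them, which is the division a reviewer should expect to find between the written procedures and the key management system that implements them.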

Auditing Guidance

  1. Review cryptography, encryption, and key management policy and procedures and confirm that these have been approved by appropriate management.
  2. Confirm that the policy and procedures are reviewed at least annually.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.