CEK-02: CEK Roles and Responsibilities

CSF v1.1 References:

PF v1.0 References:


Control is new to this version of the control set.

Control Statement

Define and implement cryptographic, encryption and key management roles and responsibilities.

Implementation Guidance

Below are some examples of possible roles and responsibilities:

  1. Key managers (custodians) should not be able to access the protected data or the cryptographic engine that uses the keys.
  2. Separation of duties (dual control) should require two or more individuals to jointly control a single sensitive process, so that no one person can complete it alone.
  3. Split knowledge requires that no single person knows the complete value of an encryption key; each custodian holds only a component of it.
  4. No one person should know the entire passphrase used to create encryption keys.
  5. Restrict access rights to the least resources required (least privilege).
  6. A policy authority is responsible for all operational cryptographic key management system (CKMS) roles and reports to the IT executive.

Roles and responsibilities should be defined and followed for:

  1. Generation or acquisition of key information.
  2. Secure distribution of private and secret keys, and their associated metadata.
  3. Establishment of cryptoperiods.
  4. Key and certificate inventory management.
  5. Revocation of compromised keys and the establishment of replacement keys and/or certificates.
  6. Management of the storage and recovery of operational and backed-up key information.
  7. Storage and recovery of archived key information.
  8. Checking the integrity of stored key information before using it.
  9. Destruction of private or secret keys that are no longer required.
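As an added illustration (not part of the CCM control text or of any CSA tooling), the Python below shows one way the split-knowledge, dual-control and pre-use integrity items above can be enforced in code: a key is split into XOR components, one per custodian, so that no single person holds the full key; recombination refuses to proceed unless every required custodian's component is present; and both the individual components and the recombined key are checked against a key check value (KCV) before the key is used. The custodian names, the KCV label and the choice of a truncated HMAC-SHA256 as the check value are assumptions of this example, not requirements of the control.

```python
"""Split-knowledge key components with dual control and a pre-use integrity check.

Added example, not part of the CCM control text. Assumptions: a 256-bit symmetric
key, XOR-based key components (each component on its own is uniformly random and
reveals nothing about the key), and a key check value (KCV) computed as a
truncated HMAC-SHA256 over a fixed label. Custodian names are illustrative.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

KCV_LABEL = b"CEK-02 key check value"  # assumed label, not from the control text
KCV_LEN = 6                            # bytes of HMAC output kept as the check value


def key_check_value(key: bytes) -> bytes:
    """Short fingerprint used to verify a key (or component) before it is used."""
    return hmac.new(key, KCV_LABEL, hashlib.sha256).digest()[:KCV_LEN]


@dataclass(frozen=True)
class KeyComponent:
    custodian: str  # the one person permitted to see this component
    value: bytes    # this custodian's share; uniformly random on its own
    kcv: bytes      # check value for detecting a corrupted or tampered share


def split_key(key: bytes, custodians: list[str]) -> list[KeyComponent]:
    """Split `key` into len(custodians) XOR components, one per custodian.

    Any proper subset of the components is statistically independent of the
    key, so no single custodian (nor any group smaller than all of them)
    learns anything about the key: this is the split-knowledge property.
    """
    if len(custodians) < 2 or len(set(custodians)) != len(custodians):
        raise ValueError("need at least two distinct custodians")
    shares = [secrets.token_bytes(len(key)) for _ in custodians[:-1]]
    last = key
    for s in shares:                       # last = key XOR s1 XOR s2 XOR ...
        last = bytes(a ^ b for a, b in zip(last, s))
    shares.append(last)
    return [KeyComponent(c, s, key_check_value(s)) for c, s in zip(custodians, shares)]


def reconstruct_key(components: list[KeyComponent], required: int,
                    expected_kcv: bytes) -> bytes:
    """Recombine components under dual control and verify integrity before use.

    Enforces: all `required` custodians present and distinct (separation of
    duties), every component matches its own check value, and the recombined
    key matches the check value recorded when the key was generated.
    """
    if len(components) != required:
        raise PermissionError(
            f"dual control requires {required} components, got {len(components)}")
    if len({c.custodian for c in components}) != required:
        raise PermissionError("each component must come from a different custodian")
    for c in components:                   # integrity of stored key information
        if not hmac.compare_digest(key_check_value(c.value), c.kcv):
            raise ValueError(f"component held by {c.custodian} failed its integrity check")
    key = bytes(len(components[0].value))
    for c in components:
        key = bytes(a ^ b for a, b in zip(key, c.value))
    if not hmac.compare_digest(key_check_value(key), expected_kcv):
        raise ValueError("reconstructed key failed its integrity check; refusing to use it")
    return key


if __name__ == "__main__":
    master = secrets.token_bytes(32)       # generated key; never stored whole
    kcv = key_check_value(master)          # only the check value is recorded
    parts = split_key(master, ["alice", "bob", "carol"])
    assert reconstruct_key(parts, 3, kcv) == master
    print("key recombined from", len(parts), "custodians and verified; KCV", kcv.hex())
```

In practice the generation step runs inside a controlled ceremony and each component is handed to its custodian (typically on a physical medium or inside an HSM), so the whole key exists only transiently inside the cryptographic engine; the KCV, not the key, is what gets written into the key inventory.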

Auditing Guidance

  1. Obtain the cryptographic and encryption policy and the key management procedures.
  2. Verify, by interviews or otherwise, that employees and stakeholders are aware of their roles and responsibilities, and obtain supporting documentation evidencing that those responsibilities are being carried out in line with the policy and procedures.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.