Define and implement cryptographic, encryption and key management roles and responsibilities.
Below are some examples of possible roles and responsibilities:
- Key managers should not be able to access protected data or the cryptographic engine.
- Separation of duties (dual control) requires that two or more individuals jointly control a single process.
- Split knowledge requires that no single person knows the complete value of an encryption key.
- No single person should know the entire passphrase used to create encryption keys.
- Restrict access rights to the minimum resources required (least privilege).
- A policy authority is responsible for all operational cryptographic key management system (CKMS) roles and reports to executive IT management.
Roles and responsibilities should be defined and followed:
- Generation or acquisition of key information.
- Secure distribution of private and secret keys and their metadata.
- Establishment of cryptoperiods.
- Key and certificate inventory management.
- Revocation of compromised keys and the establishment of replacement keys and/or certificates.
- Management of the storage and recovery of operational and backed-up key information.
- Storage and recovery of archived key information.
- Checking the integrity of stored key information before using it.
- Destruction of private or secret keys that are no longer required.
Auditing guidelines:
- Obtain the cryptographic and encryption policy and the key management procedures.
- Verify, through interviews or otherwise, that employees and stakeholders are aware of their roles and responsibilities, and obtain supporting documentation evidencing that those responsibilities are managed in line with policy and procedures.
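The split-knowledge and dual-control items above, together with the requirement to check the integrity of stored key information before use, are usually implemented as a key ceremony in which each custodian holds one component and the full key only exists when all components are combined. The example below is added here to illustrate that; it is not CSA code and not part of the Cloud Controls Matrix. It assumes XOR-based key components (any n-1 components are uniformly random and reveal nothing about the key) and a simplified check value (the first 3 bytes of SHA-256 over the material, a stand-in for the key check values that HSMs compute differently). The custodian names and the sample key are constructed for illustration.

```python
"""Split knowledge with per-component integrity checks (added example).

Assumptions (not from the control text): components are XOR shares, the
check value is a truncated SHA-256 rather than a real HSM KCV, and custodians
are simply labelled byte strings here.
"""
import hashlib
import secrets
from functools import reduce
from typing import List, Tuple

KEY_LEN = 32   # AES-256 key size in bytes
KCV_LEN = 3    # bytes of check value stored alongside each piece of material

Component = Tuple[bytes, bytes]  # (component material, its check value)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def check_value(material: bytes) -> bytes:
    # Simplified KCV (assumption): truncated SHA-256. It lets a custodian
    # detect a corrupted or mis-typed component without exposing the material.
    return hashlib.sha256(material).digest()[:KCV_LEN]


def split_key(key: bytes, n_custodians: int) -> List[Component]:
    """Split `key` into n components whose XOR equals `key`.

    The first n-1 components are fresh random bytes, so any n-1 of them carry
    no information about the key (one-time-pad argument); the last component
    is key XOR all the others. Each component gets its own check value.
    """
    if n_custodians < 2:
        raise ValueError("split knowledge requires at least two custodians")
    comps = [secrets.token_bytes(len(key)) for _ in range(n_custodians - 1)]
    comps.append(reduce(xor_bytes, comps, key))
    return [(c, check_value(c)) for c in comps]


def combine_key(components: List[Component], expected_kcv: bytes) -> bytes:
    """Reconstruct the key under dual control.

    Every component must pass its integrity check before use (the control's
    'check the integrity of stored key information' item), and the result
    must match the key's recorded check value, which catches a missing or
    substituted component.
    """
    for i, (material, kcv) in enumerate(components):
        if check_value(material) != kcv:
            raise ValueError(f"component {i} failed integrity check")
    key = reduce(xor_bytes, (material for material, _ in components))
    if check_value(key) != expected_kcv:
        raise ValueError("reconstructed key does not match expected check value; "
                         "a component is missing or wrong")
    return key


def ceremony_demo() -> bool:
    """Run a three-custodian ceremony on a constructed sample key."""
    key = bytes(range(KEY_LEN))          # constructed sample key, not a real one
    key_kcv = check_value(key)
    shares = split_key(key, 3)
    custodians = dict(zip(["custodian_a", "custodian_b", "custodian_c"], shares))
    # All three present: key is recovered and verified.
    recovered = combine_key(list(custodians.values()), key_kcv)
    # Two of three present: reconstruction is rejected rather than yielding
    # a plausible-looking wrong key.
    try:
        combine_key(shares[:2], key_kcv)
        return False
    except ValueError:
        pass
    return recovered == key


if __name__ == "__main__":
    print("ceremony ok:", ceremony_demo())
```

In a real deployment the components live in separate safes or smart cards, the check values are recorded in the key inventory, and the combination step runs inside the HSM so the assembled key never exists in host memory; the code above only shows the logic a practitioner would expect that process to enforce.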
[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]
Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.