Use encryption algorithms that are appropriate for data protection, considering the classification of data, associated risks, and usability of the encryption technology.
A risk-based approach to encryption algorithm adoption should consider, but not be limited to:
- Cryptographic key management system (CKMS) algorithms should not exceed the anticipated lifetime of the CKMS and the information it protects.
- Cryptographic key management system security policies should protect the confidentiality, integrity, availability, and source authentication of all keys, algorithms, and metadata.
- The CKMS should include, but is not limited to:
  - Approved algorithms
  - Hardware security modules (HSMs)
  - Key sizes
- The adoption of the appropriate key size and algorithm types should be based on a cost-benefit analysis and the level of risk to the data (see the reference to quantum-resistant encryption in CEK-03).
- Identify the encryption algorithms in use.
- Confirm that identified encryption algorithms have been reviewed and approved by appropriate management.
- Confirm that the encryption algorithm approval process includes an assessment of the appropriateness of the algorithm for the data it protects, any associated risks, and the algorithm's usability.
Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.