CEK-05: Encryption Change Management

CSF v1.1 References:

PF v1.0 References:

Control is new to this version of the control set and incorporates the following item from the previous version: EKM-02: Key Generation.

Control Statement

Establish a standard change management procedure, to accommodate changes from internal and external sources, for review, approval, implementation and communication of cryptographic, encryption and key management technology changes.

Implementation Guidance

Key change management is the process of managing all changes to key management governance, organization, infrastructure, and activities.

  1. Changes to the key management system and its policies and procedures should be analyzed and approved before implementation.
  2. Changes should be documented to show the reasoning behind them and include a path to roll back to the previous state.
  3. If unauthorized changes are made to the software, the software should be restored to its last approved state.
  4. There should be security audits after every significant change to the key management system.
  5. All audit results should be reported to the system authority.

Auditing Guidance

  1. Examine policy and procedures and obtain evidence that these include the change management process.
  2. Obtain representative samples of recent changes relating to cryptographic, encryption, and key management technology.
  3. Confirm that the sampled changes followed the organization's change management procedures: approval by appropriate individuals, communication of the changes to relevant stakeholders, and assessment of whether the changes were implemented successfully, with any required remediation actions tracked.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.