Establish a standard change management procedure, to accommodate changes from internal and external sources, for review, approval, implementation and communication of cryptographic, encryption and key management technology changes.
Key change management is the process of managing all changes to key management governance, organization, infrastructure, and activities.
- Changes to the key management system and its policies and procedures should be analyzed and approved before implementation.
- Changes should be documented to show the reasoning behind the changes and include a path to roll back to the previous status.
- If unauthorized changes are made to the software, the software should be recovered.
- There should be security audits after every significant change to the key management system.
- All audit results should be reported to the system authority.
- Examine policy and procedures and obtain evidence that these include the change management process.
- Obtain representative samples of recent changes relating to cryptographic, encryption, and key management technology.
- Confirm that sample changes have followed the organization's change management procedures, including approval by appropriate individuals, communication of changes to relevant stakeholders, and assessment of the success of implementing changes with any required remediation actions being tracked.
[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]
Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.