CEK-06: Encryption Change Cost Benefit Analysis

Control is new to this version of the control set.

Control Statement

Manage and adopt changes to cryptography-, encryption-, and key management-related systems (including policies and procedures) that fully account for downstream effects of proposed changes, including residual risk, cost, and benefits analysis.

Implementation Guidance

Encryption change cost-benefit analysis is the process of comparing the benefits of a proposed encryption change against its costs.

  1. Key change management cost-benefit analysis/return on investment (ROI) should be calculated for all key management-related changes.
  2. Every analysis should fully account for downstream effects of proposed changes, including residual risks.
  3. Every analysis should be reviewed and approved.
  4. Six months after a change, compare the anticipated ROI to the actual ROI.
  5. Significant deviation from the planned ROI should be audited.
  6. Report all audit results to the system authority.

Auditing Guidance

  1. Obtain a copy of the change management policy and procedures. Confirm that these documents include assessment of impact on downstream effects, including residual risk, cost, and benefit analysis.
  2. Examine recent changes made to cryptography-, encryption-, and key management-related systems (including policy and procedures), and confirm that these changes include an account of downstream effects of proposed changes, including residual risk, cost, and benefits analysis.
  3. Confirm that the changes have been reviewed and approved by appropriate management.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.