CEK-07: Encryption Risk Management

CSF v1.1 References:

PF v1.0 References:

Control is new to this version of the control set.

Control Statement

Establish and maintain an encryption and key management risk program that includes provisions for risk assessment, risk treatment, risk context, monitoring, and feedback.

Implementation Guidance

Key risk management is the process of managing the risks to key management governance, organization, infrastructure, and activities.

  1. Assess the risks of unauthorized disclosure, modification, destruction, or information loss.
  2. Cryptoperiod selections should consider the risk and consequences of information exposure.
  3. Evaluate the tradeoffs of manual versus automated key distribution.
  4. Reduce the risk from a compromised key by (1) never using it for new encryption and (2) using it only to decrypt material that was previously encrypted under it, so that data can be re-encrypted under a replacement key.
  5. Adjust the audit scope and frequency to align with the risk assessment.
  6. Apply algorithm strength in proportion to the risk of information exposure.
  7. Assess risks to operational continuity versus the risks of key material data exposure when considering key recovery.
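The cryptoperiod rule (item 2) and the compromised-key rule (item 4) above are the parts of this guidance that map directly onto code: a key-lifecycle gate that refuses new encryption once a key's cryptoperiod has elapsed or the key is marked compromised, while still permitting decryption so existing data can be re-keyed. The example below is an added illustration, not CCM text or any CSA tooling. The key states, the cryptoperiod-per-risk-tier table, the KeyRegistry API and the sample record are assumptions made for the illustration, and the HMAC-SHA256-based cipher is a standard-library stand-in so the file runs offline, not a recommended construction (use AES-GCM from a vetted library in practice).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
import hashlib, hmac, secrets

class KeyState(Enum):
    ACTIVE = "active"            # new encryption and decryption permitted
    DEACTIVATED = "deactivated"  # originator cryptoperiod over: decrypt only
    COMPROMISED = "compromised"  # decrypt only, and only to migrate data off the key
    DESTROYED = "destroyed"      # material wiped; nothing permitted

class KeyPolicyError(Exception): pass  # operation forbidden by key state or age

# Cryptoperiod for new encryption, by exposure-risk tier (assumed values for illustration).
CRYPTOPERIOD_BY_RISK = {"high": timedelta(days=30), "medium": timedelta(days=180), "low": timedelta(days=365)}

@dataclass
class ManagedKey:
    key_id: str
    material: bytes
    created: datetime
    risk_tier: str
    state: KeyState = KeyState.ACTIVE

    def check(self, op: str, now: datetime) -> None:  # raise unless op is allowed right now
        if self.state is KeyState.DESTROYED:
            raise KeyPolicyError(f"{self.key_id}: destroyed")
        if op == "decrypt":
            return  # deactivated and compromised keys may still decrypt old material
        if self.state is not KeyState.ACTIVE:
            raise KeyPolicyError(f"{self.key_id}: {self.state.value}, no new encryption")
        if now >= self.created + CRYPTOPERIOD_BY_RISK[self.risk_tier]:
            raise KeyPolicyError(f"{self.key_id}: cryptoperiod expired, rotate first")

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher: HMAC-SHA256(key, "enc" || nonce || block counter) as keystream.
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, b"enc" + nonce + (off // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

class KeyRegistry:
    def __init__(self) -> None:
        self._keys: dict[str, ManagedKey] = {}

    def create(self, key_id: str, risk_tier: str, now: datetime) -> ManagedKey:
        self._keys[key_id] = ManagedKey(key_id, secrets.token_bytes(32), now, risk_tier)
        return self._keys[key_id]

    def rotate(self, old_id: str, new_id: str, now: datetime) -> ManagedKey:
        old = self._keys[old_id]
        if old.state is KeyState.ACTIVE:
            old.state = KeyState.DEACTIVATED  # still decrypts, never encrypts again
        return self.create(new_id, old.risk_tier, now)

    def set_state(self, key_id: str, state: KeyState) -> None:
        key = self._keys[key_id]
        key.state = state
        if state is KeyState.DESTROYED:
            key.material = b""  # drop the material; a real KMS zeroises it in place

    def encrypt(self, key_id: str, plaintext: bytes, now: datetime) -> bytes:
        key = self._keys[key_id]
        key.check("encrypt", now)
        nonce = secrets.token_bytes(16)
        ct = _xor_stream(key.material, nonce, plaintext)
        tag = hmac.new(key.material, b"mac" + nonce + ct, hashlib.sha256).digest()
        return nonce + tag + ct

    def decrypt(self, key_id: str, blob: bytes, now: datetime) -> bytes:
        key = self._keys[key_id]
        key.check("decrypt", now)
        nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
        expect = hmac.new(key.material, b"mac" + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            raise ValueError("authentication failed")
        return _xor_stream(key.material, nonce, ct)

def _outcome(fn, *args) -> str:
    try:
        fn(*args)
        return "allowed"
    except KeyPolicyError:
        return "refused"

def demo() -> dict:
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    day31 = t0 + timedelta(days=31)
    reg = KeyRegistry()
    reg.create("k1", "high", t0)  # high-risk tier: 30-day cryptoperiod
    blob = reg.encrypt("k1", b"constructed record", t0 + timedelta(days=1))
    out = {"encrypt_after_cryptoperiod": _outcome(reg.encrypt, "k1", b"new", day31),
           "decrypt_after_cryptoperiod": reg.decrypt("k1", blob, day31)}
    reg.rotate("k1", "k2", day31)
    reg.set_state("k1", KeyState.COMPROMISED)
    out["encrypt_with_compromised"] = _outcome(reg.encrypt, "k1", b"new", day31)
    migrated = reg.encrypt("k2", reg.decrypt("k1", blob, day31), day31)  # re-key under k2
    reg.set_state("k1", KeyState.DESTROYED)
    out["decrypt_after_destroy"] = _outcome(reg.decrypt, "k1", blob, day31)
    out["migrated_plaintext"] = reg.decrypt("k2", migrated, day31)
    return out
```

Running `demo()` walks one key through creation, cryptoperiod expiry, rotation, compromise, re-keying of the data under the replacement key, and destruction. The gate belongs in the key-management service itself rather than only in client code, and each refusal it produces is exactly the kind of event the audit scope in item 5 should capture.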

Auditing Guidance

  1. Identify and confirm the existence of the organization's risk assessment process and obtain the risk register.
  2. Confirm that the risk register covers encryption and key management as part of a regular process or control review.
  3. Obtain evidence that demonstrates that a risk assessment is performed of the encryption and key management program and process.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.