CEK-09: Encryption and Key Management Audit

Control is new to this version of the control set.

Control Statement

Audit encryption and key management systems, policies, and processes with a frequency that is proportional to the risk exposure of the system with audit occurring preferably continuously but at least annually and after any security event(s).

Implementation Guidance

A key management audit is the process of assessing the organization, its governance, infrastructure, policies, procedures, and key management activities.

  1. Audits assess compliance with key management policies and procedures.
  2. Audits assess the design and effectiveness of key management controls and the control environment.
  3. Audits assess compliance with industry and regulatory standards (e.g., Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry (PCI)).
  4. Audit results are reported to the key management system authority.
  5. Audits are performed according to key management and risk management policies.
  6. Request third-party certification reports and review any issues raised with the CSP and the auditor.
  7. At a minimum, sensitive audit information and sensitive audit tools should be cryptographically protected.

Auditing Guidance

  1. Examine the master audit plan to confirm that audits of encryption and key management systems, policies, and processes are included in the plan.
  2. Review previously completed audits and confirm that audits of encryption and key management systems, policies, and processes have been completed, and that any issues raised have been recorded in issue logs and tracked to closure.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.