CEK-11: Key Purpose

CSF v1.1 References:

PF v1.0 References:


Control is new to this version of the control set.

Control Statement

Manage cryptographic secret and private keys that are provisioned for a unique purpose.

Implementation Guidance

Key distribution is the process of logically or physically transferring keys.

  1. Distribution of asymmetric key pairs (public, ephemeral, centrally) requires protection mechanisms.
  2. Distribution of symmetric keys requires its own protection mechanisms.
  3. Distribution of other key materials requires its own protection mechanisms.
  4. Distributed keys should be protected at rest, in storage, in transit, and, to the appropriate extent, even when in use.
  5. Distribution controls must address confidentiality, integrity, and availability.
  6. Distribution may be manual or automated; automated distribution is preferable.
  7. All relevant transitions/activity should be recorded (logged) in the inventory management system (CKMS).

Auditing Guidance

  1. Obtain copies of the policy and procedures detailing the management of secret and private cryptographic keys.
  2. Identify cryptographic secret and private keys that have been provisioned for a unique purpose.
  3. Ascertain that these keys are being managed in accordance with policy and procedures.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.