Define, implement and evaluate processes, procedures and technical measures to create keys in a pre-activated state when they have been generated but not authorized for use, which include provisions for legal and regulatory requirements.
Activated keys are used to protect information cryptographically.
- Pre-activated keys are activated by entering the start date of the validity/cryptoperiod.
- Keys which are not activated for use are not ready to encrypt data.
- Non-activated keys should only be used to perform proof-of-possession or key confirmation.
- If pre-activated keys are no longer needed, they should be destroyed.
- If there are suspicions about the integrity of a given key, it should be moved to the compromised state.
- All relevant transitions/activity should be recorded (logged) in the inventory management system (CKMS).
- Confirm the existence of processes and procedures to generate keys.
- Confirm that the access and permissions around the key creation process are restricted to appropriate individuals.
- Identify the key management server and the key storage database.
- Review the key attributes and confirm that these are appropriate for the key, e.g., activation data, instance, deletion ability, rollover, etc.
- Confirm the key activation process, e.g., manual, on creation, at a future time.
- Review the pre-activated keys.
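The key states and transitions described in the implementation guidelines above, and the activation modes the audit guidelines ask about (manual, on creation, at a future time), modelled as a small lifecycle state machine. This is an added example written for this page, not CSA code or any vendor's CKMS; the transition table, the ManagedKey class and the utc helper are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum

class KeyState(Enum):
    PRE_ACTIVATED = "pre-activated"  # generated but not yet authorized for use
    ACTIVE = "active"                # may protect data once the cryptoperiod has started
    COMPROMISED = "compromised"      # integrity in doubt; no further use
    DESTROYED = "destroyed"          # terminal state

# Permitted transitions, constructed from the guidelines above (not a CSA-published table).
ALLOWED = {
    KeyState.PRE_ACTIVATED: {KeyState.ACTIVE, KeyState.COMPROMISED, KeyState.DESTROYED},
    KeyState.ACTIVE: {KeyState.COMPROMISED, KeyState.DESTROYED},
    KeyState.COMPROMISED: {KeyState.DESTROYED},
    KeyState.DESTROYED: set(),
}

def utc(year, month, day):
    """Helper for building timezone-aware dates in the example and its checks."""
    return datetime(year, month, day, tzinfo=timezone.utc)

@dataclass
class ManagedKey:
    key_id: str
    state: KeyState = KeyState.PRE_ACTIVATED
    cryptoperiod_start: "datetime | None" = None
    log: list = field(default_factory=list)  # stands in for the CKMS inventory audit trail

    def _transition(self, new, actor, reason):
        if new not in ALLOWED[self.state]:
            raise ValueError(f"{self.key_id}: {self.state.value} -> {new.value} not permitted")
        # Every state change is recorded with who performed it and why.
        self.log.append((datetime.now(timezone.utc).isoformat(), self.key_id,
                         self.state.value, new.value, actor, reason))
        self.state = new
    def activate(self, start, actor):
        """Activation means recording the start date of the validity/cryptoperiod."""
        self._transition(KeyState.ACTIVE, actor, f"cryptoperiod starts {start.isoformat()}")
        self.cryptoperiod_start = start
    def mark_compromised(self, actor, reason):
        self._transition(KeyState.COMPROMISED, actor, reason)
    def destroy(self, actor, reason):
        self._transition(KeyState.DESTROYED, actor, reason)
    def may_encrypt(self, now):
        """Data protection needs an active key whose cryptoperiod has begun (covers future-dated activation)."""
        return self.state is KeyState.ACTIVE and self.cryptoperiod_start is not None and now >= self.cryptoperiod_start
    def may_confirm_possession(self):
        """Proof-of-possession / key confirmation is the only use permitted before activation."""
        return self.state in (KeyState.PRE_ACTIVATED, KeyState.ACTIVE)
```

A key activated with a future start date is refused for encryption until that date, and a compromised key cannot be re-activated; both refusals and every accepted transition end up in the log.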
Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.