CEK-15: Key Activation

CSF v1.1 References:

PF v1.0 References:


Control is new to this version of the control set.

Control Statement

Define, implement and evaluate processes, procedures and technical measures to create keys in a pre-activated state when they have been generated but not authorized for use, which include provisions for legal and regulatory requirements.

Implementation Guidance

Activated keys are used to protect information cryptographically.

  1. Pre-activated keys are activated by entering the start date of the validity/cryptoperiod.
  2. Keys which are not activated for use are not ready to encrypt data.
  3. Non-activated keys should only be used to perform proof-of-possession or key confirmation.
  4. If pre-activated keys are no longer needed, they should be destroyed.
  5. If there are suspicions about the integrity of a given key, it should be moved to the compromised state.
  6. All relevant transitions/activity should be recorded (logged) in the inventory management system (CKMS).
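
The lifecycle in the implementation guidance above, sketched as a small state machine. This is an added example, not part of the CCM text or any CSA tooling; the KeyRecord class, the operation names, the in-memory audit_log standing in for the CKMS, and the handling of a future start date are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Optional

class State(Enum):
    PRE_ACTIVATED = "pre-activated"
    ACTIVATED = "activated"
    COMPROMISED = "compromised"
    DESTROYED = "destroyed"

# Only the transitions the guidance names are modelled here.
ALLOWED = {
    State.PRE_ACTIVATED: {State.ACTIVATED, State.DESTROYED, State.COMPROMISED},
    State.ACTIVATED: {State.COMPROMISED},
}
# Operation names are assumptions; keys that are not activated never encrypt.
NON_ACTIVE_OPS = {"proof_of_possession", "key_confirmation"}
ACTIVE_OPS = NON_ACTIVE_OPS | {"encrypt"}

@dataclass
class KeyRecord:
    key_id: str
    state: State = State.PRE_ACTIVATED
    start_date: Optional[datetime] = None
    audit_log: list = field(default_factory=list)  # stands in for the CKMS log

    def transition(self, new_state, actor, now, start_date=None):
        if new_state not in ALLOWED.get(self.state, set()):
            raise ValueError(f"{self.state.value} -> {new_state.value} refused")
        if new_state is State.ACTIVATED:
            if start_date is None:
                raise ValueError("activation requires a cryptoperiod start date")
            self.start_date = start_date
        self.audit_log.append(
            (now.isoformat(), self.key_id, self.state.value, new_state.value, actor))
        self.state = new_state

    def permits(self, op, now):
        if self.state is State.PRE_ACTIVATED:
            return op in NON_ACTIVE_OPS
        if self.state is State.ACTIVATED:
            # Assumption: a start date still in the future keeps the key out
            # of service for encryption until that date is reached.
            return op in (ACTIVE_OPS if now >= self.start_date else NON_ACTIVE_OPS)
        return False  # assumption: compromised/destroyed keys do nothing here
```

Every accepted transition appends one tuple to audit_log, so the log length can be reconciled against the key's state history during an audit.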

Auditing Guidance

  1. Confirm the existence of processes and procedures to generate keys.
  2. Confirm that the access and permissions around the key creation process are restricted to appropriate individuals.
  3. Identify the key management server and the key storage database.
  4. Review the key attributes and confirm that these are appropriate for the key, e.g., activation data, instance, deletion ability, rollover, etc.
  5. Confirm the key activation process, e.g., manual, on creation, at a future time.
  6. Review the pre-activated keys.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.