CEK-16: Key Suspension

CSF v1.1 References:


Control is new to this version of the control set.

Control Statement

Define, implement and evaluate processes, procedures and technical measures to monitor, review and approve key transitions from any state to/from suspension, which include provisions for legal and regulatory requirements.

Implementation Guidance

A suspended key is temporarily taken out of use for a defined period.

  1. Keys may be suspended for leaves of absence or suspicion of compromise.
  2. Suspensions should be investigated before transitioning to activation, revocation, or replacement.
  3. Suspended keys should not be used to encrypt data, but they can decrypt data.
  4. Ciphertext produced with a key after the start of its suspension period should not be processed.
  5. All relevant transitions/activity should be recorded (logged) in the inventory management system (CKMS).
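The guidance above describes a small state machine: suspension is entered and left only through a reviewed and approved transition, a suspended key may decrypt but not encrypt, ciphertext dated inside a suspension window is rejected, and every transition is written to the CKMS log. The following is an added example that models those rules; it is not code from the CCM or from any CKMS product, and the state names, the `transition`/`may_encrypt`/`may_decrypt` function names and the epoch-second timestamps are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from enum import Enum

class KeyState(Enum):
    ACTIVE = "active"
    SUSPENDED = "suspended"
    REVOKED = "revoked"
    REPLACED = "replaced"

# Permitted transitions (assumption: pre-activation and destroyed states are
# left out of this model; revoked and replaced keys are terminal).
ALLOWED = {
    (KeyState.ACTIVE, KeyState.SUSPENDED),
    (KeyState.ACTIVE, KeyState.REVOKED),
    (KeyState.ACTIVE, KeyState.REPLACED),
    (KeyState.SUSPENDED, KeyState.ACTIVE),
    (KeyState.SUSPENDED, KeyState.REVOKED),
    (KeyState.SUSPENDED, KeyState.REPLACED),
}

@dataclass
class ManagedKey:
    key_id: str
    state: KeyState = KeyState.ACTIVE
    suspensions: list = field(default_factory=list)  # [start, end-or-None] windows
    log: list = field(default_factory=list)          # CKMS audit trail of transitions

def transition(key, new_state, now, reason, approver, investigated=False):
    """Apply a reviewed and approved state change and record it in the log."""
    if (key.state, new_state) not in ALLOWED:
        raise ValueError(f"{key.state.value} -> {new_state.value} is not permitted")
    if not approver:
        raise PermissionError("key transitions require a named approver")
    if key.state is KeyState.SUSPENDED and not investigated:
        raise PermissionError("a suspension must be investigated before it ends")
    if new_state is KeyState.SUSPENDED:
        key.suspensions.append([now, None])      # open a new suspension window
    elif key.state is KeyState.SUSPENDED:
        key.suspensions[-1][1] = now             # close the current window
    key.log.append({"key": key.key_id, "at": now, "from": key.state.value,
                    "to": new_state.value, "reason": reason, "by": approver})
    key.state = new_state

def may_encrypt(key):
    return key.state is KeyState.ACTIVE

def may_decrypt(key, ciphertext_created_at):
    """Suspended keys may decrypt, but never ciphertext produced during a suspension."""
    if key.state in (KeyState.REVOKED, KeyState.REPLACED):
        return False
    return not any(start <= ciphertext_created_at and (end is None or ciphertext_created_at < end)
                   for start, end in key.suspensions)
```

Because suspension windows are kept after reactivation, ciphertext dated inside an earlier window is still refused, which is the check an auditor following item 4 would look for.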

Auditing Guidance

  1. Confirm the existence of processes and procedures to manage the transition state of keys.
  2. Review the access and permissions regarding the transition state of keys and confirm that these are restricted to appropriate individuals.
  3. Verify that it is possible to modify a key state and suspend/disable keys when required.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.