Define, implement and evaluate processes, procedures and technical measures to monitor, review and approve key transitions from any state to/from suspension, which include provisions for legal and regulatory requirements.
A suspended key is temporarily withdrawn from use for a period of time.
- Keys may be suspended for leaves of absence or suspicion of compromise.
- Suspensions should be investigated before transitioning to activation, revocation, or replacement.
- Suspended keys should not be used to encrypt data, but they can decrypt data.
- Do not process data that was encrypted with a key after the start of that key's suspension period.
- All relevant transitions/activity should be recorded (logged) in the inventory management system (CKMS).
- Confirm the existence of processes and procedures to manage the transition state of keys.
- Review the access and permissions regarding the transition state of keys and confirm that these are restricted to appropriate individuals.
- Verify that it is possible to modify a key state and suspend/disable keys when required.
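
The suspension rules listed above, enforced in code, as an added Python example that is not part of the Cloud Controls Matrix or csf.tools. The `ManagedKey` class, the transition table, the rule that the approver must differ from the requester, and the in-memory `audit_log` standing in for the CKMS are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed transition table; the page names only the exits from suspension.
ALLOWED = {"active": {"suspended", "revoked"},
           "suspended": {"active", "revoked", "replaced"}}

@dataclass
class ManagedKey:
    key_id: str
    state: str = "active"
    suspended_at: Optional[datetime] = None
    audit_log: list = field(default_factory=list)  # stands in for the CKMS log

    def _log(self, event, actor, detail, when):
        self.audit_log.append((when, self.key_id, event, actor, detail))

    def transition(self, new_state, actor, approver, reason, when):
        # Assumption: approval must come from someone other than the requester.
        ok = new_state in ALLOWED.get(self.state, ()) and approver not in (None, actor)
        self._log("transition" if ok else "transition_denied", actor,
                  f"{self.state}->{new_state} approver={approver} reason={reason}", when)
        if not ok:
            raise PermissionError(f"{self.state}->{new_state} not permitted")
        self.suspended_at = when if new_state == "suspended" else None
        self.state = new_state

    def may_encrypt(self, actor, when):
        ok = self.state == "active"  # a suspended key never applies protection
        self._log("encrypt" if ok else "encrypt_denied", actor, self.state, when)
        return ok

    def may_decrypt(self, protected_at, actor, when):
        # Suspended keys still decrypt, but only data protected before suspension.
        ok = self.state == "active" or (
            self.state == "suspended" and protected_at < self.suspended_at)
        self._log("decrypt" if ok else "decrypt_denied", actor, self.state, when)
        return ok

def demo():
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed sample values
    key, day = ManagedKey("key-example-01"), timedelta(days=1)
    key.transition("suspended", "alice", "bob", "suspected compromise", t0)
    results = [key.may_encrypt("svc", t0 + day),
               key.may_decrypt(t0 - day, "svc", t0 + day),      # protected before
               key.may_decrypt(t0 + day, "svc", t0 + 2 * day)]  # protected after
    key.transition("active", "alice", "bob", "investigation closed", t0 + 3 * day)
    return key, results + [key.may_encrypt("svc", t0 + 4 * day)]
```

Every decision, including each refusal, lands in `audit_log`, which is the record an auditor would sample when checking the three audit points above.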
[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]
Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.