CEK-17: Key Deactivation

CSF v1.1 References:

PF v1.0 References:

Info icon.

Control is new to this version of the control set.

Control Statement

Define, implement and evaluate processes, procedures and technical measures to deactivate keys at the time of their expiration date, which include provisions for legal and regulatory requirements.

Implementation Guidance

Deactivated keys should not be used to encrypt but can be used to decrypt.

  1. Upon the expiration date, keys should not be able to encrypt data.
  2. The deactivated state should transition to the destroyed state when keys are no longer needed.
  3. Metadata should be retained for audit purposes.
  4. All relevant transitions/activity should be recorded (logged) in the inventory management system (CKMS).

Auditing Guidance

  1. Confirm the existence of processes and procedures to deactivate keys.
  2. Review the access and permissions around the key deactivation process and confirm this is restricted to appropriate individuals.
  3. Review key deactivation process and configurations. Confirm that they are in line with internal and external requirements.
  4. Confirm the key deactivation process e.g. manual, on expiration, at a defined future time.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.