Define, implement and evaluate processes, procedures and technical measures to manage archived keys in a secure repository requiring least privilege access, which include provisions for legal and regulatory requirements.
Key archiving places keys in long-term storage.
- Archived key material can support the later recovery of information.
- While archived key material may be needed in the future, the key material should be destroyed when no longer required.
- The key recovery process should include the generation, storage, and access of the long-term storage keys used to protect backed-up and archived key information.
- Archives should be used for long-term key access.
- The inventory system should record the storage and recovery of archived key information.
- All relevant transitions/activity should be recorded (logged) in the inventory management system (CKMS).
- Confirm the existence of a documented and valid process for key archival.
- Verify that the key archival process implements least privilege throughout the key archival cycle.
- Establish whether the storage medium is secure, as per internal and external requirements.
Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.