CEK-18: Key Archival

CSF v1.1 References:

Control is new to this version of the control set.

Control Statement

Define, implement and evaluate processes, procedures and technical measures to manage archived keys in a secure repository requiring least privilege access, which include provisions for legal and regulatory requirements.

Implementation Guidance

Key archiving places keys in long-term storage.

  1. Archived key material can support the later recovery of information.
  2. While archived key material may be needed in the future, the key material should be destroyed when no longer required.
  3. The key recovery process should include the generation, storage, and access of the long-term storage keys used to protect backed-up and archived key information.
  4. Archives should be used for long-term key access.
  5. The inventory system should record the storage and recovery of archived key information.
  6. All relevant transitions/activity should be recorded (logged) in the inventory management system (CKMS).

Auditing Guidance

  1. Confirm the existence of a documented and valid process for key archival.
  2. Verify that the key archival process implements least privilege throughout the key archival cycle.
  3. Establish whether the storage medium is secure, as per internal and external requirements.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Controls Matrix is Copyright 2023 Cloud Security Alliance.