CEK-19: Key Compromise

Control is new to this version of the control set.

Control Statement

Define, implement and evaluate processes, procedures and technical measures to use compromised keys to encrypt information only in controlled circumstances, and thereafter exclusively for decrypting data and never for encrypting data, which include provisions for legal and regulatory requirements.

Implementation Guidance

Keys in the compromised state may be awaiting an investigation to determine the appropriate disposition. Compromised keys should be revoked using the organization’s emergency revocation policy. When appropriate, relevant stakeholders should be notified that keys previously used to encrypt their data have been compromised and that those keys are no longer used for encryption. These compromised keys should be recorded in the organization’s “Compromised Key Lists (CKLs)” along with a summary of users notified, notification timeframes, or reasons that notifications were not made to compromised key users.

  1. Perform emergency revocation when keys are lost or compromised.
  2. A compromised status must be available to all who have relied on the key.
  3. Use CKLs to inform stakeholders.
  4. Compromised status is also reflected in the inventory management system.
  5. Use audits to uncover undetected compromised keys.
  6. Analyze events to support recovery from compromises.
  7. Detail the method for revoking and re-keying compromised keys.
  8. Use cryptoperiods to limit compromised key damage.
  9. A compromised key should only be used to process data it has protected, for the sole purpose of decrypting that data.
  10. All transitions/activity shall be recorded (logged) and the key state updated in the inventory management system (CKMS).
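
The sketch below is an added example, not part of the CCM text or any CSA tooling: a minimal key inventory that enforces items 9 and 10 by allowing a compromised key to decrypt only data it already protected, recording a CKL entry, and logging every transition and decision. All class, method and field names are hypothetical, and as a simplifying assumption it permits no "controlled circumstances" exception for encrypting with a compromised key.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum

class KeyState(Enum):
    ACTIVE = "active"
    COMPROMISED = "compromised"

# Operations each state permits; a compromised key may only decrypt (item 9).
ALLOWED = {
    KeyState.ACTIVE: {"encrypt", "decrypt"},
    KeyState.COMPROMISED: {"decrypt"},
}

@dataclass
class KeyRecord:
    key_id: str
    state: KeyState = KeyState.ACTIVE
    protected: set = field(default_factory=set)  # ids of data this key encrypted

class KeyInventory:
    """Hypothetical inventory: key states, CKL entries and an audit log."""
    def __init__(self):
        self.keys, self.ckl, self.audit_log = {}, {}, []

    def _log(self, key_id, event, detail=""):
        # Item 10: every transition and usage decision is recorded.
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit_log.append((stamp, key_id, event, detail))

    def register(self, key_id):
        self.keys[key_id] = KeyRecord(key_id)
        self._log(key_id, "registered")

    def mark_compromised(self, key_id, notified, reason_not_notified=""):
        # Emergency revocation: flip the state and write the CKL entry together.
        self.keys[key_id].state = KeyState.COMPROMISED
        self.ckl[key_id] = {"notified": list(notified),
                            "reason_not_notified": reason_not_notified}
        self._log(key_id, "state->compromised", f"notified={len(notified)}")

    def authorize(self, key_id, op, data_id):
        rec = self.keys[key_id]
        ok = op in ALLOWED[rec.state]
        if ok and rec.state is KeyState.COMPROMISED:
            ok = data_id in rec.protected  # only data this key already protected
        if ok and op == "encrypt":
            rec.protected.add(data_id)
        self._log(key_id, f"{op}:{'allow' if ok else 'deny'}", data_id)
        return ok
```

The denied decisions in the audit log are what an auditor would sample to confirm that nothing was encrypted under a key after it was listed in the CKL.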

Auditing Guidance

  1. Examine if the organization has defined processes, procedures and technical measures for secure handling of compromised keys.
  2. Review if the process for secure usage of compromised keys fulfills the organization's and external business/operational continuity requirements.
  3. Evaluate the significance of technical and organizational measures defined and implemented for usage of compromised keys in a secure environment.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.