CEK-20: Key Recovery

Threats Addressed:

Control is new to this version of the control set.

Control Statement

Define, implement and evaluate processes, procedures and technical measures to assess the risk to operational continuity versus the risk of the keying material and the information it protects being exposed if control of the keying material is lost, which include provisions for legal and regulatory requirements.

Implementation Guidance

Key recovery retrieves or reconstructs keys from backups or archives. When recovering keys, consider:

  1. The type of key (e.g., private signature keys or symmetric data encryption keys).
  2. The application in which the key will be used (e.g., interactive communication or file storage).
  3. Whether the key is “owned” by the local entity, another entity, or is shared.
  4. The role of the entity in communication (e.g., sender or receiver).
  5. The algorithm or computation in which the key will be used.
  6. Recording (logging) all relevant key transitions and recovery activity in the key inventory management system (CKMS).

Auditing Guidance

  1. Examine whether the organization has defined processes and procedures for handling the operational risk of compromised or lost keys.
  2. Determine whether the key recovery process fulfills the organization's internal and external business/operational continuity requirements.
  3. Evaluate the adequacy of the technical and organizational measures at each stage of the key management lifecycle.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.