CEK-21: Key Inventory Management

CSF v1.1 References:

Threats Addressed:


Control is new to this version of the control set.

Control Statement

Define, implement and evaluate processes, procedures and technical measures in order for the key management system to track and report all cryptographic materials and changes in status, which include provisions for legal and regulatory requirements.

Implementation Guidance

Cryptographic Key Management Systems (CKMS), whether manual or automated, exist to process, control, store and report on key management activity. The CKMS should:

  1. Capture, track and label all changes in status.
  2. Continuously monitor for unknown cryptographic assets.
  3. Generate and distribute key information.
  4. Acquire or generate public-key certificates.
  5. Back up, archive and inventory key information.
  6. Maintain a database that maps entities to the organization's certificate or key structure.
  7. Maintain and distribute reports of revoked keys and certificates.
  8. Generate audit requests and process audit responses.
  9. Treat keys, certificates and HSMs (as the holders of key material) as in-scope cryptographic assets.
  10. Use key management technology and processes that are NIST FIPS validated and NSA-approved.
  11. Enforce security policies that protect the confidentiality, integrity, availability and source authentication of all keys, certificates, algorithms and metadata.
  12. Record (log) all relevant transitions and activity in the inventory management system (CKMS), so that every change of status is traceable to an actor and a reason.
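The inventory and logging requirements above (items 1, 2, 7 and 12) can be made concrete in a small model. The following is an added example written for this page, not code from the CSA, the CCM or csf.tools. It implements a key inventory that enforces a lifecycle transition table (the state names come from the NIST SP 800-57 Part 1 key lifecycle; the transition table itself, the record fields, the report shapes and every key identifier below are this example's own assumptions), records every attempted status change, including rejected ones, in an append-only audit log, produces a revoked-key report, and reconciles a scan of deployed key identifiers against the inventory to surface unknown assets and missing ones.

```python
"""Key inventory with enforced lifecycle transitions and an append-only audit
log.  Added illustration, not code from the CCM or csf.tools.  State names
follow NIST SP 800-57 Part 1; the transition table, record fields, report
shapes and key identifiers are this example's own assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

# Permitted state changes.  A compromised or destroyed key can never return to
# "active"; the inventory must enforce that, not merely record it.
ALLOWED: Dict[str, Set[str]] = {
    "pre-activation": {"active", "destroyed"},
    "active": {"suspended", "deactivated", "compromised"},
    "suspended": {"active", "deactivated", "compromised"},
    "deactivated": {"destroyed", "compromised"},
    "compromised": {"destroyed"},
    "destroyed": set(),
}
UNUSABLE = {"deactivated", "compromised", "destroyed"}  # appears on the revoked report
LIVE = {"pre-activation", "active", "suspended"}         # expected to still exist in the field


@dataclass
class KeyRecord:
    key_id: str
    owner: str        # entity the key is mapped to (service, team, person)
    algorithm: str
    purpose: str      # e.g. "tls", "signing", "data-at-rest"
    state: str = "pre-activation"


@dataclass(frozen=True)
class AuditEvent:
    ts: str
    key_id: str
    actor: str
    old_state: Optional[str]   # None for the initial registration
    new_state: str
    reason: str


class KeyInventory:
    def __init__(self) -> None:
        self._keys: Dict[str, KeyRecord] = {}
        self._audit: List[AuditEvent] = []   # append-only: never edited or pruned

    def _log(self, key_id: str, actor: str, old: Optional[str], new: str, reason: str) -> None:
        ts = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self._audit.append(AuditEvent(ts, key_id, actor, old, new, reason))

    def register(self, key_id: str, owner: str, algorithm: str, purpose: str,
                 actor: str, reason: str = "enrolled") -> KeyRecord:
        if key_id in self._keys:
            raise ValueError(f"{key_id} already inventoried")
        rec = KeyRecord(key_id, owner, algorithm, purpose)
        self._keys[key_id] = rec
        self._log(key_id, actor, None, rec.state, reason)
        return rec

    def transition(self, key_id: str, new_state: str, actor: str, reason: str) -> None:
        rec = self._keys[key_id]   # KeyError: unknown keys are never silently created
        if new_state not in ALLOWED[rec.state]:
            # A rejected request is evidence too; log it with the state unchanged.
            self._log(key_id, actor, rec.state, rec.state,
                      f"REJECTED {rec.state}->{new_state}: {reason}")
            raise ValueError(f"{key_id}: {rec.state} -> {new_state} is not permitted")
        old, rec.state = rec.state, new_state
        self._log(key_id, actor, old, new_state, reason)

    def get(self, key_id: str) -> KeyRecord:
        return self._keys[key_id]

    def audit_trail(self, key_id: str) -> List[AuditEvent]:
        return [e for e in self._audit if e.key_id == key_id]

    def revoked_report(self) -> List[Tuple[str, str, str]]:
        """(key_id, owner, state) for every key that must no longer be used."""
        return sorted((r.key_id, r.owner, r.state)
                      for r in self._keys.values() if r.state in UNUSABLE)

    def reconcile(self, discovered: Set[str]) -> Tuple[Set[str], Set[str]]:
        """Compare a scan of deployed key ids with the inventory.  Returns
        (unknown assets not inventoried, inventoried live keys not found)."""
        live = {k for k, r in self._keys.items() if r.state in LIVE}
        return discovered - set(self._keys), live - discovered


def demo() -> KeyInventory:
    """Constructed scenario with made-up identifiers: rotation, a compromise,
    and a forbidden attempt to reactivate the compromised key."""
    inv = KeyInventory()
    inv.register("tls-web-01", "web-frontend", "ECDSA-P256", "tls", actor="pki-bot")
    inv.transition("tls-web-01", "active", "pki-bot", "certificate issued")
    inv.register("kek-db-07", "orders-db", "AES-256", "data-at-rest", actor="kms-admin")
    inv.transition("kek-db-07", "active", "kms-admin", "rotation completed")
    inv.register("sign-rel-03", "release-pipeline", "Ed25519", "signing", actor="ci")
    inv.transition("sign-rel-03", "active", "ci", "enrolled in CI")
    inv.transition("sign-rel-03", "compromised", "ir-team", "INC-0042: key seen in build log")
    try:   # shortcut attempt: refused, and the refusal itself is recorded
        inv.transition("sign-rel-03", "active", "dev", "just bring it back")
    except ValueError:
        pass
    return inv


if __name__ == "__main__":
    inv = demo()
    print("revoked:", inv.revoked_report())
    print("reconcile:", inv.reconcile({"tls-web-01", "kek-db-07", "legacy-rsa-99"}))
    for e in inv.audit_trail("sign-rel-03"):
        print(e.ts, e.actor, e.old_state, "->", e.new_state, e.reason)
```

Two design points matter for an auditor: rejected transitions are written to the same log as successful ones, so an attempt to reuse a compromised key leaves a trace even though the state never changed, and `reconcile` reports both directions of drift, keys found in the field that the inventory has never heard of (item 2 above) and live inventory entries that a scan can no longer find.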

Auditing Guidance

  1. Examine whether the organization has defined its key management processes.
  2. Review the processes for key lifecycle management (creation, rotation, storage, disposal) against the organization's own requirements and external (regulatory) requirements.
  3. Evaluate whether the processes and procedures for change management of key management systems provide end-to-end traceability of lifecycle steps.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.