LOG-10: Encryption Monitoring and Reporting

Control Family: Logging and Monitoring

CSF v1.1 References:

PF v1.0 References:

Threats Addressed:

Control is new to this version of the control set and incorporates the following items from the previous version: EKM-02: Key Generation, EKM-03: Sensitive Data Protection.

Control Statement

Establish and maintain a monitoring and internal reporting capability over the operations of cryptographic, encryption and key management policies, processes, procedures, and controls.

Implementation Guidance

Compliance breaches and deviations from standard operations should be reported as defined in the organization’s incident management process (as outlined in SEF-01). In addition, file-integrity monitoring or change-detection software should be used to prevent changes in existing log data.

Auditing Guidance

  1. Examine policy related to the monitoring and reporting of operations of cryptographic policy.
  2. Examine the process to identify such a policy.
  3. Evaluate the effectiveness of such reporting capability.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.