Log and monitor key lifecycle management events to enable auditing and reporting on usage of cryptographic keys.
Logging of key lifecycle events should include but are not limited to the following events: key generation, key usage, key storage (including backup), and archiving and key deletion. In addition, only authorized personnel should have access to key materials, and all access attempts should be logged and reviewed. Document and implement all key-management processes and procedures for cryptographic keys, including:
- Generation of strong cryptographic keys
- Secure cryptographic key distribution
- Secure cryptographic key storage
- Key revocation after expiry
- Split knowledge and dual control as needed for manual key management operations
- Prevention of unauthorized substitution of cryptographic keys
- Examine policy for logging and monitoring usage of cryptographic key usage lifecycle events.
- Examine the process to identify such events.
- Evaluate the review of these logs.
[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]
Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.