CRY-01—Encryption Key Maintenance
Control Description
Theme
Type
Policy/Standard: Cryptographic Management Policy

Implementation Guidance
1. Establish a process to ensure that organization-approved key storage solutions are used.
2. Ensure that access to the cryptographic key stores is limited to authorized personnel.
3. Establish a process to periodically review the users' access list for the keys and document the confirmation that these are authorized users.
4. Establish a process to ensure that the keys are rotated upon either of the following events:
   a) Suspicion that the key has been compromised
   b) End of the key life cycle
7. In case of termination or transfer of an individual with access to the key, establish a process for access review and key rotation.
Testing Procedure
1. Inspect the process and the location where encryption keys are stored.
2. Obtain details of the process that ensures access to the cryptographic key stores is limited to authorized personnel.
3. Review the users' access list for the keys and the confirmation that these are authorized users.
4. Obtain confirmation of key rotation at the occurrence of either of the following events during the last quarter:
   a) Suspicion that the key has been compromised
   b) End of the key life cycle
7. For a sample of terminations or transfers of individuals with access to the key, review the process of key rotation.
Audit Artifacts

Framework Mappings
Cross-framework mappings provided by Adobe CCF Open Source under Creative Commons License.