3.1.17—Access Control - Derived
Derived Requirement
Control Description
Protect wireless access using authentication and encryption.
Discussion
Organizations authenticate individuals and devices to help protect wireless access to the system. Special attention is given to the wide variety of devices that are part of the Internet of Things with potential wireless access to organizational systems. See [NIST CRYPTO].
Cross-Framework Mappings
Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What policies govern protection and management of cryptographic keys?
- What procedures address key generation, distribution, and destruction?
- Who has responsibility for cryptographic key management?
- How often are key management practices reviewed and updated?
- What governance ensures keys are properly protected throughout their lifecycle?
Technical Implementation:
- What cryptographic key management systems are implemented?
- How do you protect keys from unauthorized access and disclosure?
- What controls govern key generation, storage, and rotation?
- How are cryptographic keys backed up and recovered?
- What mechanisms enforce key access restrictions?
Evidence & Documentation:
- Can you provide key management policies and procedures?
- What documentation tracks key lifecycle events?
- Can you demonstrate key protection mechanisms (HSMs, key vaults)?
- What audit logs track key access and usage?
- What evidence shows keys are properly generated and protected?