Cryptography, Encryption & Key Management
CEK domain controls.
Encryption and Key Management Policy and Procedures
Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for cryptography, encryption and key management.
CEK Roles and Responsibilities
Define and implement cryptographic, encryption and key management roles and responsibilities.
Data Encryption
Provide cryptographic protection to data at-rest and in-transit, using cryptographic libraries certified to approved standards.
Encryption Algorithm
Use encryption algorithms that are appropriate for data protection.
Encryption Change Management
Establish a standard change management procedure to accommodate changes from internal and external sources, for review, approval, implementation and communication.
Encryption Change Cost Benefit Analysis
Manage and adopt changes to cryptography-, encryption-, and key management-related systems that may impact CSCs.
Encryption Risk Management
Establish a standard process to identify and assess the risks of cryptographic, encryption and key management techniques.
CSC Key Management Capability
Provide CSCs with the capability to manage their own data encryption keys.
Encryption and Key Management Audit
Audit encryption and key management systems, policies, and processes with a frequency that is proportional to the risk exposure of the system.
Key Generation
Generate cryptographic keys using industry accepted cryptographic libraries.
Key Purpose
Manage cryptographic secret and private keys that are provisioned for a unique purpose.
Key Rotation
Rotate cryptographic keys in accordance with the calculated cryptoperiod.
Key Revocation
Define, implement and evaluate processes, procedures and technical measures to revoke and remove cryptographic keys prior to the end of its established cryptoperiod.
Key Destruction
Define, implement and evaluate processes, procedures and technical measures to destroy unneeded keys.
Key Activation
Define, implement and evaluate processes, procedures and technical measures to create keys in a pre-activated state when they have been generated but not authorized for use.
Key Suspension
Define, implement and evaluate processes, procedures and technical measures to monitor, review and approve key transitions.
Key Deactivation
Define, implement and evaluate processes, procedures and technical measures to deactivate keys at the time of their expiration date.
Key Archival
Define, implement and evaluate processes, procedures and technical measures to manage archived keys in a secure repository.
Key Compromise
Define, implement and evaluate processes, procedures and technical measures to use compromised keys to encrypt information only in controlled circumstances.
Key Recovery
Define, implement and evaluate processes, procedures and technical measures to assess the risk to operational continuity versus the risk of the keying material being compromised.
Key Inventory Management
Define, implement and evaluate processes, procedures and technical measures in order for the key management system to track and report all cryptographic materials and changes in status.