Encryption and Key Management
Encryption and key management policies are a key component of the Information Security Program.
EKM Control Domains
EKM-01: Entitlement -
- EKM-01.1: Do you have key management policies binding keys to identifiable owners?
Policy to be referenced here is INSERT
*Action item: INSERT
EKM-02: Key Generation -
- EKM-02.1: Do you have a capability to allow creation of unique encryption keys per tenant?
Policy to be referenced here is INSERT
*Action item: INSERT
- EKM-02.2: Do you have a capability to manage encryption keys on behalf of tenants?
Policy to be referenced here is INSERT
*Action item: INSERT
- EKM-02.3: Do you maintain key management procedures?
Policy to be referenced here is INSERT
*Action item: INSERT
- EKM-02.4: Do you have documented ownership for each stage of the lifecycle of encryption keys?
Policy to be referenced here is INSERT
*Action item: INSERT
- EKM-02.5: Do you utilize any third party/open source/proprietary frameworks to manage encryption keys?
Policy to be referenced here is INSERT
*Action item: INSERT
EKM-03: Encryption -
- EKM-03.1: Do you encrypt tenant data at rest (on disk/storage) within your environment?
Policy to be referenced here is INSERT
*Action item: INSERT
- EKM-03.2: Do you leverage encryption to protect data and virtual machine images during transport across and between networks and hypervisor instances?
Policy to be referenced here is INSERT
*Action item: INSERT
- EKM-03.3: Do you have documentation establishing and defining your encryption management policies, procedures, and guidelines?
Policy to be referenced here is INSERT
*Action item: INSERT
EKM-04: Storage and Access -
- EKM-04.1: Do you have platform and data appropriate encryption that uses open/validated formats and standard algorithms?
Policy to be referenced here is INSERT
*Action item: INSERT
- EKM-04.2: Are your encryption keys maintained by the cloud consumer or a trusted key management provider?
Policy to be referenced here is INSERT
*Action item: INSERT
- EKM-04.3: Do you store encryption keys in the cloud?
Policy to be referenced here is INSERT
*Action item: INSERT
- EKM-04.4: Do you have separate key management and key usage duties?
Policy to be referenced here is INSERT
*Action item: INSERT
Related Documents
- None