The following compliance controls are associated with the Policy definition 'Storage account keys should not be expired' (044985bb-afe1-42cd-8a36-9d5d42424537):
Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy# |
CMMC_L2_v1.9.0 | SC.L2_3.13.10 | CMMC_L2_v1.9.0_SC.L2_3.13.10 | Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SC.L2 3.13.10 | System and Communications Protection | Key Management | Shared | Establish and manage cryptographic keys for cryptography employed in organizational systems. | To protect information assets from unauthorized access, manipulation, or disclosure. | | 14 |
CSA_v4.0.12 | CEK_01 | CSA_v4.0.12_CEK_01 | CSA Cloud Controls Matrix v4.0.12 CEK 01 | Cryptography, Encryption & Key Management | Encryption and Key Management Policy and Procedures | Shared | n/a | Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for Cryptography, Encryption and Key Management. Review and update the policies and procedures at least annually. | | 14 |
CSA_v4.0.12 | CEK_02 | CSA_v4.0.12_CEK_02 | CSA Cloud Controls Matrix v4.0.12 CEK 02 | Cryptography, Encryption & Key Management | CEK Roles and Responsibilities | Shared | n/a | Define and implement cryptographic, encryption and key management roles and responsibilities. | | 25 |
CSA_v4.0.12 | CEK_03 | CSA_v4.0.12_CEK_03 | CSA Cloud Controls Matrix v4.0.12 CEK 03 | Cryptography, Encryption & Key Management | Data Encryption | Shared | n/a | Provide cryptographic protection to data at-rest and in-transit, using cryptographic libraries certified to approved standards. | | 58 |
CSA_v4.0.12 | CEK_04 | CSA_v4.0.12_CEK_04 | CSA Cloud Controls Matrix v4.0.12 CEK 04 | Cryptography, Encryption & Key Management | Encryption Algorithm | Shared | n/a | Use encryption algorithms that are appropriate for data protection, considering the classification of data, associated risks, and usability of the encryption technology. | | 12 |
CSA_v4.0.12 | CEK_10 | CSA_v4.0.12_CEK_10 | CSA Cloud Controls Matrix v4.0.12 CEK 10 | Cryptography, Encryption & Key Management | Key Generation | Shared | n/a | Generate cryptographic keys using industry accepted cryptographic libraries specifying the algorithm strength and the random number generator used. | | 24 |
CSA_v4.0.12 | CEK_11 | CSA_v4.0.12_CEK_11 | CSA Cloud Controls Matrix v4.0.12 CEK 11 | Cryptography, Encryption & Key Management | Key Purpose | Shared | n/a | Manage cryptographic secret and private keys that are provisioned for a unique purpose. | | 24 |
CSA_v4.0.12 | CEK_12 | CSA_v4.0.12_CEK_12 | CSA Cloud Controls Matrix v4.0.12 CEK 12 | Cryptography, Encryption & Key Management | Key Rotation | Shared | n/a | Rotate cryptographic keys in accordance with the calculated cryptoperiod, which includes provisions for considering the risk of information disclosure and legal and regulatory requirements. | | 22 |
CSA_v4.0.12 | CEK_13 | CSA_v4.0.12_CEK_13 | CSA Cloud Controls Matrix v4.0.12 CEK 13 | Cryptography, Encryption & Key Management | Key Revocation | Shared | n/a | Define, implement and evaluate processes, procedures and technical measures to revoke and remove cryptographic keys prior to the end of their established cryptoperiod, when a key is compromised, or an entity is no longer part of the organization, which include provisions for legal and regulatory requirements. | | 12 |
CSA_v4.0.12 | CEK_14 | CSA_v4.0.12_CEK_14 | CSA Cloud Controls Matrix v4.0.12 CEK 14 | Cryptography, Encryption & Key Management | Key Destruction | Shared | n/a | Define, implement and evaluate processes, procedures and technical measures to destroy keys stored outside a secure environment and revoke keys stored in Hardware Security Modules (HSMs) when they are no longer needed, which include provisions for legal and regulatory requirements. | | 12 |
CSA_v4.0.12 | CEK_15 | CSA_v4.0.12_CEK_15 | CSA Cloud Controls Matrix v4.0.12 CEK 15 | Cryptography, Encryption & Key Management | Key Activation | Shared | n/a | Define, implement and evaluate processes, procedures and technical measures to create keys in a pre-activated state when they have been generated but not authorized for use, which include provisions for legal and regulatory requirements. | | 21 |
CSA_v4.0.12 | CEK_16 | CSA_v4.0.12_CEK_16 | CSA Cloud Controls Matrix v4.0.12 CEK 16 | Cryptography, Encryption & Key Management | Key Suspension | Shared | n/a | Define, implement and evaluate processes, procedures and technical measures to monitor, review and approve key transitions from any state to/from suspension, which include provisions for legal and regulatory requirements. | | 23 |
CSA_v4.0.12 | CEK_17 | CSA_v4.0.12_CEK_17 | CSA Cloud Controls Matrix v4.0.12 CEK 17 | Cryptography, Encryption & Key Management | Key Deactivation | Shared | n/a | Define, implement and evaluate processes, procedures and technical measures to deactivate keys at the time of their expiration date, which include provisions for legal and regulatory requirements. | | 11 |
CSA_v4.0.12 | CEK_18 | CSA_v4.0.12_CEK_18 | CSA Cloud Controls Matrix v4.0.12 CEK 18 | Cryptography, Encryption & Key Management | Key Archival | Shared | n/a | Define, implement and evaluate processes, procedures and technical measures to manage archived keys in a secure repository requiring least privilege access, which include provisions for legal and regulatory requirements. | | 11 |
CSA_v4.0.12 | CEK_19 | CSA_v4.0.12_CEK_19 | CSA Cloud Controls Matrix v4.0.12 CEK 19 | Cryptography, Encryption & Key Management | Key Compromise | Shared | n/a | Define, implement and evaluate processes, procedures and technical measures to use compromised keys to encrypt information only in controlled circumstances, and thereafter exclusively for decrypting data and never for encrypting data, which include provisions for legal and regulatory requirements. | | 11 |
CSA_v4.0.12 | CEK_20 | CSA_v4.0.12_CEK_20 | CSA Cloud Controls Matrix v4.0.12 CEK 20 | Cryptography, Encryption & Key Management | Key Recovery | Shared | n/a | Define, implement and evaluate processes, procedures and technical measures to assess the risk to operational continuity versus the risk of the keying material and the information it protects being exposed if control of the keying material is lost, which include provisions for legal and regulatory requirements. | | 24 |
CSA_v4.0.12 | CEK_21 | CSA_v4.0.12_CEK_21 | CSA Cloud Controls Matrix v4.0.12 CEK 21 | Cryptography, Encryption & Key Management | Key Inventory Management | Shared | n/a | Define, implement and evaluate processes, procedures and technical measures in order for the key management system to track and report all cryptographic materials and changes in status, which include provisions for legal and regulatory requirements. | | 12 |
EU_2555_(NIS2)_2022 | 21 | EU_2555_(NIS2)_2022_21 | EU 2022/2555 (NIS2) 2022 21 | | Cybersecurity risk-management measures | Shared | n/a | Requires essential and important entities to take appropriate measures to manage cybersecurity risks. | | 193 |
EU_GDPR_2016_679 | Art._24 | EU_GDPR_2016_679_Art._24 | EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 | Chapter 4 - Controller and processor | Responsibility of the controller | Shared | n/a | n/a | | 310 |
EU_GDPR_2016_679 | Art._25 | EU_GDPR_2016_679_Art._25 | EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 | Chapter 4 - Controller and processor | Data protection by design and by default | Shared | n/a | n/a | | 310 |
EU_GDPR_2016_679 | Art._28 | EU_GDPR_2016_679_Art._28 | EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 | Chapter 4 - Controller and processor | Processor | Shared | n/a | n/a | | 310 |
EU_GDPR_2016_679 | Art._32 | EU_GDPR_2016_679_Art._32 | EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 | Chapter 4 - Controller and processor | Security of processing | Shared | n/a | n/a | | 310 |
FBI_Criminal_Justice_Information_Services_v5.9.5 | 5.1 | FBI_Criminal_Justice_Information_Services_v5.9.5_5.1 | FBI Criminal Justice Information Services (CJIS) v5.9.5 5.1 | Policy and Implementation - Systems And Communications Protection | Systems And Communications Protection | Shared | In addition, applications, services, or information systems must have the capability to ensure system integrity through the detection and protection against unauthorized changes to software and information. | Examples of systems and communications safeguards range from boundary and transmission protection to securing an agency's virtualized environment. | | 110 |
ISO_IEC_27002_2022 | 8.24 | ISO_IEC_27002_2022_8.24 | ISO IEC 27002 2022 8.24 | Protection, Preventive Control | Use of cryptography | Shared | Rules for the effective use of cryptography, including cryptographic key management, should be defined and implemented. | To ensure proper and effective use of cryptography to protect the confidentiality, authenticity or integrity of information according to business and information security requirements, and taking into consideration legal, statutory, regulatory and contractual requirements related to cryptography. | | 14 |
ISO_IEC_27017_2015 | 10.1.2 | ISO_IEC_27017_2015_10.1.2 | ISO IEC 27017 2015 10.1.2 | Cryptography | Key Management | Shared | For Cloud Service Customer: The cloud service customer should identify the cryptographic keys for each cloud service, and implement procedures for key management. Where the cloud service provides key management functionality for use by the cloud service customer, the cloud service customer should request the following information on the procedures used to manage keys related to the cloud service: (i) type of keys; (ii) specifications of the key management system, including procedures for each stage of the key life-cycle, i.e., generating, changing or updating, storing, retiring, retrieving, retaining and destroying; (iii) recommended key management procedures for use by the cloud service customer. The cloud service customer should not permit the cloud service provider to store and manage the encryption keys for cryptographic operations when the cloud service customer employs its own key management or a separate and distinct key management service. | To ensure proper and effective use of cryptography to protect the confidentiality, authenticity or integrity of information according to business and information security requirements, and taking into consideration legal, statutory, regulatory and contractual requirements related to cryptography. | | 14 |
New_Zealand_ISM | 17.1.58.C.01 | New_Zealand_ISM_17.1.58.C.01 | New_Zealand_ISM_17.1.58.C.01 | 17. Cryptography | 17.1.58.C.01 Key Refresh and Retirement | | n/a | Agencies SHOULD establish cryptoperiods for all keys and cryptographic implementations in their systems and operations. | | 3 |
NIST_SP_800-171_R3 | 3.13.10 | NIST_SP_800-171_R3_3.13.10 | NIST 800-171 R3 3.13.10 | System and Communications Protection Control | Cryptographic Key Establishment and Management | Shared | Cryptographic key establishment and management include key generation, distribution, storage, access, rotation, and destruction. Cryptographic keys can be established and managed using either manual procedures or automated mechanisms supported by manual procedures. Organizations satisfy key establishment and management requirements in accordance with applicable federal laws, Executive Orders, policies, directives, regulations, and standards that specify appropriate options, levels, and parameters. This requirement is related to 03.13.11. | Establish and manage cryptographic keys in the system in accordance with the following key management requirements: [Assignment: organization-defined requirements for key establishment and management]. | | 14 |
NIST_SP_800-53_R5.1.1 | SC.12 | NIST_SP_800-53_R5.1.1_SC.12 | NIST SP 800-53 R5.1.1 SC.12 | System and Communications Protection | Cryptographic Key Establishment and Management | Shared | Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. | Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and specify appropriate options, parameters, and levels. Organizations manage trust stores to ensure that only approved trust anchors are part of such trust stores. This includes certificates with visibility external to organizational systems and certificates related to the internal operations of systems. [NIST CMVP] and [NIST CAVP] provide additional information on validated cryptographic modules and algorithms that can be used in cryptographic key management and establishment. | | 13 |
NZ_ISM_v3.5 | GS-2 | NZ_ISM_v3.5_GS-2 | NZISM Security Benchmark GS-2 | Gateway security | 19.1.11 Using Gateways | Customer | n/a | Physically locating all gateway components inside a secure server room will reduce the risk of unauthorised access to the device(s). The system owner of the higher security domain of connected security domains would be most familiar with the controls required to protect the more sensitive information and as such is best placed to manage any shared components of gateways. In some cases where multiple security domains from different agencies are connected to a gateway, it may be more appropriate to have a qualified third party manage the gateway on behalf of all connected agencies. Gateway components may also reside in a virtual environment – refer to Section 22.2 – Virtualisation and Section 22.3 – Virtual Local Area Networks | | 10 |
NZISM_Security_Benchmark_v1.1 | GS-2 | NZISM_Security_Benchmark_v1.1_GS-2 | NZISM Security Benchmark GS-2 | Gateway security | 19.1.11 Using Gateways | Customer | Agencies MUST ensure that: all agency networks are protected from networks in other security domains by one or more gateways; all gateways contain mechanisms to filter or limit data flow at the network and content level to only the information necessary for business purposes; and all gateway components, discrete and virtual, are physically located within an appropriately secured server room. | Physically locating all gateway components inside a secure server room will reduce the risk of unauthorised access to the device(s). The system owner of the higher security domain of connected security domains would be most familiar with the controls required to protect the more sensitive information and as such is best placed to manage any shared components of gateways. In some cases where multiple security domains from different agencies are connected to a gateway, it may be more appropriate to have a qualified third party manage the gateway on behalf of all connected agencies. Gateway components may also reside in a virtual environment – refer to Section 22.2 – Virtualisation and Section 22.3 – Virtual Local Area Networks | | 8 |
PCI_DSS_v4.0.1 | 3.6.1 | PCI_DSS_v4.0.1_3.6.1 | PCI DSS v4.0.1 3.6.1 | Protect Stored Account Data | Procedures are defined and implemented to protect cryptographic keys used to protect stored account data against disclosure and misuse that include: access to keys is restricted to the fewest number of custodians necessary. Key-encrypting keys are at least as strong as the data-encrypting keys they protect. Key-encrypting keys are stored separately from data-encrypting keys. Keys are stored securely in the fewest possible locations and forms | Shared | n/a | Examine documented key-management policies and procedures to verify that processes to protect cryptographic keys used to protect stored account data against disclosure and misuse are defined to include all elements specified in this requirement | | 16 |
PCI_DSS_v4.0.1 | 3.6.1.1 | PCI_DSS_v4.0.1_3.6.1.1 | PCI DSS v4.0.1 3.6.1.1 | Protect Stored Account Data | Additional requirement for service providers only: A documented description of the cryptographic architecture is maintained that includes: details of all algorithms, protocols, and keys used for the protection of stored account data, including key strength and expiry date. Preventing the use of the same cryptographic keys in production and test environments. Description of the key usage for each key. Inventory of any hardware security modules (HSMs), key management systems (KMS), and other secure cryptographic devices (SCDs) used for key management, including type and location of devices, to support meeting Requirement 12.3.4 | Shared | n/a | Additional testing procedure for service provider assessments only: Interview responsible personnel and examine documentation to verify that a document exists to describe the cryptographic architecture that includes all elements specified in this requirement | | 14 |
PCI_DSS_v4.0.1 | 3.7.1 | PCI_DSS_v4.0.1_3.7.1 | PCI DSS v4.0.1 3.7.1 | Protect Stored Account Data | Key-management policies and procedures are implemented to include generation of strong cryptographic keys used to protect stored account data | Shared | n/a | Examine the documented key-management policies and procedures for keys used for protection of stored account data to verify that they define generation of strong cryptographic keys. Observe the method for generating keys to verify that strong keys are generated | | 16 |
PCI_DSS_v4.0.1 | 3.7.2 | PCI_DSS_v4.0.1_3.7.2 | PCI DSS v4.0.1 3.7.2 | Protect Stored Account Data | Key-management policies and procedures are implemented to include secure distribution of cryptographic keys used to protect stored account data | Shared | n/a | Examine the documented key-management policies and procedures for keys used for protection of stored account data to verify that they define secure distribution of cryptographic keys. Observe the method for distributing keys to verify that keys are distributed securely | | 16 |
PCI_DSS_v4.0.1 | 3.7.3 | PCI_DSS_v4.0.1_3.7.3 | PCI DSS v4.0.1 3.7.3 | Protect Stored Account Data | Key-management policies and procedures are implemented to include secure storage of cryptographic keys used to protect stored account data | Shared | n/a | Examine the documented key-management policies and procedures for keys used for protection of stored account data to verify that they define secure storage of cryptographic keys. Observe the method for storing keys to verify that keys are stored securely | | 14 |
PCI_DSS_v4.0.1 | 3.7.5 | PCI_DSS_v4.0.1_3.7.5 | PCI DSS v4.0.1 3.7.5 | Protect Stored Account Data | Key-management policies and procedures are implemented to include the retirement, replacement, or destruction of keys used to protect stored account data, as deemed necessary when: the key has reached the end of its defined cryptoperiod. The integrity of the key has been weakened, including when personnel with knowledge of a cleartext key component leaves the company, or the role for which the key component was known. The key is suspected of or known to be compromised. Retired or replaced keys are not used for encryption operations | Shared | n/a | Examine the documented key-management policies and procedures for keys used for protection of stored account data and verify that they define retirement, replacement, or destruction of keys in accordance with all elements specified in this requirement. Interview personnel to verify that processes are implemented in accordance with all elements specified in this requirement | | 14 |
PCI_DSS_v4.0.1 | 3.7.6 | PCI_DSS_v4.0.1_3.7.6 | PCI DSS v4.0.1 3.7.6 | Protect Stored Account Data | Where manual cleartext cryptographic key-management operations are performed by personnel, key-management policies and procedures are implemented, including managing these operations using split knowledge and dual control | Shared | n/a | Examine the documented key-management policies and procedures for keys used for protection of stored account data and verify that they define using split knowledge and dual control. Interview personnel and/or observe processes to verify that manual cleartext keys are managed with split knowledge and dual control | | 16 |
PCI_DSS_v4.0.1 | 3.7.7 | PCI_DSS_v4.0.1_3.7.7 | PCI DSS v4.0.1 3.7.7 | Protect Stored Account Data | Key-management policies and procedures are implemented to include the prevention of unauthorized substitution of cryptographic keys | Shared | n/a | Examine the documented key-management policies and procedures for keys used for protection of stored account data and verify that they define prevention of unauthorized substitution of cryptographic keys. Interview personnel and/or observe processes to verify that unauthorized substitution of keys is prevented | | 14 |
PCI_DSS_v4.0.1 | 3.7.8 | PCI_DSS_v4.0.1_3.7.8 | PCI DSS v4.0.1 3.7.8 | Protect Stored Account Data | Key-management policies and procedures are implemented to include that cryptographic key custodians formally acknowledge (in writing or electronically) that they understand and accept their key-custodian responsibilities | Shared | n/a | Examine the documented key-management policies and procedures for keys used for protection of stored account data and verify that they define acknowledgments for key custodians in accordance with all elements specified in this requirement. Examine documentation or other evidence showing that key custodians have provided acknowledgments in accordance with all elements specified in this requirement | | 14 |
SOC_2023 | CC2.3 | SOC_2023_CC2.3 | SOC 2023 CC2.3 | Information and Communication | Facilitate effective internal communication. | Shared | n/a | The entity communicates with external parties regarding matters affecting the functioning of internal control. | | 218 |
SOC_2023 | CC5.3 | SOC_2023_CC5.3 | SOC 2023 CC5.3 | Control Activities | Maintain alignment with organizational objectives and regulatory requirements. | Shared | n/a | The entity deploys control activities through policies that establish what is expected and through procedures that put those policies into action: establishing policies and procedures to support deployment of management's directives, assigning responsibility and accountability for executing policies and procedures, performing tasks in a timely manner, taking corrective actions, performing tasks using competent personnel, and reassessing policies and procedures. | | 229 |
SOC_2023 | CC6.1 | SOC_2023_CC6.1 | SOC 2023 CC6.1 | Logical and Physical Access Controls | Mitigate security events and ensure the confidentiality, integrity, and availability of critical information assets. | Shared | n/a | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events and meet the entity's objectives by: identifying and managing the inventory of information assets, restricting logical access, identifying and authenticating users, considering network segmentation, managing points of access, restricting access to information assets, managing credentials for infrastructure and software, using encryption to protect data, and protecting encryption keys. | | 128 |
SOC_2023 | CC7.4 | SOC_2023_CC7.4 | SOC 2023 CC7.4 | Systems Operations | Effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation. | Shared | n/a | The entity responds to identified security incidents by: a. executing a defined incident-response program to understand, contain, remediate, and communicate security incidents, with assigned roles and responsibilities; b. establishing procedures to contain security incidents; c. mitigating ongoing security incidents and ending the threats they pose; d. restoring operations; e. developing and implementing communication protocols for security incidents; f. obtaining an understanding of the nature of the incident and determining a containment strategy; g. remediating identified vulnerabilities; h. communicating remediation activities; and i. evaluating the effectiveness of incident response, including periodic incident evaluations. | | 213 |
SOC_2023 | CC9.1 | SOC_2023_CC9.1 | SOC 2023 CC9.1 | Risk Mitigation | Enhance resilience and ensure continuity of critical operations in the face of adverse events or threats. | Shared | n/a | The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions. | | 18 |