last sync: 2025-Mar-26 20:41:27 UTC

Keys should have a rotation policy ensuring that their rotation is scheduled within the specified number of days after creation.

Azure BuiltIn Policy definition

Source Azure Portal
Display name Keys should have a rotation policy ensuring that their rotation is scheduled within the specified number of days after creation.
Id d8cf8476-a2ec-4916-896e-992351803c44
Version 1.0.0
Versioning Built-in Versioning [Preview]; versions supported: 1 (1.0.0)
Category Key Vault
Description Manage your organizational compliance requirements by specifying the maximum number of days after key creation until it must be rotated.
Cloud environments AzureCloud = true
AzureUSGovernment = unknown
AzureChinaCloud = unknown
Available in AzUSGov Unknown (no evidence whether this Policy definition is available in AzureUSGovernment)
Mode Microsoft.KeyVault.Data
Type BuiltIn
Preview False
Deprecated False
Effect Default: Audit; Allowed: Audit, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types none
Compliance
The following 68 compliance controls are associated with this Policy definition 'Keys should have a rotation policy ensuring that their rotation is scheduled within the specified number of days after creation.' (d8cf8476-a2ec-4916-896e-992351803c44)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
Canada_Federal_PBMM_3-1-2020 PE_10 Canada_Federal_PBMM_3-1-2020_PE_10 Canada Federal PBMM 3-1-2020 PE 10 Emergency Shutoff Emergency Shutoff Shared 1. The organization provides the capability of shutting off power to the information system or individual system components in emergency situations. 2. The organization places emergency shutoff switches or devices in organization-defined location by information system or system component to facilitate safe and easy access for personnel. 3. The organization protects emergency power shutoff capability from unauthorized activation. To safeguard against unauthorized activation. 2
Canada_Federal_PBMM_3-1-2020 PE_11 Canada_Federal_PBMM_3-1-2020_PE_11 Canada Federal PBMM 3-1-2020 PE 11 Emergency Power Emergency Power Shared The organization provides a short-term uninterruptible power supply to facilitate transition of the information system to long-term alternate power in the event of a primary power source loss. To prevent damage or destruction. 2
Canada_Federal_PBMM_3-1-2020 PE_12 Canada_Federal_PBMM_3-1-2020_PE_12 Canada Federal PBMM 3-1-2020 PE 12 Emergency Lighting Emergency Lighting Shared The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility. To ensure personnel safety. 2
Canada_Federal_PBMM_3-1-2020 PE_13 Canada_Federal_PBMM_3-1-2020_PE_13 Canada Federal PBMM 3-1-2020 PE 13 Fire Protection Fire Protection Shared The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source. To ensure personnel safety. 2
Canada_Federal_PBMM_3-1-2020 PE_13(2) Canada_Federal_PBMM_3-1-2020_PE_13(2) Canada Federal PBMM 3-1-2020 PE 13(2) Fire Protection Fire Protection | Suppression Devices / Systems Shared The organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to organization-defined personnel or roles and local fire department. To ensure personnel safety. 2
Canada_Federal_PBMM_3-1-2020 SI_8(1) Canada_Federal_PBMM_3-1-2020_SI_8(1) Canada Federal PBMM 3-1-2020 SI 8(1) Spam Protection Spam Protection | Central Management of Protection Mechanisms Shared The organization centrally manages spam protection mechanisms. To enhance overall security posture. 88
CIS_Azure_2.0.0 8.8 CIS_Azure_2.0.0_8.8 CIS Microsoft Azure Foundations Benchmark recommendation 8.8 8 Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services Shared There is an additional cost per operation in running the needed applications. Automatic Key Rotation is available in Public Preview. The currently supported applications are Key Vault, Managed Disks, and Storage accounts accessing keys within Key Vault. The number of supported applications will be incrementally increased. Once set up, Automatic Private Key Rotation removes the need for manual administration when keys expire at intervals determined by your organization's policy. The recommended key lifetime is 2 years. Your organization should determine its own key expiration policy. link 1
CMMC_L2_v1.9.0 SC.L2_3.13.10 CMMC_L2_v1.9.0_SC.L2_3.13.10 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 SC.L2 3.13.10 System and Communications Protection Key Management Shared Establish and manage cryptographic keys for cryptography employed in organizational systems. To protect information assets from unauthorized access, manipulation, or disclosure. 14
CSA_v4.0.12 CCC_03 CSA_v4.0.12_CCC_03 CSA Cloud Controls Matrix v4.0.12 CCC 03 Change Control and Configuration Management Change Management Technology Shared n/a Manage the risks associated with applying changes to organization assets, including application, systems, infrastructure, configuration, etc., regardless of whether the assets are managed internally or externally (i.e., outsourced). 31
CSA_v4.0.12 CEK_01 CSA_v4.0.12_CEK_01 CSA Cloud Controls Matrix v4.0.12 CEK 01 Cryptography, Encryption & Key Management Encryption and Key Management Policy and Procedures Shared n/a Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for Cryptography, Encryption and Key Management. Review and update the policies and procedures at least annually. 14
CSA_v4.0.12 CEK_02 CSA_v4.0.12_CEK_02 CSA Cloud Controls Matrix v4.0.12 CEK 02 Cryptography, Encryption & Key Management CEK Roles and Responsibilities Shared n/a Define and implement cryptographic, encryption and key management roles and responsibilities. 25
CSA_v4.0.12 CEK_03 CSA_v4.0.12_CEK_03 CSA Cloud Controls Matrix v4.0.12 CEK 03 Cryptography, Encryption & Key Management Data Encryption Shared n/a Provide cryptographic protection to data at-rest and in-transit, using cryptographic libraries certified to approved standards. 58
CSA_v4.0.12 CEK_04 CSA_v4.0.12_CEK_04 CSA Cloud Controls Matrix v4.0.12 CEK 04 Cryptography, Encryption & Key Management Encryption Algorithm Shared n/a Use encryption algorithms that are appropriate for data protection, considering the classification of data, associated risks, and usability of the encryption technology. 12
CSA_v4.0.12 CEK_05 CSA_v4.0.12_CEK_05 CSA Cloud Controls Matrix v4.0.12 CEK 05 Cryptography, Encryption & Key Management Encryption Change Management Shared n/a Establish a standard change management procedure, to accommodate changes from internal and external sources, for review, approval, implementation and communication of cryptographic, encryption and key management technology changes. 11
CSA_v4.0.12 CEK_10 CSA_v4.0.12_CEK_10 CSA Cloud Controls Matrix v4.0.12 CEK 10 Cryptography, Encryption & Key Management Key Generation Shared n/a Generate Cryptographic keys using industry accepted cryptographic libraries specifying the algorithm strength and the random number generator used. 24
CSA_v4.0.12 CEK_11 CSA_v4.0.12_CEK_11 CSA Cloud Controls Matrix v4.0.12 CEK 11 Cryptography, Encryption & Key Management Key Purpose Shared n/a Manage cryptographic secret and private keys that are provisioned for a unique purpose. 24
CSA_v4.0.12 CEK_12 CSA_v4.0.12_CEK_12 CSA Cloud Controls Matrix v4.0.12 CEK 12 Cryptography, Encryption & Key Management Key Rotation Shared n/a Rotate cryptographic keys in accordance with the calculated cryptoperiod, which includes provisions for considering the risk of information disclosure and legal and regulatory requirements. 22
CSA_v4.0.12 CEK_13 CSA_v4.0.12_CEK_13 CSA Cloud Controls Matrix v4.0.12 CEK 13 Cryptography, Encryption & Key Management Key Revocation Shared n/a Define, implement and evaluate processes, procedures and technical measures to revoke and remove cryptographic keys prior to the end of its established cryptoperiod, when a key is compromised, or an entity is no longer part of the organization, which include provisions for legal and regulatory requirements. 12
CSA_v4.0.12 CEK_14 CSA_v4.0.12_CEK_14 CSA Cloud Controls Matrix v4.0.12 CEK 14 Cryptography, Encryption & Key Management Key Destruction Shared n/a Define, implement and evaluate processes, procedures and technical measures to destroy keys stored outside a secure environment and revoke keys stored in Hardware Security Modules (HSMs) when they are no longer needed, which include provisions for legal and regulatory requirements. 12
CSA_v4.0.12 CEK_15 CSA_v4.0.12_CEK_15 CSA Cloud Controls Matrix v4.0.12 CEK 15 Cryptography, Encryption & Key Management Key Activation Shared n/a Define, implement and evaluate processes, procedures and technical measures to create keys in a pre-activated state when they have been generated but not authorized for use, which include provisions for legal and regulatory requirements. 21
CSA_v4.0.12 CEK_16 CSA_v4.0.12_CEK_16 CSA Cloud Controls Matrix v4.0.12 CEK 16 Cryptography, Encryption & Key Management Key Suspension Shared n/a Define, implement and evaluate processes, procedures and technical measures to monitor, review and approve key transitions from any state to/from suspension, which include provisions for legal and regulatory requirements. 23
CSA_v4.0.12 CEK_17 CSA_v4.0.12_CEK_17 CSA Cloud Controls Matrix v4.0.12 CEK 17 Cryptography, Encryption & Key Management Key Deactivation Shared n/a Define, implement and evaluate processes, procedures and technical measures to deactivate keys at the time of their expiration date, which include provisions for legal and regulatory requirements. 11
CSA_v4.0.12 CEK_18 CSA_v4.0.12_CEK_18 CSA Cloud Controls Matrix v4.0.12 CEK 18 Cryptography, Encryption & Key Management Key Archival Shared n/a Define, implement and evaluate processes, procedures and technical measures to manage archived keys in a secure repository requiring least privilege access, which include provisions for legal and regulatory requirements. 11
CSA_v4.0.12 CEK_20 CSA_v4.0.12_CEK_20 CSA Cloud Controls Matrix v4.0.12 CEK 20 Cryptography, Encryption & Key Management Key Recovery Shared n/a Define, implement and evaluate processes, procedures and technical measures to assess the risk to operational continuity versus the risk of the keying material and the information it protects being exposed if control of the keying material is lost, which include provisions for legal and regulatory requirements. 25
EU_2555_(NIS2)_2022 EU_2555_(NIS2)_2022_21 EU_2555_(NIS2)_2022_21 EU 2022/2555 (NIS2) 2022 21 Cybersecurity risk-management measures Shared n/a Requires essential and important entities to take appropriate measures to manage cybersecurity risks. 194
EU_GDPR_2016_679_Art. 24 EU_GDPR_2016_679_Art._24 EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 Chapter 4 - Controller and processor Responsibility of the controller Shared n/a n/a 311
EU_GDPR_2016_679_Art. 25 EU_GDPR_2016_679_Art._25 EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 Chapter 4 - Controller and processor Data protection by design and by default Shared n/a n/a 311
EU_GDPR_2016_679_Art. 28 EU_GDPR_2016_679_Art._28 EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 Chapter 4 - Controller and processor Processor Shared n/a n/a 311
EU_GDPR_2016_679_Art. 32 EU_GDPR_2016_679_Art._32 EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 Chapter 4 - Controller and processor Security of processing Shared n/a n/a 311
FBI_Criminal_Justice_Information_Services_v5.9.5_5.1 FBI_Criminal_Justice_Information_Services_v5.9.5_5.1 FBI Criminal Justice Information Services (CJIS) v5.9.5 5.1 Policy and Implementation - Systems And Communications Protection Systems And Communications Protection Shared In addition, applications, services, or information systems must have the capability to ensure system integrity through the detection and protection against unauthorized changes to software and information. Examples of systems and communications safeguards range from boundary and transmission protection to securing an agency's virtualized environment. 111
FBI_Criminal_Justice_Information_Services_v5.9.5_5.7 FBI_Criminal_Justice_Information_Services_v5.9.5_5.7 404 not found n/a n/a 96
HITRUST_CSF_v11.3 06.c HITRUST_CSF_v11.3_06.c HITRUST CSF v11.3 06.c Compliance with Legal Requirements To prevent loss, destruction and falsification of important records in accordance with statutory, regulatory, contractual, and business requirements. Shared 1. Guidelines are to be issued and implemented by the organization on the ownership, classification, retention, storage, handling, and disposal of all records and information. 2. Accountings of disclosure as organizational records are to be documented and maintained for a pre-defined period. Important records shall be protected from loss, destruction, and falsification, in accordance with statutory, regulatory, contractual, and business requirements. 26
HITRUST_CSF_v11.3 10.g HITRUST_CSF_v11.3_10.g HITRUST CSF v11.3 10.g Cryptographic Controls To ensure key management's support to the organization’s use of cryptographic techniques. Shared 1. All cryptographic keys are to be protected against modification, loss, and destruction. 2. Secret/private keys, including split-keys, are to be protected against unauthorized disclosure. Key management shall be in place to support the organization’s use of cryptographic techniques. 7
ISO_IEC_27002_2022 8.24 ISO_IEC_27002_2022_8.24 ISO IEC 27002 2022 8.24 Protection, Preventive Control Use of cryptography Shared Rules for the effective use of cryptography, including cryptographic key management, should be defined and implemented. To ensure proper and effective use of cryptography to protect the confidentiality, authenticity or integrity of information according to business and information security requirements, and taking into consideration legal, statutory, regulatory and contractual requirements related to cryptography. 14
ISO_IEC_27017_2015 10.1.2 ISO_IEC_27017_2015_10.1.2 ISO IEC 27017 2015 10.1.2 Cryptography Key Management Shared For Cloud Service Customer: The cloud service customer should identify the cryptographic keys for each cloud service, and implement procedures for key management. Where the cloud service provides key management functionality for use by the cloud service customer, the cloud service customer should request the following information on the procedures used to manage keys related to the cloud service: (i) type of keys; (ii) specifications of the key management system, including procedures for each stage of the key life-cycle, i.e., generating, changing or updating, storing, retiring, retrieving, retaining and destroying; (iii) recommended key management procedures for use by the cloud service customer. The cloud service customer should not permit the cloud service provider to store and manage the encryption keys for cryptographic operations when the cloud service customer employs its own key management or a separate and distinct key management service. To ensure proper and effective use of cryptography to protect the confidentiality, authenticity or integrity of information according to business and information security requirements, and taking into consideration legal, statutory, regulatory and contractual requirements related to cryptography. 14
NIST_SP_800-171_R3_3.1.16 NIST_SP_800-171_R3_3.1.16 NIST 800-171 R3 3.1.16 Access Control Wireless Access Shared Establishing usage restrictions, configuration requirements, and connection requirements for wireless access to the system provides criteria to support access authorization decisions. These restrictions and requirements reduce susceptibility to unauthorized system access through wireless technologies. Wireless networks use authentication protocols that provide credential protection and mutual authentication. Organizations authenticate individuals and devices to protect wireless access to the system. Special attention is given to the variety of devices with potential wireless access to the system, including small form factor mobile devices (e.g., smart phones, smart watches). Wireless networking capabilities that are embedded within system components represent a significant potential vulnerability that can be exploited by adversaries. Disabling wireless capabilities when not needed for essential missions or business functions can help reduce susceptibility to threats by adversaries involving wireless technologies. a. Establish usage restrictions, configuration requirements, and connection requirements for each type of wireless access to the system. b. Authorize each type of wireless access to the system prior to establishing such connections. c. Disable, when not intended for use, wireless networking capabilities prior to issuance and deployment. 8
NIST_SP_800-171_R3_3.13.10 NIST_SP_800-171_R3_3.13.10 NIST 800-171 R3 3.13.10 System and Communications Protection Control Cryptographic Key Establishment and Management Shared Cryptographic key establishment and management include key generation, distribution, storage, access, rotation, and destruction. Cryptographic keys can be established and managed using either manual procedures or automated mechanisms supported by manual procedures. Organizations satisfy key establishment and management requirements in accordance with applicable federal laws, Executive Orders, policies, directives, regulations, and standards that specify appropriate options, levels, and parameters. This requirement is related to 03.13.11. Establish and manage cryptographic keys in the system in accordance with the following key management requirements: [Assignment: organization-defined requirements for key establishment and management]. 14
NIST_SP_800-53_R5.1.1 CM.3.6 NIST_SP_800-53_R5.1.1_CM.3.6 NIST SP 800-53 R5.1.1 CM.3.6 Configuration Management Control Configuration Change Control | Cryptography Management Shared Ensure that cryptographic mechanisms used to provide the following controls are under configuration management: [Assignment: organization-defined controls]. The controls referenced in the control enhancement refer to security and privacy controls from the control catalog. Regardless of the cryptographic mechanisms employed, processes and procedures are in place to manage those mechanisms. For example, if system components use certificates for identification and authentication, a process is implemented to address the expiration of those certificates. 3
NIST_SP_800-53_R5.1.1 SC.12 NIST_SP_800-53_R5.1.1_SC.12 NIST SP 800-53 R5.1.1 SC.12 System and Communications Protection Cryptographic Key Establishment and Management Shared Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and specify appropriate options, parameters, and levels. Organizations manage trust stores to ensure that only approved trust anchors are part of such trust stores. This includes certificates with visibility external to organizational systems and certificates related to the internal operations of systems. [NIST CMVP] and [NIST CAVP] provide additional information on validated cryptographic modules and algorithms that can be used in cryptographic key management and establishment. 13
NIST_SP_800-53_R5.1.1 SC.12.2 NIST_SP_800-53_R5.1.1_SC.12.2 NIST SP 800-53 R5.1.1 SC.12.2 System and Communications Protection Cryptographic Key Establishment and Management | Symmetric Keys Shared Produce, control, and distribute symmetric cryptographic keys using [Selection: NIST FIPS-validated; NSA-approved] key management technology and processes. [SP 800-56A], [SP 800-56B], and [SP 800-56C] provide guidance on cryptographic key establishment schemes and key derivation methods. [SP 800-57-1], [SP 800-57-2], and [SP 800-57-3] provide guidance on cryptographic key management. 2
NIST_SP_800-53_R5.1.1 SC.28.3 NIST_SP_800-53_R5.1.1_SC.28.3 NIST SP 800-53 R5.1.1 SC.28.3 System and Communications Protection Protection of Information at Rest | Cryptographic Keys Shared Provide protected storage for cryptographic keys [Selection: [Assignment: organization-defined safeguards] ; hardware-protected key store]. A Trusted Platform Module (TPM) is an example of a hardware-protected data store that can be used to protect cryptographic keys. 1
NZISM_v3.7 16.3.5.C.01. NZISM_v3.7_16.3.5.C.01. NZISM v3.7 16.3.5.C.01. Privileged User Access 16.3.5.C.01. - To enhance overall security posture. Shared n/a Agencies MUST: 1. ensure strong change management practices are implemented; 2. ensure that the use of privileged accounts is controlled and accountable; 3. ensure that system administrators are assigned and consistently use, an individual account for the performance of their administration tasks; 4. keep privileged accounts to a minimum; and 5. allow the use of privileged accounts for administrative work only. 5
NZISM_v3.7 16.3.5.C.02. NZISM_v3.7_16.3.5.C.02. NZISM v3.7 16.3.5.C.02. Privileged User Access 16.3.5.C.02. - To enhance overall security posture. Shared n/a Agencies SHOULD: 1. ensure strong change management practices are implemented; 2. ensure that the use of privileged accounts is controlled and accountable; 3. ensure that system administrators are assigned an individual account for the performance of their administration tasks; 4. keep privileged accounts to a minimum; and 5. allow the use of privileged accounts for administrative work only. 5
NZISM_v3.7 17.9.37.C.01. NZISM_v3.7_17.9.37.C.01. NZISM v3.7 17.9.37.C.01. Key Management 17.9.37.C.01. - To enhance the overall security posture of the systems and the sensitive information they protect. Shared n/a Agencies MUST comply with NZCSI when using HACE. 5
NZISM_v3.7 19.1.22.C.02. NZISM_v3.7_19.1.22.C.02. NZISM v3.7 19.1.22.C.02. Gateways 19.1.22.C.02. - To ensure transparency, accountability, and adherence to established procedures for maintaining network security and integrity. Shared n/a Agencies MUST document any changes to gateways in accordance with the agency's Change Management Policy. 5
NZISM_v3.7 3.3.6.C.05. NZISM_v3.7_3.3.6.C.05. NZISM v3.7 3.3.6.C.05. Information Technology Security Managers 3.3.6.C.05. - To enhance the integrity and security of agency IT operations. Shared n/a ITSMs SHOULD be included in the agency's change management and change control processes to ensure that risks are properly identified and controls are properly applied to manage those risks. 5
NZISM_v3.7 6.3.6.C.01. NZISM_v3.7_6.3.6.C.01. NZISM v3.7 6.3.6.C.01. Change Management 6.3.6.C.01. - To maintain the integrity and security of systems. Shared n/a Agencies MUST ensure that for routine and urgent changes: 1. the change management process, as defined in the relevant information security documentation, is followed; 2. the proposed change is approved by the relevant authority; 3. any proposed change that could impact the security or accreditation status of a system is submitted to the Accreditation Authority for approval; and 4. all associated information security documentation is updated to reflect the change. 5
NZISM_v3.7 6.3.6.C.02. NZISM_v3.7_6.3.6.C.02. NZISM v3.7 6.3.6.C.02. Change Management 6.3.6.C.02. - To maintain operational integrity and security posture. Shared n/a Agencies SHOULD ensure that for routine and urgent changes: 1. the change management process, as defined in the relevant information security documentation, is followed; 2. the proposed change is approved by the relevant authority; 3. any proposed change that could impact the security of a system or accreditation status is submitted to the Accreditation Authority for approval; and 4. all associated information security documentation is updated to reflect the change. 5
NZISM_v3.7 6.3.7.C.01. NZISM_v3.7_6.3.7.C.01. NZISM v3.7 6.3.7.C.01. Change Management 6.3.7.C.01. - To foster systematic and responsive management of critical alterations. Shared n/a An agency's change management process MUST define appropriate actions to be followed before and after urgent changes are implemented. 4
NZISM_v3.7 6.3.7.C.02. NZISM_v3.7_6.3.7.C.02. NZISM v3.7 6.3.7.C.02. Change Management 6.3.7.C.02. - To facilitate structured management of critical alterations. Shared n/a An agency's change management process SHOULD define appropriate actions to be followed before and after urgent changes are implemented. 4
NZISM_v3.7 6.3.7.C.03. NZISM_v3.7_6.3.7.C.03. NZISM v3.7 6.3.7.C.03. Change Management 6.3.7.C.03. - To ensure systematic and effective management of changes. Shared n/a Agencies SHOULD follow this change management process outline: 1. produce a written change request; 2. submit the change request to all stakeholders for approval; 3. document the changes to be implemented; 4. test the approved changes; 5. notify users of the change schedule and likely effect or outage; 6. implement the approved changes after successful testing; 7. update the relevant information security documentation including the SRMP, SSP and SOPs; 8. notify and educate system users of the changes that have been implemented as close as possible to the time the change is applied; and 9. continually educate system users in regards to changes. 4
PCI_DSS_v4.0.1 3.6.1 PCI_DSS_v4.0.1_3.6.1 PCI DSS v4.0.1 3.6.1 Protect Stored Account Data Procedures are defined and implemented to protect cryptographic keys used to protect stored account data against disclosure and misuse that include: access to keys is restricted to the fewest number of custodians necessary. Key-encrypting keys are at least as strong as the data-encrypting keys they protect. Key-encrypting keys are stored separately from data-encrypting keys. Keys are stored securely in the fewest possible locations and forms Shared n/a Examine documented key-management policies and procedures to verify that processes to protect cryptographic keys used to protect stored account data against disclosure and misuse are defined to include all elements specified in this requirement 16
PCI_DSS_v4.0.1 3.6.1.1 PCI_DSS_v4.0.1_3.6.1.1 PCI DSS v4.0.1 3.6.1.1 Protect Stored Account Data Additional requirement for service providers only: A documented description of the cryptographic architecture is maintained that includes: details of all algorithms, protocols, and keys used for the protection of stored account data, including key strength and expiry date. Preventing the use of the same cryptographic keys in production and test environments. Description of the key usage for each key. Inventory of any hardware security modules (HSMs), key management systems (KMS), and other secure cryptographic devices (SCDs) used for key management, including type and location of devices, to support meeting Requirement 12.3.4 Shared n/a Additional testing procedure for service provider assessments only: Interview responsible personnel and examine documentation to verify that a document exists to describe the cryptographic architecture that includes all elements specified in this requirement 14
PCI_DSS_v4.0.1 3.6.1.2 PCI_DSS_v4.0.1_3.6.1.2 PCI DSS v4.0.1 3.6.1.2 Protect Stored Account Data Secret and private keys used to protect stored account data are stored in one (or more) of the following forms at all times: encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data-encrypting key. Within a secure cryptographic device (SCD), such as a hardware security module (HSM) or PTS-approved point-of-interaction device. As at least two full-length key components or key shares, in accordance with an industry-accepted method Shared n/a Examine documented procedures to verify it is defined that cryptographic keys used to encrypt/decrypt stored account data must exist only in one (or more) of the forms specified in this requirement. Examine system configurations and key storage locations to verify that cryptographic keys used to encrypt/decrypt stored account data exist in one (or more) of the forms specified in this requirement. Wherever key-encrypting keys are used, examine system configurations and key storage locations to verify: key-encrypting keys are at least as strong as the data-encrypting keys they protect. Key-encrypting keys are stored separately from data-encrypting keys 1
PCI_DSS_v4.0.1 3.6.1.4 PCI_DSS_v4.0.1_3.6.1.4 PCI DSS v4.0.1 3.6.1.4 Protect Stored Account Data Cryptographic keys are stored in the fewest possible locations Shared n/a Examine key storage locations and observe processes to verify that keys are stored in the fewest possible locations 1
PCI_DSS_v4.0.1 3.7.1 PCI_DSS_v4.0.1_3.7.1 PCI DSS v4.0.1 3.7.1 Protect Stored Account Data Key-management policies and procedures are implemented to include generation of strong cryptographic keys used to protect stored account data Shared n/a Examine the documented key-management policies and procedures for keys used for protection of stored account data to verify that they define generation of strong cryptographic keys. Observe the method for generating keys to verify that strong keys are generated 16
PCI_DSS_v4.0.1 3.7.2 PCI_DSS_v4.0.1_3.7.2 PCI DSS v4.0.1 3.7.2 Protect Stored Account Data Key-management policies and procedures are implemented to include secure distribution of cryptographic keys used to protect stored account data Shared n/a Examine the documented key-management policies and procedures for keys used for protection of stored account data to verify that they define secure distribution of cryptographic keys. Observe the method for distributing keys to verify that keys are distributed securely 16
PCI_DSS_v4.0.1 3.7.3 PCI_DSS_v4.0.1_3.7.3 PCI DSS v4.0.1 3.7.3 Protect Stored Account Data Key-management policies and procedures are implemented to include secure storage of cryptographic keys used to protect stored account data Shared n/a Examine the documented key-management policies and procedures for keys used for protection of stored account data to verify that they define secure storage of cryptographic keys. Observe the method for storing keys to verify that keys are stored securely 14
PCI_DSS_v4.0.1 3.7.5 PCI_DSS_v4.0.1_3.7.5 PCI DSS v4.0.1 3.7.5 Protect Stored Account Data Key management policies procedures are implemented to include the retirement, replacement, or destruction of keys used to protect stored account data, as deemed necessary when: the key has reached the end of its defined cryptoperiod. The integrity of the key has been weakened, including when personnel with knowledge of a cleartext key component leaves the company, or the role for which the key component was known. The key is suspected of or known to be compromised. Retired or replaced keys are not used for encryption operations Shared n/a Examine the documented key-management policies and procedures for keys used for protection of stored account data and verify that they define retirement, replacement, or destruction of keys in accordance with all elements specified in this requirement. Interview personnel to verify that processes are implemented in accordance with all elements specified in this requirement 14
PCI_DSS_v4.0.1 3.7.6 PCI_DSS_v4.0.1_3.7.6 PCI DSS v4.0.1 3.7.6 Protect Stored Account Data Where manual cleartext cryptographic key-management operations are performed by personnel, key-management policies and procedures are implemented, including managing these operations using split knowledge and dual control Shared n/a Examine the documented key-management policies and procedures for keys used for protection of stored account data and verify that they define using split knowledge and dual control. Interview personnel and/or observe processes to verify that manual cleartext keys are managed with split knowledge and dual control 16
PCI_DSS_v4.0.1 3.7.7 PCI_DSS_v4.0.1_3.7.7 PCI DSS v4.0.1 3.7.7 Protect Stored Account Data Key management policies and procedures are implemented to include the prevention of unauthorized substitution of cryptographic keys Shared n/a Examine the documented key-management policies and procedures for keys used for protection of stored account data and verify that they define prevention of unauthorized substitution of cryptographic keys. Interview personnel and/or observe processes to verify that unauthorized substitution of keys is prevented 14
PCI_DSS_v4.0.1 3.7.8 PCI_DSS_v4.0.1_3.7.8 PCI DSS v4.0.1 3.7.8 Protect Stored Account Data Key management policies and procedures are implemented to include that cryptographic key custodians formally acknowledge (in writing or electronically) that they understand and accept their key-custodian responsibilities Shared n/a Examine the documented key-management policies and procedures for keys used for protection of stored account data and verify that they define acknowledgments for key custodians in accordance with all elements specified in this requirement. Examine documentation or other evidence showing that key custodians have provided acknowledgments in accordance with all elements specified in this requirement 14
SOC_2023 CC2.3 SOC_2023_CC2.3 SOC 2023 CC2.3 Information and Communication To facilitate effective internal communication. Shared n/a The entity communicates with external parties regarding matters affecting the functioning of internal control. 218
SOC_2023 CC5.3 SOC_2023_CC5.3 SOC 2023 CC5.3 Control Activities To maintain alignment with organizational objectives and regulatory requirements. Shared n/a The entity deploys control activities through policies that establish what is expected and through procedures that put policies into action: establishing policies and procedures to support deployment of management's directives, assigning responsibility and accountability for executing policies and procedures, performing tasks in a timely manner, taking corrective action, performing tasks using competent personnel, and reassessing policies and procedures. 229
SOC_2023 CC6.1 SOC_2023_CC6.1 SOC 2023 CC6.1 Logical and Physical Access Controls To mitigate security events and ensure the confidentiality, integrity, and availability of critical information assets. Shared n/a The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives by identifying and managing the inventory of information assets, restricting logical access, identifying and authenticating users, considering network segmentation, managing points of access, restricting access to information assets, managing identification and authentication, managing credentials for infrastructure and software, using encryption to protect data, and protecting encryption keys. 128
SOC_2023 CC7.4 SOC_2023_CC7.4 SOC 2023 CC7.4 Systems Operations To effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation. Shared n/a The entity responds to identified security incidents by: a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities; b. Establishing procedures to contain security incidents; c. Mitigating ongoing security incidents and ending the threats posed by them; d. Restoring operations; e. Developing and implementing communication protocols for security incidents; f. Obtaining an understanding of the nature of the incident and determining a containment strategy; g. Remediating identified vulnerabilities; h. Communicating remediation activities; and i. Evaluating the effectiveness of incident response through periodic incident evaluations. 213
SOC_2023 CC8.1 SOC_2023_CC8.1 SOC 2023 CC8.1 Change Management To minimise risks, ensure quality, optimise efficiency, and enhance resilience in the face of change. Shared n/a The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives by managing changes throughout the system life cycle, authorizing changes, designing and developing changes, documenting all changes, tracking system changes, configuring software, testing system changes, approving system changes, deploying system changes, identifying and evaluating system changes, creating baseline configurations for IT technologies, and providing for necessary changes in emergency situations. 147
SOC_2023 CC9.1 SOC_2023_CC9.1 SOC 2023 CC9.1 Risk Mitigation To enhance resilience and ensure continuity of critical operations in the face of adverse events or threats. Shared n/a Entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions. 18
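Worked example (added here; not code from this page, from Microsoft, or from the built-in policy's own evaluation logic). The controls above, PCI DSS 3.7.5 in particular, ask that keys be replaced at the end of a defined cryptoperiod; in Key Vault that cryptoperiod is expressed as a per-key rotation policy, and this Audit policy flags keys whose policy does not schedule a Rotate action within a maximum number of days after creation. The script below evaluates rotation-policy documents of the shape returned by `az keyvault key rotation-policy show --vault-name <vault> --name <key>` (lifetimeActions with trigger.timeAfterCreate / timeBeforeExpiry and action.type Rotate / Notify, ISO 8601 durations) against such a threshold. Assumptions made here and not stated on the page: the parameter is called `maximum_days_to_rotate` (the policy's real parameter name is not shown above), only Rotate actions with a timeAfterCreate trigger count (how the built-in policy treats a Rotate triggered by timeBeforeExpiry is not documented here), and months and years are converted at 30 and 365 days. The sample policies are constructed for illustration.

```python
"""Evaluate Azure Key Vault key rotation policies against a maximum
rotation interval, in the spirit of the built-in Audit policy
'Keys should have a rotation policy ensuring that their rotation is
scheduled within the specified number of days after creation'.

Added example, not Microsoft's evaluation engine. Assumptions: parameter
name maximum_days_to_rotate; only Rotate actions triggered by
timeAfterCreate count; months = 30 days, years = 365 days.
"""
import re
from typing import Dict, Optional

# ISO 8601 date-only duration: P[nY][nM][nW][nD]. Time components (PT..)
# are deliberately rejected; Key Vault rotation triggers are day-granular.
_DURATION_RE = re.compile(
    r"^P(?:(?P<y>\d+)Y)?(?:(?P<m>\d+)M)?(?:(?P<w>\d+)W)?(?:(?P<d>\d+)D)?$"
)


def iso8601_duration_to_days(value: str) -> int:
    """Convert e.g. 'P90D', 'P3M', 'P1Y2M' to a day count.

    Assumption (this example, not Azure's arithmetic): 30-day months,
    365-day years. Raises ValueError on anything that is not a date-only
    ISO 8601 duration."""
    text = value.strip()
    match = _DURATION_RE.match(text)
    if text == "P" or not match:
        raise ValueError(f"unsupported duration: {value!r}")
    parts = {k: int(v) if v else 0 for k, v in match.groupdict().items()}
    return parts["y"] * 365 + parts["m"] * 30 + parts["w"] * 7 + parts["d"]


def scheduled_rotation_days(policy: Optional[dict]) -> Optional[int]:
    """Earliest timeAfterCreate (in days) of a Rotate action, or None.

    Notify actions and timeBeforeExpiry triggers are ignored: a Notify never
    rotates the key, and an expiry-relative Rotate is not a creation-relative
    schedule (assumption: the built-in policy would not credit it either)."""
    if not policy:
        return None
    candidates = []
    for entry in policy.get("lifetimeActions", []):
        action_type = (entry.get("action") or {}).get("type", "")
        if action_type.lower() != "rotate":
            continue
        after_create = (entry.get("trigger") or {}).get("timeAfterCreate")
        if after_create:
            candidates.append(iso8601_duration_to_days(after_create))
    return min(candidates) if candidates else None


def is_compliant(policy: Optional[dict], maximum_days_to_rotate: int) -> bool:
    """A key is compliant when a Rotate is scheduled no later than the limit."""
    days = scheduled_rotation_days(policy)
    return days is not None and days <= maximum_days_to_rotate


def evaluate_keys(keys: Dict[str, Optional[dict]], maximum_days_to_rotate: int) -> Dict[str, str]:
    """Per-key compliance state, mirroring the one-state-per-key reporting of
    a Microsoft.KeyVault.Data policy."""
    return {
        name: "Compliant" if is_compliant(policy, maximum_days_to_rotate) else "NonCompliant"
        for name, policy in keys.items()
    }


# Constructed sample rotation policies (not taken from a real vault).
SAMPLE_KEYS: Dict[str, Optional[dict]] = {
    # Rotate 90 days after creation, warn 30 days before expiry: the shape
    # `az keyvault key rotation-policy update --value <file>` accepts.
    "app-signing-key": {
        "lifetimeActions": [
            {"trigger": {"timeAfterCreate": "P90D"}, "action": {"type": "Rotate"}},
            {"trigger": {"timeBeforeExpiry": "P30D"}, "action": {"type": "Notify"}},
        ],
        "attributes": {"expiryTime": "P1Y"},
    },
    # Yearly rotation: present, but too slow for a 90-day requirement.
    "legacy-cmk": {
        "lifetimeActions": [
            {"trigger": {"timeAfterCreate": "P1Y"}, "action": {"type": "Rotate"}},
        ],
        "attributes": {"expiryTime": "P2Y"},
    },
    # Notify only: an expiry alert is not a rotation.
    "notify-only-key": {
        "lifetimeActions": [
            {"trigger": {"timeBeforeExpiry": "P7D"}, "action": {"type": "Notify"}},
        ],
        "attributes": {"expiryTime": "P1Y"},
    },
    # No rotation policy configured at all.
    "no-policy-key": None,
}

if __name__ == "__main__":
    for key_name, state in evaluate_keys(SAMPLE_KEYS, maximum_days_to_rotate=90).items():
        print(f"{key_name:18s} {state}")
```

To run it against real keys, feed each key's `az keyvault key rotation-policy show` output (parsed with `json.loads`) into `evaluate_keys`; a key with no policy yields an error from the CLI rather than an empty document, which is why `None` is treated as non-compliant above.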
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type polSet in AzUSGov
Canada Federal PBMM 3-1-2020 f8f5293d-df94-484a-a3e7-6b422a999d91 Regulatory Compliance GA BuiltIn unknown
CIS Microsoft Azure Foundations Benchmark v2.0.0 06f19060-9e68-4070-92ca-f15cc126059e Regulatory Compliance GA BuiltIn unknown
CSA CSA Cloud Controls Matrix v4.0.12 8791506a-dec4-497a-a83f-3abfde37c400 Regulatory Compliance GA BuiltIn unknown
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 a4087154-2edb-4329-b56a-1cc986807f3c Regulatory Compliance GA BuiltIn unknown
EU 2022/2555 (NIS2) 2022 42346945-b531-41d8-9e46-f95057672e88 Regulatory Compliance GA BuiltIn unknown
EU General Data Protection Regulation (GDPR) 2016/679 7326812a-86a4-40c8-af7c-8945de9c4913 Regulatory Compliance GA BuiltIn unknown
FBI Criminal Justice Information Services (CJIS) v5.9.5 4fcabc2a-30b2-4ba5-9fbb-b1a4e08fb721 Regulatory Compliance GA BuiltIn unknown
HITRUST CSF v11.3 e0d47b75-5d99-442a-9d60-07f2595ab095 Regulatory Compliance GA BuiltIn unknown
ISO/IEC 27002 2022 e3030e83-88d5-4f23-8734-6577a2c97a32 Regulatory Compliance GA BuiltIn unknown
ISO/IEC 27017 2015 f48ecfa6-581c-43f9-8141-cd4adc72cf26 Regulatory Compliance GA BuiltIn unknown
NIST 800-171 R3 38916c43-6876-4971-a4b1-806aa7e55ccc Regulatory Compliance GA BuiltIn unknown
NIST SP 800-53 R5.1.1 60205a79-6280-4e20-a147-e2011e09dc78 Regulatory Compliance GA BuiltIn unknown
NZISM v3.7 4476df0a-18ab-4bfe-b6ad-cccae1cf320f Regulatory Compliance GA BuiltIn unknown
PCI DSS v4.0.1 a06d5deb-24aa-4991-9d58-fa7563154e31 Regulatory Compliance GA BuiltIn unknown
SOC 2023 53ad89f5-8542-49e9-ba81-1cbd686e0d52 Regulatory Compliance GA BuiltIn unknown
History
Date/Time (UTC ymd) (i) Change type Change detail
2023-06-26 17:52:13 add d8cf8476-a2ec-4916-896e-992351803c44