Key Management

Key management covers the entire lifecycle of keys and everything that happens to them from beginning to end including generation, communication and distribution, storage, entry and installation, checking the validity, usage, changing the active key, archiving, destruction, audit of key operations and usage, key backup and recovery, and emergency reserve keys.

Cloud Controls Matrix (CCM) Data

Array

IS-19 | Information Security | Encryption Key Management

Control Specification +-

Policies and procedures shall be established and mechanisms implemented for effective key management to support encryption of data in storage and in transmission.

Architectural Relevance +-

PhysicalNetworkComputeAppData
False True False True True

Corp Gov Relevance +-

Corp Gov Relevance
True

Cloud Service Delivery Model Applicability +-

SaaSPaaSIaaS
True True True

Supplier Relationship +-

Service ProviderTenant / Consumer
True False

Scope Applicability +-

COBIT 4.1HIPAA / HITECH ActISO/IEC 27001-2005

DS5.8

45 CFR 164.312 (a)(2)(iv)
45 CFR 164.312(e)(1)

Clause 4.3.3
A.10.7.3
A.12.3.2
A.15.1.6

NIST SP800-53 R3FedRAMP (Final 2012) Low ImpactFedRAMP (Final 2012) Moderate ImpactPCI DSS v2.0

SC-12
SC-13
SC-17
SC-28

NIST SP 800-53 R3 SC-12
NIST SP 800-53 R3 SC-13

NIST SP 800-53 R3 SC-12
NIST SP 800-53 R3 SC-12 (2)
NIST SP 800-53 R3 SC-12 (5)
NIST SP 800-53 R3 SC-13
NIST SP 800-53 R3 SC-13 (1)
NIST SP 800-53 R3 SC-17

3.4.1
3.5
3.5.1
3.5.2
3.6
3.6.1
3.6.2
3.6.3
3.6.4
3.6.5
3.6.6
3.6.7
3.6.8

BITS Shared Assessments SIG v6.0BITS Shared Assessments SIG v5.0GAPP (Aug 2009)

L.6

8.1.1
8.2.1
8.2.5

Jericho ForumNERC CIP

Commandment #9
Commandment #10
Commandment #11

Array

Consensus Assessments Initiative Questionnaire (CAIQ) Data

Information Security (IS) | ID #IS-19.1

Do you encrypt tenant data at rest (on disk/storage) within your environment?

Compliance Mapping +-

COBITHIPAAISO27001SP800_53

COBIT 4.1 DS5.8

45 CFR 164.312 (a)(2)(iv)
45 CFR 164.312(e)(1) (New)

Clause 4.3.3
A.10.7.3
A.12.3.2
A.15.1.6

NIST SP800-53 R3 SC-12
NIST SP800-53 R3 SC-13
NIST SP800-53 R3 SC-17
NIST SP800-53 R3 SC-28

FedRAMPPCI_DSSBITSGAPP

NIST SP800-53 R3 SC-12
NIST SP800-53 R3 SC-12 (2)
NIST SP800-53 R3 SC-12 (5)
NIST SP800-53 R3 SC-13
NIST SP800-53 R3 SC-13 (1)
NIST SP800-53 R3 SC-17
NIST SP800-53 R3 SC-28
NIST SP800-53 R3 SC-28 (1)

PCI-DSS v2.0 3.4.1
PCI-DSS v2.0 3.5
PCI-DSS v2.0 3.5.1
PCI-DSS v2.0 3.5.2
PCI-DSS v2.0 3.6
PCI-DSS v2.0 3.6.1
PCI-DSS v2.0 3.6.2
PCI-DSS v2.0 3.6.3
PCI-DSS v2.0 3.6.4
PCI-DSS v2.0 3.6.5
PCI-DSS v2.0 3.6.6
PCI-DSS v2.0 3.6.7
PCI-DSS v2.0 3.6.8

SIG v6.0: L.6

GAPP Ref 8.1.1
GAPP Ref 8.2.1
GAPP Ref 8.2.5

Model Applicability +-

SaaSPaaSIaaS
True True True

Scope Applicability +-

SPCUST
True True

Consensus Assessments Initiative Questionnaire (CAIQ) Data

Information Security (IS) | ID #IS-19.2

Do you leverage encryption to protect data and virtual machine images during transport across and between networks and hypervisor instances?

Compliance Mapping +-

COBITHIPAAISO27001SP800_53

COBIT 4.1 DS5.8

45 CFR 164.312 (a)(2)(iv)
45 CFR 164.312(e)(1) (New)

Clause 4.3.3
A.10.7.3
A.12.3.2
A.15.1.6

NIST SP800-53 R3 SC-12
NIST SP800-53 R3 SC-13
NIST SP800-53 R3 SC-17
NIST SP800-53 R3 SC-28

FedRAMPPCI_DSSBITSGAPP

NIST SP800-53 R3 SC-12
NIST SP800-53 R3 SC-12 (2)
NIST SP800-53 R3 SC-12 (5)
NIST SP800-53 R3 SC-13
NIST SP800-53 R3 SC-13 (1)
NIST SP800-53 R3 SC-17
NIST SP800-53 R3 SC-28
NIST SP800-53 R3 SC-28 (1)

PCI-DSS v2.0 3.4.1
PCI-DSS v2.0 3.5
PCI-DSS v2.0 3.5.1
PCI-DSS v2.0 3.5.2
PCI-DSS v2.0 3.6
PCI-DSS v2.0 3.6.1
PCI-DSS v2.0 3.6.2
PCI-DSS v2.0 3.6.3
PCI-DSS v2.0 3.6.4
PCI-DSS v2.0 3.6.5
PCI-DSS v2.0 3.6.6
PCI-DSS v2.0 3.6.7
PCI-DSS v2.0 3.6.8

SIG v6.0: L.6

GAPP Ref 8.1.1
GAPP Ref 8.2.1
GAPP Ref 8.2.5

Model Applicability +-

SaaSPaaSIaaS
True True True

Scope Applicability +-

SPCUST
True True

Consensus Assessments Initiative Questionnaire (CAIQ) Data

Information Security (IS) | ID #IS-19.3

Do you have a capability to manage encryption keys on behalf of tenants?

Compliance Mapping +-

COBITHIPAAISO27001SP800_53

COBIT 4.1 DS5.8

45 CFR 164.312 (a)(2)(iv)
45 CFR 164.312(e)(1) (New)

Clause 4.3.3
A.10.7.3
A.12.3.2
A.15.1.6

NIST SP800-53 R3 SC-12
NIST SP800-53 R3 SC-13
NIST SP800-53 R3 SC-17
NIST SP800-53 R3 SC-28

FedRAMPPCI_DSSBITSGAPP

NIST SP800-53 R3 SC-12
NIST SP800-53 R3 SC-12 (2)
NIST SP800-53 R3 SC-12 (5)
NIST SP800-53 R3 SC-13
NIST SP800-53 R3 SC-13 (1)
NIST SP800-53 R3 SC-17
NIST SP800-53 R3 SC-28
NIST SP800-53 R3 SC-28 (1)

PCI-DSS v2.0 3.4.1
PCI-DSS v2.0 3.5
PCI-DSS v2.0 3.5.1
PCI-DSS v2.0 3.5.2
PCI-DSS v2.0 3.6
PCI-DSS v2.0 3.6.1
PCI-DSS v2.0 3.6.2
PCI-DSS v2.0 3.6.3
PCI-DSS v2.0 3.6.4
PCI-DSS v2.0 3.6.5
PCI-DSS v2.0 3.6.6
PCI-DSS v2.0 3.6.7
PCI-DSS v2.0 3.6.8

SIG v6.0: L.6

GAPP Ref 8.1.1
GAPP Ref 8.2.1
GAPP Ref 8.2.5

Model Applicability +-

SaaSPaaSIaaS
True True True

Scope Applicability +-

SPCUST
True True

Consensus Assessments Initiative Questionnaire (CAIQ) Data

Information Security (IS) | ID #IS-19.4

Do you maintain key management procedures?

Compliance Mapping +-

COBITHIPAAISO27001SP800_53

COBIT 4.1 DS5.8

45 CFR 164.312 (a)(2)(iv)
45 CFR 164.312(e)(1) (New)

Clause 4.3.3
A.10.7.3
A.12.3.2
A.15.1.6

NIST SP800-53 R3 SC-12
NIST SP800-53 R3 SC-13
NIST SP800-53 R3 SC-17
NIST SP800-53 R3 SC-28

FedRAMPPCI_DSSBITSGAPP

NIST SP800-53 R3 SC-12
NIST SP800-53 R3 SC-12 (2)
NIST SP800-53 R3 SC-12 (5)
NIST SP800-53 R3 SC-13
NIST SP800-53 R3 SC-13 (1)
NIST SP800-53 R3 SC-17
NIST SP800-53 R3 SC-28
NIST SP800-53 R3 SC-28 (1)

PCI-DSS v2.0 3.4.1
PCI-DSS v2.0 3.5
PCI-DSS v2.0 3.5.1
PCI-DSS v2.0 3.5.2
PCI-DSS v2.0 3.6
PCI-DSS v2.0 3.6.1
PCI-DSS v2.0 3.6.2
PCI-DSS v2.0 3.6.3
PCI-DSS v2.0 3.6.4
PCI-DSS v2.0 3.6.5
PCI-DSS v2.0 3.6.6
PCI-DSS v2.0 3.6.7
PCI-DSS v2.0 3.6.8

SIG v6.0: L.6

GAPP Ref 8.1.1
GAPP Ref 8.2.1
GAPP Ref 8.2.5

Model Applicability +-

SaaSPaaSIaaS
True True True

Scope Applicability +-

SPCUST
True True