Establish a cryptography strategy in the organisation. The strategy should define which cryptographic tools to use, how certificates are managed, how secure key generation is ensured, how keys and passwords are stored, how keys are backed up and renewed, and what to do if keys are compromised. Key management should distinguish between long-term keys and session keys, and long-term keys should be given additional protection.
The Cryptographic Key Management System (CKMS) handles, manages, stores, and monitors cryptographic keys. The management system can be implemented as an automated tool or as a more manual process.
The organization must have the means to monitor and report on all encryption materials and their status using an encryption key management system. The cryptographic key management system should be used at least to:
Our organization has defined policies for creating, storing, sharing, and deleting encryption keys.
Key lengths and usage practices are selected in line with generally accepted best practice, following developments in the field.
The organization must ensure that keys are rotated in accordance with the defined crypto-periods. The risk of disclosure and statutory requirements must be taken into account when determining the crypto-period (how long a key may remain in use).
When rotating keys, the old key is first used to decrypt the data, and the new key is then used to re-encrypt it.
The organization must have the means to generate keys in a pre-activated state, in which the key has been generated but not yet approved for use.
When activating encryption keys, please note the following:
Recovering an encryption key means rebuilding the encryption key using backups or archives.
The organization must have the means to weigh the risk of disclosure of a key or of the encrypted data against the risk to business continuity if the key is lost.
The organization must have the means to handle compromised keys. A compromised key may be held in a state in which it awaits further investigation to determine the appropriate course of action.
The handling of compromised cryptographic keys shall take into account at least the following:
Immediate revocation of compromised keys should follow the organisation's emergency revocation process.
The organisation should verify that the set of cryptographic controls applied to the use of data systems complies with relevant agreements, legislation and regulations.
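The lifecycle described above (pre-activated key, activation, rotation by decrypting with the old key and re-encrypting with the new one, a compromised state pending investigation, and revocation) as an added example; this is illustrative code written for this page, not Cyberday's or any CKMS product's. Assumptions: the `ACTIVE` state, the `KeyStore` API and the HMAC-SHA256 counter-mode demonstration cipher are constructed here; a real CKMS would use a standard AEAD and an HSM-backed store.

```python
import hashlib
import hmac
import os

# Lifecycle states named on the page; ACTIVE is the assumed state between approval and retirement.
PRE_ACTIVATED, ACTIVE, COMPROMISED, REVOKED = "pre-activated", "active", "compromised", "revoked"

def _keystream(key, nonce, n):
    # Demonstration cipher only (assumption, not a standard): HMAC-SHA256 in counter mode.
    blocks = (hmac.new(key, b"ks" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def encrypt(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class KeyStore:
    def __init__(self):
        self.keys, self._n = {}, 0
    def generate(self):  # key exists but is not yet approved for use
        kid, self._n = f"k{self._n}", self._n + 1
        self.keys[kid] = {"key": os.urandom(32), "state": PRE_ACTIVATED}
        return kid
    def activate(self, kid):
        if self.keys[kid]["state"] != PRE_ACTIVATED:
            raise ValueError(f"{kid} is {self.keys[kid]['state']}; only pre-activated keys activate")
        self.keys[kid]["state"] = ACTIVE
    def mark_compromised(self, kid):  # quarantine pending investigation; material kept for re-encryption
        self.keys[kid]["state"] = COMPROMISED
    def revoke(self, kid):  # emergency revocation: destroy the material, key unusable for anything
        self.keys[kid].update(key=None, state=REVOKED)
    def key_for(self, kid, operation):
        allowed = {ACTIVE} if operation == "encrypt" else {ACTIVE, COMPROMISED}
        if self.keys[kid]["state"] not in allowed:
            raise PermissionError(f"{kid} is {self.keys[kid]['state']}: cannot {operation}")
        return self.keys[kid]["key"]
    def rotate(self, old_kid, new_kid, blob):
        """Rotation as the page describes: decrypt with the old key, then re-encrypt with the new."""
        plaintext = decrypt(self.key_for(old_kid, "decrypt"), blob)
        return encrypt(self.key_for(new_kid, "encrypt"), plaintext)
```

A compromised key can still decrypt (so its data can be migrated to a new key) but never encrypt; a revoked key can do neither.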
In Cyberday, all frameworks’ requirements are mapped into universal tasks, so you achieve multi-framework compliance effortlessly.