SAMMY UI is optimized for resolutions with a width 1024px and higher.
Cloud Controls Matrix
Browse Cloud Controls...
CEK-02: CEK Roles and Responsibilities
CEK Roles and Responsibilities
CEK-02: Are cryptography, encryption, and key management roles and responsibilities defined and implemented?
Below are some examples of possible roles and responsibilities:
a. Keys managers should not be able to access protected data or the cryptographic engine.
b. Separation of duties should include two or more individuals control a single process.
c. Split Knowledge requires no one person knows the complete value of an encryption key.
d. No one person should know the entire passphrase used to create encryption keys.
e. Restrict access rights to the least resources required (least privilege).
f. A policy authority is responsible for all operational cryptographic key management system (CKMS) roles and reports to the executive IT.


Roles and responsibilities should be defined and followed:
a. Generation or acquisition of key information .
b. Secure distribution of private and secret keys,and the metadata.
c. Establishment of cryptoperiods.
d. Key and certificate inventory management.
e. Revocation of compromised keys and the establishment of replacement keys and/or certificates.
f. Management of the storage and recovery of operational and backed-up key information.
g. Storage and recovery of archived key information.
h. Checking the integrity of stored key information before using it.
i. Destruction of private or secret keys that are no longer required.
Control implemented
Not applicable - A “N/A” answer indicates that the portion of the control in question is out of scope of the assessment. The “SSRM control ownership” column is to be left blank (e.g., greyed out), and optionally the CSP may explain why it is the case (“CSP Implementation Description”).
No - A “No” answer indicates that the portion of the control in question is not implemented, while in scope of the assessment. The CSP has to assign the implementation responsibility of the control to the relevant party under column “SSRM control ownership”, and optionally elaborate on the “why” (has not been implemented), and “what” has to be done for its implementation by that party.
Yes - A “Yes” answer indicates that the portion of the control in question is implemented. The CSP indicates the responsible and accountable parties (SSRM control ownership), and optionally elaborates on the implementation “how-to” per relevant party CSP and/or CSC.
Control ownership
CSP-owned - The CSP is entirely responsible and accountable for the CCM control implementation.
CSC-owned - The Cloud Service Customer (CSC) is entirely responsible and accountable for the CCM control implementation.
Third-party - The third-party CSP in the supply chain (e.g., an IaaS provider) is responsible for CCM control implementation, while the CSP is fully accountable.
Shared CSP and CSC - Both the CSP and CSC share CCM control implementation responsibility and accountability.
Shared CSP and third party - Any CCM control implementation responsibility is shared between CSP and the third party, but the CSP remains fully accountable.
Description

Define and implement cryptographic, encryption and key management roles and responsibilities.