Except where otherwise stated, keys must be managed by their owners.
Cryptographic keys must be protected against loss, change or destruction by applying appropriate access control mechanisms to prevent unauthorized use and backing up keys on a regular basis.
When required, customers of the organization’s cloud-based software or platform offering must be able to obtain information regarding:
The cryptographic tools used to protect their information.
Any capabilities that are available to allow cloud service customers to apply their own cryptographic solutions.
The identity of the countries where the cryptographic tools are used to store or transfer cloud service customers’ data.
The use of organizationally-approved encryption must be governed in accordance with the laws of the country, region, or other regulating entity in which users perform their work. Encryption must not be used to violate any laws or regulations including import/export restrictions. The encryption used by the Company conforms to international standards and U.S. import/export requirements, and thus can be used across international boundaries for business purposes.
All key management must be performed using software that automatically manages access control, secure storage, backup and rotation of keys. Specifically:
The key management service must provide key access to specifically-designated users, with the ability to encrypt/decrypt information and generate data encryption keys.
The key management service must provide key administration access to specifically-designated users, with the ability to create keys, schedule key deletion, enable/disable key rotation, and set usage policies for keys.
The key management service must store and back up keys for the entirety of their operational lifetime.
The key management service must rotate keys at least once every 12 months.