Description
Applicability
-
The owner of an information resource, or designee, is responsible for implementing this control.
Implementation
-
An information resource owner, or designee, is responsible to:
-
1
Manage cryptographic keys using automated mechanisms with supporting procedures where feasible.
-
1.1
When automated mechanisms are not feasible, manual key management may be used along with sufficient supporting procedures and documentation.
-
1.1
-
2
Appropriately secure public and private keys.
-
3
Maintain availability of information in the event of the loss of cryptographic keys by users.
-
3.1
Recovery of encryption keys should be part of business continuity planning with the exception of data used by a single individual (e.g., an individual faculty member’s grade book working copy).
-
3.1