When encryption is used, appropriate key management procedures are crucial. The university is responsible to manage cryptographic keys for required cryptography employed within the university using automated mechanisms with supported procedures.


  • The owner of an information resource, or designee, is responsible for implementing this control.


  • An information resource owner, or designee, is responsible to:

  • 1

    Manage cryptographic keys using automated mechanisms with supporting procedures where feasible.

    • 1.1

      When automated mechanisms are not feasible, manual key management may be used along with sufficient supporting procedures and documentation.

  • 2

    Appropriately secure public and private keys.

  • 3

    Maintain availability of information in the event of the loss of cryptographic keys by users.

    • 3.1

      Recovery of encryption keys should be part of business continuity planning with the exception of data used by a single individual (e.g., an individual faculty member’s grade book working copy).