3.7.8 Formal acknowledgment of key-custodian responsibilities
Defined Approach Requirements
3.7.8 Key management policies and procedures are implemented to include that cryptographic key custodians formally acknowledge (in writing or electronically) that they understand and accept their key-custodian responsibilities.
Customized Approach Objective
Key custodians are knowledgeable about their responsibilities in relation to cryptographic operations and can access assistance and guidance when required.
Defined Approach Testing Procedures
3.7.8.a Examine the documented key-management policies and procedures for keys used for protection of stored account data and verify that they define acknowledgments for key custodians in accordance with all elements specified in this requirement.
3.7.8.b Examine documentation or other evidence showing that key custodians have provided acknowledgments in accordance with all elements specified in this requirement.
Purpose
This process helps ensure that individuals who act as key custodians commit to the key-custodian role and understand and accept its responsibilities. An annual reaffirmation can help remind key custodians of those responsibilities.
Further Information
Industry guidance for key custodians and their roles and responsibilities includes:
- NIST SP 800-130 A Framework for Designing Cryptographic Key Management Systems [5. Roles and Responsibilities (especially) for Key Custodians]
- ISO 11568-1 Banking -- Key management (retail) -- Part 1: Principles [5 Principles of key management (especially b)]
Purpose
Ensure data retention and disposal requirements are integrated with other business processes.
Compliance Strategies
- Integration with change management
- Cross-department coordination
Typical Policies
- Business Process Integration Policy
Common Pitfalls
- Retention requirements overlooked in new projects
Type
Process Control
Difficulty
Moderate
Key Risks
- Data left unmanaged in new systems
Recommendations
- Include retention checks in project planning
Eligible SAQ
- SAQ-D MERCHANT
- SAQ-D SERVICE PROVIDER