The key-custodian role is one of the most important jobs within your organization. Key-custodians are responsible for creating encryption keys, altering keys, recovering keys, rotating keys, distributing keys, maintaining keys, and much more. They manage every aspect of the encryption of your environment. Key-custodians have the keys to your kingdom.
By having key-custodians sign a formal document stating that they understand and accept their responsibilities, there is a better chance that they will commit to their role. Your key-custodians must understand the gravity of the job they’ve taken, and assessors need to see some type of acknowledgement of that. If key-custodians do not perform their job correctly or securely, this affects your entire organization because it could lead to vulnerabilities and breaches. Watch the full video to learn more about PCI Requirement 3.6.8 from Jeff Wilder.
If you store, process, or transmit cardholder data, interact with payment card data in any way, or have the ability to impact someone else’s cardholder information or the security of that information, you are subject to comply with the PCI DSS. This exclusive video series, PCI Demystified, was developed to assist your organization in understanding what the Payment Card Industry Data Security Standard (PCI DSS) is, who it applies to, what the specific requirements are, and what your organization needs to know and do to become compliant.
Learn more at https://kirkpatrickprice.com/video/pci-requirement-3-6-8-key-custodian-responsibilities/
Somebody needs to be truly responsible for managing the encryption of your environment. These are the individuals we typically identify as your key-custodians. These individuals need to sign a document – this signature can be electronic or it can be in writing – but effectively what we’re needing is some acknowledgment by these individuals that they truly understand the gravity of the job they’ve taken, and that they understand all of the policies and procedures and are good with it. The purpose and intent behind this is understanding that these individuals really have the keys to your kingdom. Their job, in my professional opinion, is one of the most important jobs in your environment. If they do not do their job well, or do not do it correctly or securely, that could effectively lead to the compromise of your environment. We’ve all seen what breaches in the past have done to organizations.
From an assessment perspective, the assessor is going to be working with your HR department to identify which individuals are responsible for key management. We’re going to be asking for some artifact showing that they have read and understand their responsibilities as key-custodians in your environment.
More Free Resources
PCI Demystified: https://kirkpatrickprice.com/pci-demystified/
White Papers: https://kirkpatrickprice.com/white-papers/
KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 600 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 12 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, ISO 27001, FISMA, and CFPB frameworks.
For more about KirkpatrickPrice: https://kirkpatrickprice.com/
Contact us today: 800-770-2701 https://kirkpatrickprice.com/contact/