IAM.6.01 - Key Repository Access - IllumiDesk

Search…

IllumiDesk Team Handbook

People Group

General Employment

Employment Status & Recordkeeping

Working Conditions & Hours

Employee Benefits

Employee Conduct

Timekeeping & Payroll

Security and Compliance

Security Controls

BC.1.01 - Business Continuity Plan

BC.1.0.2 - Business Continuity Plan: Roles and Responsibilities

BC.1.03 - Continuity Testing

BC.1.04 - Business Impact Analysis

CFG.1.01 - Baseline Configuration Standard

CFG.1.03 - Configuration Checks

CM.1.01 - Change Management Workflow

CM.1.02 - Change Approval

CM.1.03 - Change Management Issue Tracker

CM.1.04 - Emergency Changes

DM.1.01 - Data Classification Criteria

DM.2.01 - Terms of Service

DM.4.01 - Encryption of Data in Transit

DM.7.03 - Data Retention and Disposal Policy

IAM.1.01 - Logical Access Provisioning

IAM.1.02 - Logical Access De-Provisioning

IAM.1.04 - Logical Access Review

IAM.1.05 - Transfers: Access De-Provisioning

IAM.1.06 - Shared Logical Accounts

IAM.1.08 - New Access Provisioning

IAM.2.01 - Unique Identifiers

IAM.2.02 - Password Authentication

IAM.2.03 - Multi-factor Authentication

IAM.3.02 - Source Code Security

IAM.4.01 - Remote Connections

IAM.6.01 - Key Repository Access

IR.1.01 - Incident Response Plan

IR.1.03 - Incident response

IR.1.04 - Insurance Policy

IR.2.02 - Incident Reporting

NO.1.01 - Network Policy Enforcement Points

PR.1.01 - Background Checks

RM.1.01 - Risk Assessment

RM.1.02 - Continuous Monitoring

RM.1.04 - Service Risk Rating Assignment

RM.1.05 - Risk Management Policy

RM.3.01 - Remediation Tracking

SDM.1.01 - System Documentation

SG.1.01 - Policy and Standard Review

SG.2.01 - Information Security Program Content

SG.5.03 - Security Roles and Responsibilities

SG.5.06 - Board of Director Bylaws

SG.5.07 - Board of Directors Security Program Content

SLC.1.01 - Service Lifecycle Workflow

SLC.2.01 - Source Code Management

SYS.1.01 - Audit Logging

SYS.2.01 - Security Monitoring Alert Criteria

SYS.2.07 - System Security Monitoring

TPM.1.01 - Third Party Assurance Review

TPM.1.02 - Vendor Risk Management

TRN.1.01 - General Security Awareness Training

TRN.1.02 - Code of Conduct Training

VUL.1.01 - Vulnerability Scans

VUL.1.03 - Approved Scanning Vendor

VUL.2.01 - Application & Infrastructure Penetration Testing

VUL.3.01 - Infrastructure Patch Management

VUL.3.02 - End of Life Software

VUL.4.01 - Enterprise Protection

VUL.5.01 - Code Security Check

VUL.6.01 - External Information Security Inquiries

VPAT Version 2.3

Powered By GitBook

IAM.6.01 - Key Repository Access

Control Statement
Access to the cryptographic keystores is limited to authorized personnel.
Context
One of the fundamental and most important security considerations of encryption is protecting cryptographic keys, particularly private keys. This controls aims to protect the confidentiality and integrity of data for customers, IllumiDesk team-members, and partners by limiting the number of people with access to view, modify, and create new cryptographic keys. A malicious actor with access to IllumiDesk's cryptographic keys could decrypt all sensitive data stored and transmitted by IllumiDesk, rending the encryption useless.
Scope
This control applies to all cryptographic keystores for the production environment. The production environment includes all endpoints and cloud assets used in hosting IllumiDesk.com and its subdomains. This may include third-party systems that support the business of IllumiDesk.com.
Ownership
Control Owner: Infrastructure
Process owner(s):
Infrastructure
Additional control information and project tracking
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the Key Repository Access control issue.
Examples of evidence an auditor might request to satisfy this control:
Sample of access requests for Google Cloud and specifically KMS; Chef Data Bags; any servers which store the Data Bags private key; and any servers which store the TLS private key
Documentation or some form of record demonstrating access to a keystore or server containing the private key to a keystore is only provisioned to IllumiDeskers where there is a clear need for access
A copy of Google Cloud users with access to production KMS, Data Bags, and servers storing private keys to either
 Framework Mapping
SOC2 CC
CC6.1
CC6.3

IAM.4.01 - Remote Connections

IR.1.01 - Incident Response Plan

Last modified 1yr ago

Copy link

Contents

Control Statement

Additional control information and project tracking

Framework Mapping