DS-05 Data Security & Protection
Cryptographic Key Management
Keys are managed across their lifecycle (critical for a DPT firm).
- Domain: Data Security & Protection
- Control type: Preventive/Detective
- Automated / manual: Hybrid
- Frequency: Per policy
- Framework reference: MAS TRM – Cryptography
What good looks like
Keys follow gen/store/rotate/revoke lifecycle with custodian segregation and HSM/KMS protection.
Risk if it fails
Key compromise undermining encryption and wallet security.
How Tess tests it
5 tests — each concludes only on cited evidence.
Key-management policy covers full lifecycle
- Type: Design
- Procedure: Inspect the policy.
- Expected: Generation/storage/rotation/revocation defined.
- Sample: 1 (design inspection)
- Evidence: Key-management policy, KMS rotation logs, custodian records.
Keys stored in HSM/KMS
- Type: Operating
- Procedure: Inspect key storage.
- Expected: Hardware/managed protection.
- Sample: Judgmental, by population (e.g. 10–25)
- Evidence: Key-management policy, KMS rotation logs, custodian records.
Rotation performed per schedule
- Type: Operating
- Procedure: Inspect rotation logs.
- Expected: Rotated on cadence.
- Sample: Judgmental, by population (e.g. 10–25)
- Evidence: Key-management policy, KMS rotation logs, custodian records.
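The rotation test above asks the tester to confirm, from the logs, that every sampled key was rotated on cadence. The check below is an added illustration of how that inspection can be made mechanical; it is not code from the page or from the Tess product. It assumes a simple line-oriented export of KMS key events (timestamp, key id, event, key class) and illustrative per-class cadences (90 days for wallet-signing keys, 365 days for other keys); real KMS exports and policy cadences will differ. The sample log lines are constructed for this example. For each key it reports the longest interval between successive rotations, the time elapsed since the last rotation, and two exception types: a historical gap that exceeded the cadence, and a key that is overdue as of the review date (which also catches keys that were created but never rotated).

```python
from datetime import datetime, timezone

# Constructed sample KMS key-event export (made up for this example, not from any real KMS).
# Assumed line format: ISO-8601 UTC timestamp, then key=<id> event=<CREATE|ROTATE> class=<critical|standard>.
SAMPLE_LOG = """
2024-01-05T10:00:00Z key=wallet-signing-01 event=CREATE class=critical
2024-04-01T09:30:00Z key=wallet-signing-01 event=ROTATE class=critical
2024-06-28T11:15:00Z key=wallet-signing-01 event=ROTATE class=critical
2024-01-20T08:00:00Z key=wallet-signing-02 event=CREATE class=critical
2024-04-15T08:00:00Z key=wallet-signing-02 event=ROTATE class=critical
2024-01-01T00:00:00Z key=wallet-signing-03 event=CREATE class=critical
2024-05-01T00:00:00Z key=wallet-signing-03 event=ROTATE class=critical
2024-07-15T00:00:00Z key=wallet-signing-03 event=ROTATE class=critical
2023-06-01T12:00:00Z key=db-at-rest-01 event=CREATE class=standard
2024-02-01T12:00:00Z key=api-hmac-01 event=CREATE class=standard
2024-03-03T12:00:00Z key=api-hmac-01 event=ROTATE class=standard
"""

# Assumed policy cadence per key class, in days (illustrative values, not from the page).
CADENCE_DAYS = {"critical": 90, "standard": 365}


def _parse_ts(s):
    """Parse the assumed 'YYYY-MM-DDTHH:MM:SSZ' timestamp into an aware UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text):
    """Group CREATE/ROTATE events by key id; returns {key: {"class": str, "times": [datetime, ...]}}."""
    keys = {}
    for line in text.strip().splitlines():
        parts = line.split()
        ts = _parse_ts(parts[0])
        fields = dict(p.split("=", 1) for p in parts[1:])
        rec = keys.setdefault(fields["key"], {"class": fields["class"], "times": []})
        rec["times"].append(ts)  # CREATE counts as the first "rotation" point
    for rec in keys.values():
        rec["times"].sort()
    return keys


def assess_rotation(text, as_of_iso, cadence=CADENCE_DAYS):
    """Evaluate every key in the log against its class cadence as of the review date.

    Returns {key: {"class", "rotations", "max_gap_days", "days_since_last", "exceptions"}}.
    """
    as_of = _parse_ts(as_of_iso)
    findings = {}
    for key, rec in parse_log(text).items():
        limit = cadence[rec["class"]]
        times = rec["times"]
        # Whole days between consecutive events; empty list if the key was never rotated.
        gaps = [(b - a).days for a, b in zip(times, times[1:])]
        days_since_last = (as_of - times[-1]).days
        exceptions = []
        if any(g > limit for g in gaps):
            exceptions.append("gap exceeded")      # cadence was missed at some point in history
        if days_since_last > limit:
            exceptions.append("overdue")           # cadence is missed as of the review date
        findings[key] = {
            "class": rec["class"],
            "rotations": len(times) - 1,           # 0 means created but never rotated
            "max_gap_days": max(gaps) if gaps else None,
            "days_since_last": days_since_last,
            "exceptions": exceptions,
        }
    return findings


if __name__ == "__main__":
    for key, f in sorted(assess_rotation(SAMPLE_LOG, "2024-08-01T00:00:00Z").items()):
        status = "OK" if not f["exceptions"] else ", ".join(f["exceptions"]).upper()
        print(f"{key:20} class={f['class']:8} rotations={f['rotations']} "
              f"max_gap={f['max_gap_days']} since_last={f['days_since_last']}d  {status}")
```

A key with `rotations == 0` and an `overdue` exception is the case an auditor most often finds in practice: a data-at-rest key created at go-live and never touched. Keys that are currently within cadence but show a `gap exceeded` exception still merit a finding, because the control failed during the review period even if it is operating now.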
Custodian duties segregated (dual control)
- Type: Operating
- Procedure: Inspect custodian arrangements.
- Expected: No single custodian for critical keys.
- Sample: Judgmental, by population (e.g. 10–25)
- Evidence: Key-management policy, KMS rotation logs, custodian records.
Revocation/compromise procedure exists & tested
- Type: Operating
- Procedure: Inspect the procedure and any test.
- Expected: Defined and exercised.
- Sample: Judgmental, by population (e.g. 10–25)
- Evidence: Key-management policy, KMS rotation logs, custodian records.
Evidence Tess looks for
Key-management policy, KMS rotation logs, custodian records.