PCI Requirement 3.6.8 – Key-Custodian Responsibilities
Someone in your organization needs to be responsible for managing the encryption of your environment and accept the importance of this role. This is why PCI Requirement 3.6.8 states, “Requirement for cryptographic key custodians to formally acknowledge that they understand and accept their key-custodian responsibilities.”
Key custodians are one of the most important jobs within your organization. They’re responsible for creating encryption keys, altering keys, recovering keys, rotating keys, distributing keys, maintaining keys, and so much more. They are managing every aspect of the encryption of your environment. Key custodians have the keys to your kingdom.
By having key custodians sign a formal document stating that they understand and accept their responsibilities, there is a better chance for them to commit to their role. Your key custodians must understand the gravity of the job they’ve taken, and assessors need to see some type of acknowledgement of that. If key custodians do not perform their job correctly or securely, this affects your entire organization because it could lead to vulnerabilities and breaches.
Somebody needs to be truly responsible for managing the encryption of your environment. The individuals we typically identify as your key-custodians. These individuals need to sign a document – this signature can be electronic or it can be in writing – but effectively what we’re needing is some acknowledgment by these individuals that they truly understand the gravity of the job they’ve taken, and that they understand all of the policies and procedures and are good with it. The purpose and intent behind this is understanding that these individuals really have the keys to your kingdom. Their job, in my professional opinion, is one of the most important jobs in your environment. If they do not do their job well, or do not do it correctly or securely, that could effectively lead to the compromise of your environment. We’ve all seen what breaches in the past have done to organizations.
From an assessment perspective, the assessor is going to be working with your HR department to identify who are those individuals responsible for the key management. We’re going to be asking for some artifact where they have read and understand their responsibilities as key-custodians in your environment.