PaulDotCom mailing list archives
Crypto Key Management Process?
From: mvharley2 at gmail.com (MV)
Date: Mon, 23 Mar 2009 09:08:26 -0700
Jason,

If you are looking at the processes right now you may want to also look at this project from an IT audit perspective. There are loads of guides out there for looking at the processes, even PKI, for example:

* Global Technology Audit Guides (GTAG)
  GTAG-1 Info Tech Controls.pdf
  GTAG-2 Chg and Patch Mgmt.pdf
  GTAG-3 Continuous Auditing 1.pdf
  GTAG-4 Mgmt of IT Audit 1.pdf
  GTAG_5_Managing and Auditing Privacy Risks.pdf
  GTAG_6 Managing IT Vulnerabilities.pdf
  GTAG_7_IT_Outsourcing.pdf
  GTAG_8 Auditing Application Controls.pdf
  GTAG_9_Identity_and_Access_Management.pdf
  GTAG_10_Business Continuity Management.pdf
  GTAG_11_Developing the IT Audit Plan.pdf
  GTAG_12_Auditing IT Projects.pdf

* Federal Financial Institutions Examination Council (FFIEC)
  Audit AUD - IT Examination Handbook.pdf
  Business Continuity Planning BCP - IT Examination Handbook.pdf
  Development and Acquisition D&A - IT Examination Handbook.pdf
  E-Banking EB - IT Examination Handbook.pdf
  FedLine FED - IT Examination Handbook.pdf
  Information Management MGMT - IT Examination Handbook.pdf
  Information Security IS - IT Examination Handbook.pdf
  Operations Management OPS - IT Examination Handbook.pdf
  Outsourcing Technology Services OT - IT Examination Handbook.pdf
  Retail Payment Systems RPS - IT Examination Handbook.pdf
  Supervision of Technology Service Providers TSP - IT Examination Handbook.pdf
  USAPatriot_Act.pdf
  Wholesale Payment Systems WPS - IT Examination Handbook.pdf

COBIT, new COSO, NIST, NSA and more.

Good luck.

MV

2009/3/22 Jason Wood <tadaka at gmail.com>
Thanks for the reply, guys. I've taken John's idea and used the NIST guide as a reference while following PCI's individual crypto requirements. So far it's going OK.

Chris, your point is well taken about the technology to back up the process. I'm trying to tackle the process right now, but I'm checking out HSMs too. There's a lot to do and this is only one of them.

Thanks for the help.

Jason

2009/3/21 Chris Biettchert <chris.biettchert at gmail.com>

What type of application is it? Key management policies are great, but you also need to be sure that the system is designed/developed to withstand attacks. I would start by using well-known and trusted implementations of crypto libraries. Keyczar can simplify the implementation and help you avoid errors. Since Steve Weis, Ben Laurie, etc. worked on it, I would be more confident in using it than rolling your own crypto wrapper.

You will also probably want to purchase an HSM. There are several vendors and price really depends on feature set/required load. If this is going to be used to encrypt e-commerce transactions or something similar, expect to pay quite a bit to get an HSM that can keep up with the load, but a smaller HSM should be within budget of most projects.

2009/2/19 John Fiedler <johnfiedler at gmail.com>

Hi Jason,

You should take a peek at the PCI Requirements; they have some decent requirements for companies handling keys used to encrypt credit card numbers. This might not be exactly what you're looking for, but it might help some.

https://www.pcisecuritystandards.org/security_standards/pci_dss_download.html

Look at requirements 3.6.x

John

2009/2/18 Jason Wood <tadaka at gmail.com>

Hi all,

I'm doing some reading on doing key management for a project and was wondering what has worked for others. I'm currently reading my way through NIST's guidelines. Does anyone have a document, book, paper, etc. that helped them build a secure key management process?

Thanks,
Jason

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
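The thread recommends a keyset-style library (Keyczar) over a hand-rolled crypto wrapper and points at the NIST key management guidelines and PCI DSS 3.6.x, both of which require that keys be rotated, retired and destroyed on a schedule. The example below is added here to show what that key lifecycle looks like in code; it is not from the thread, from Keyczar or from any of the cited documents. It is a hypothetical in-memory keyset built on the Go standard library's AES-GCM: one primary version encrypts, every undestroyed version can still decrypt, each ciphertext carries its key version in an authenticated header, and `ReEncrypt` migrates stored data before an old version is destroyed. The `Keyset`, `Rotate`, `Destroy`, `ReEncrypt` and `VersionOf` names, the 4-byte version header and the sample record are all assumptions made for this example; a real deployment would keep the key material in an HSM or KMS and hold only the version map here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// keyVersion is one key in the keyset: generated, used to encrypt while
// primary, retired (decrypt only) after rotation, then destroyed.
type keyVersion struct {
	aead    cipher.AEAD
	retired bool
}

// Keyset (hypothetical, in-memory): exactly one primary version encrypts;
// all undestroyed versions decrypt, so rotation never strands stored data.
type Keyset struct {
	primary  uint32
	nextID   uint32
	versions map[uint32]*keyVersion
}

func NewKeyset() *Keyset { return &Keyset{nextID: 1, versions: map[uint32]*keyVersion{}} }

// newAEAD draws a random 256-bit key and wraps it in standard-library AES-GCM.
func newAEAD() (cipher.AEAD, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Rotate makes a fresh version primary and retires the previous primary.
func (ks *Keyset) Rotate() (uint32, error) {
	aead, err := newAEAD()
	if err != nil {
		return 0, err
	}
	if old, ok := ks.versions[ks.primary]; ok {
		old.retired = true
	}
	id := ks.nextID
	ks.nextID++
	ks.versions[id] = &keyVersion{aead: aead}
	ks.primary = id
	return id, nil
}

// Destroy deletes a retired version; data still under it becomes unreadable,
// so ReEncrypt stored ciphertexts first. The primary can never be destroyed.
func (ks *Keyset) Destroy(id uint32) error {
	v, ok := ks.versions[id]
	if !ok || !v.retired {
		return errors.New("only retired key versions can be destroyed")
	}
	delete(ks.versions, id)
	return nil
}

// Wire format (assumed): 4-byte big-endian version || nonce || GCM output.
// The version header is bound as associated data, so an attacker cannot
// silently redirect a ciphertext to a different key version.
func (ks *Keyset) Encrypt(plaintext, aad []byte) ([]byte, error) {
	v, ok := ks.versions[ks.primary]
	if !ok {
		return nil, errors.New("keyset has no primary version")
	}
	hdr := make([]byte, 4)
	binary.BigEndian.PutUint32(hdr, ks.primary)
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append(append([]byte{}, hdr...), nonce...)
	return v.aead.Seal(out, nonce, plaintext, append(hdr, aad...)), nil
}

// VersionOf reads the key version a ciphertext was produced under.
func VersionOf(ciphertext []byte) (uint32, error) {
	if len(ciphertext) < 4 {
		return 0, errors.New("ciphertext too short")
	}
	return binary.BigEndian.Uint32(ciphertext[:4]), nil
}

func (ks *Keyset) Decrypt(ciphertext, aad []byte) ([]byte, error) {
	id, err := VersionOf(ciphertext)
	if err != nil {
		return nil, err
	}
	v, ok := ks.versions[id]
	if !ok {
		return nil, fmt.Errorf("key version %d unknown or destroyed", id)
	}
	ns := v.aead.NonceSize()
	if len(ciphertext) < 4+ns {
		return nil, errors.New("ciphertext too short")
	}
	ad := append(append([]byte{}, ciphertext[:4]...), aad...)
	return v.aead.Open(nil, ciphertext[4:4+ns], ciphertext[4+ns:], ad)
}

// ReEncrypt moves a ciphertext to the current primary; run it over stored
// data after Rotate and before Destroy.
func (ks *Keyset) ReEncrypt(ciphertext, aad []byte) ([]byte, error) {
	pt, err := ks.Decrypt(ciphertext, aad)
	if err != nil {
		return nil, err
	}
	return ks.Encrypt(pt, aad)
}

func main() {
	ks := NewKeyset()
	ks.Rotate()
	ct, _ := ks.Encrypt([]byte("constructed sample record"), []byte("row-42"))
	ks.Rotate() // version 1 is now retired, version 2 primary
	pt, err := ks.Decrypt(ct, []byte("row-42"))
	fmt.Printf("decrypt under retired version: %q err=%v\n", pt, err)
	ct2, _ := ks.ReEncrypt(ct, []byte("row-42"))
	v, _ := VersionOf(ct2)
	fmt.Println("re-encrypted under version", v, "; destroy v1:", ks.Destroy(1))
}
```

The ordering enforced by `Destroy` is the part auditors check against the 3.6.x procedures: rotate, re-encrypt everything still under the old version, and only then destroy it, so no live ciphertext ever points at a key that no longer exists.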
Current thread:
- Crypto Key Management Process? Jason Wood (Feb 18)
- Crypto Key Management Process? John Fiedler (Feb 19)
- Crypto Key Management Process? Chris Biettchert (Mar 21)
- Crypto Key Management Process? Jason Wood (Mar 22)
- Crypto Key Management Process? MV (Mar 23)
- Crypto Key Management Process? Chris Biettchert (Mar 24)
- Crypto Key Management Process? Chris Biettchert (Mar 21)
- Crypto Key Management Process? John Fiedler (Feb 19)