[PCI DSS 3.0] 3.6.6 If manual clear-text cryptographic key-management operations are used, these operations must be managed using split knowledge and dual control.

PCINetwork.org Admin
#1
3.6.6 If manual clear-text cryptographic key-management operations are used, these operations must be managed using split knowledge and dual control.

Note: Examples of manual key-management operations include, but are not limited to: key generation, transmission, loading, storage and destruction.

3.6.6.a Verify that manual clear-text key-management procedures specify processes for the use of the following:
• Split knowledge of keys, such that key components are under the control of at least two people who only have knowledge of their own key components; AND
• Dual control of keys, such that at least two people are required to perform any key-management operations and no one person has access to the authentication materials (for example, passwords or keys) of another.

3.6.6.b Interview personnel and/or observe processes to verify that manual clear-text keys are managed with:
• Split knowledge, AND
• Dual control

Split knowledge and dual control of keys are used to eliminate the possibility of one person having access to the whole key. This control is applicable for manual key-management operations, or where key management is not implemented by the encryption product.
Split knowledge is a method in which two or more people separately have key components, where each person knows only their own key component, and the individual key components convey no knowledge of the original cryptographic key.

Dual control requires two or more people to perform a function, and no single person can access or use the authentication materials of another.
 
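The following is an added example, not text from the PCI SSC and not code posted by PCINetwork.org, of the XOR key-component scheme that key ceremonies use to satisfy the "split knowledge" and "dual control" wording above. Every custodian holds one component; all but the last are uniformly random, so any incomplete set of components is consistent with every possible key and therefore conveys no knowledge of it. The function and custodian names are assumptions chosen for the example, and a truncated SHA-256 fingerprint stands in for the AES-based key check value (KCV) an HSM would print on each component form.

```python
"""Split knowledge via XOR key components (added example, not PCI SSC text)."""
import secrets
from hashlib import sha256
from typing import Dict, List


def xor_all(parts: List[bytes]) -> bytes:
    """XOR any number of equal-length byte strings together."""
    if not parts:
        raise ValueError("need at least one part")
    length = len(parts[0])
    if any(len(p) != length for p in parts):
        raise ValueError("all parts must have the same length")
    out = bytearray(length)
    for p in parts:
        for i, b in enumerate(p):
            out[i] ^= b
    return bytes(out)


def split_key(key: bytes, custodians: int) -> List[bytes]:
    """Split `key` into one component per custodian, K = C1 ^ C2 ^ ... ^ Cn.
    All but the last component are fresh random bytes; the last is whatever
    makes the XOR of the full set equal the key."""
    if custodians < 2:
        raise ValueError("split knowledge requires at least two custodians")
    components = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    components.append(xor_all([key] + components))
    return components


def combine_components(components: List[bytes]) -> bytes:
    """Reconstruct the key. Every component is required; there is no subset
    of components from which the key can be recovered."""
    if len(components) < 2:
        raise ValueError("a full set of at least two components is required")
    return xor_all(components)


def check_value(material: bytes) -> str:
    """Short fingerprint printed on a key or component form so a custodian can
    confirm a correct entry without revealing the material. Assumption: a
    truncated SHA-256 is used here in place of the AES-encrypt-a-zero-block
    KCV that HSMs normally compute."""
    return sha256(material).hexdigest()[:6]


def consistent_component(partial: List[bytes], candidate_key: bytes) -> bytes:
    """Return the missing component that would make `partial` combine to
    `candidate_key`. One exists for every candidate, which is exactly why an
    incomplete set of components conveys no knowledge of the real key."""
    return xor_all(partial + [candidate_key])


def ceremony_load(entries: Dict[str, bytes], expected_kcv: str) -> bytes:
    """Dual control: at least two distinct custodians must each enter their own
    component (the dict is keyed by custodian, so one person cannot enter two),
    and the combined key's check value must match before the key is accepted."""
    if len(entries) < 2:
        raise ValueError("dual control: at least two custodians must participate")
    key = combine_components(list(entries.values()))
    if check_value(key) != expected_kcv:
        raise ValueError("key check value mismatch: a component was mis-entered")
    return key


if __name__ == "__main__":
    # Constructed sample key for the demonstration; never hard-code real keys.
    key = secrets.token_bytes(16)
    comps = split_key(key, 3)
    print("key KCV:", check_value(key))
    for name, comp in zip(("alice", "bob", "carol"), comps):
        print(f"{name} component KCV:", check_value(comp))
    # Any two components are consistent with any key at all.
    decoy = secrets.token_bytes(16)
    print("two components also complete to a decoy key:",
          combine_components(comps[:2] + [consistent_component(comps[:2], decoy)]) == decoy)
    loaded = ceremony_load({"alice": comps[0], "bob": comps[1], "carol": comps[2]},
                           check_value(key))
    print("ceremony reconstructed the key:", loaded == key)
```

In practice each component lives in its own tamper-evident envelope with only its own KCV on the form, so a custodian can prove a correct entry while still never seeing anyone else's component.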