Key Custodian Form
GMagyar
04-10-2008, 01:45 PM
Here we go again.....
My Assessor advised that I needed to include, per requirement 3.6.7, a form which key custodians would sign to state they understand and accept their key custodian responsibilities.
I asked for an example of the form and was advised, with a snicker, he didn't have one.
Can anyone point me in the right direction???
lyalc
04-10-2008, 10:02 PM
Well, you have a documented key management process, I assume.
And security policy statements somewhere that state the key management goals.
Then there's PCI DSS that contains specific requirements like split knowledge and dual control, secure storage etc.
Wrap references from these into a 2-3 paragraph form and signature panel, and discuss with your assessor about what "must have" aspects are missing (the QSA is not being professional, imho, if they just respond 'not acceptable').
lyalc
jonassono
04-18-2008, 09:16 AM
As I stated in another thread, the whole section (IMHO) 3.6.1 thru 3.6.10 is madness and can be readily resolved (at a dear cost) with an encryption appliance like Vormetric.
lyalc
04-19-2008, 03:30 PM
All Key management products need management processes.
A crypto custodian 'I am aware of my responsibilities' form ensures those responsible for managing the arcane concepts of key management know what's expected.
Then the expensive tools will actually deliver the expected security outcomes.
As Bruce Schneier and others have said, most crypto attacks succeed not because of the crypto itself, but because of how the crypto is implemented and managed.
lyalc
andrewj
04-19-2008, 06:05 PM
As I stated in another thread, the whole section (IMHO) 3.6.1 thru 3.6.10 is madness and can be readily resolved (at a dear cost) with an encryption appliance like Vormetric.
Good key management is essential for strong cryptography. If you think that the requirements for key management in PCI DSS are "madness" then you should avoid the requirements of PCI PED or PCI PIN - these have *much* more stringent requirements for key management.
As LyalC mentioned above, the requirements for key custodian forms in PCI DSS can be easily met with a single page document, and implementing an expensive third party solution does not necessarily get you this document.
jbhall56
04-20-2008, 07:26 AM
Here's the paragraph from the sample key custodian form that we recommend to our clients.
I understand that PCI cryptographic encryption keys and information relating to [Organization Name]'s PCI encryption key infrastructure and cryptographic controls are "[Data Classification]" information that are most sensitive to the company. I further understand, agree and accept the requirements and restrictions, and my obligations as a key custodian of PCI encryption keys, as set forth in [Organization Name]'s Information Security and Cryptographic Policies, Standards and Procedures; as such documents may be amended from time to time.
Have the Key Custodians sign the form as well as someone further up in management such as a Vice President, Division Manager, General Manager, etc.