HECVAT Full v3.0.6 / Data / DATA-18

Question DATA-18

Do you have a cryptographic key management process (generation, exchange, storage, safeguards, use, vetting, and replacement) that is documented and currently implemented, for all system components? (e.g., database, system, web, etc.)

Weight: 10
High Risk: No
Required: Yes
Compliant Answer: Yes

Standard Guidance

EDUCAUSE provides no guidance here.

Answering "NO"

Summarize your cryptographic key management process.

Answering "YES"

Summarize your cryptographic key management process.

Reason for Question

Understanding how the vendor handles key management, and the safeguards it implements to ensure key confidentiality in all components of its system(s), can provide insight into other complex details of the vendor's infrastructure. Use the vendor's response to this question as a pivot to other infrastructure specifics, as needed to clarify potential risks.

Follow-Up Inquiries

Follow up with the vendor to ensure that all components of the system are considered. This includes system-to-system, system-to-client, applications, system accounts, etc.
