3.6.5 Retirement or replacement (for example, archiving, destruction, and/or revocation) of keys as deemed necessary when the integrity of the key has been weakened (for example, departure of an employee with knowledge of a clear-text key component), or keys are suspected of being compromised.
Note: If retired or replaced cryptographic keys need to be retained, these keys must be securely archived (for example, by using a key-encryption key). Archived cryptographic keys should only be used for decryption/verification purposes.
3.6.5.a Verify that key-management procedures specify processes for the following:
• The retirement or replacement of keys when the integrity of the key has been weakened.
• The replacement of known or suspected compromised keys.
• Any keys retained after retiring or replacing are not used for encryption operations.
3.6.5.b Interview personnel to verify the following processes are implemented:
• Keys are retired or replaced as necessary when the integrity of the key has been weakened, including when someone with knowledge of the key leaves the company.
• Keys are replaced if known or suspected to be compromised.
• Any keys retained after retiring or replacing are not used for encryption operations.
Keys that are no longer used or needed, or keys that are known or suspected to be compromised, should be revoked and/or destroyed to ensure that the keys can no longer be used. If such keys need to be kept (for example, to support archived, encrypted data) they should be strongly protected.
The encryption solution should provide for and facilitate a process to replace keys that are due for replacement or that are known to be, or suspected of being, compromised.