Back

Implement a hardware security module, as necessary.


CONTROL ID
12222
CONTROL TYPE
Systems Design, Build, and Implementation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS



This Control directly supports the implied Control(s):
  • Implement security controls when developing systems., CC ID: 06270

This Control has the following implementation support Control(s):
  • Require dual authentication when switching out of PCI mode in the hardware security module., CC ID: 12274
  • Include an indicator to designate when the hardware security module is in PCI mode., CC ID: 12273
  • Design the random number generator to generate random numbers that are unpredictable., CC ID: 12255
  • Design the hardware security module to enforce the separation between applications., CC ID: 12254
  • Protect sensitive data when transiting sensitive services in the hardware security module., CC ID: 12253
  • Design the hardware security module to automatically clear its internal buffers of sensitive information prior to reuse of the buffer., CC ID: 12233
  • Design the hardware security module to erase sensitive data when compromised., CC ID: 12275
  • Restrict key-usage information for cryptographic keys in the hardware security module., CC ID: 12232
  • Prevent cryptographic keys in the hardware security module from making unauthorized changes to data., CC ID: 12231
  • Include in the system documentation methodologies for authenticating the hardware security module., CC ID: 12258
  • Protect sensitive information within the hardware security module from unauthorized changes., CC ID: 12225
  • Prohibit sensitive functions from working outside of protected areas of the hardware security module., CC ID: 12224
  • Establish, implement, and maintain an acceptable use policy for the hardware security module., CC ID: 12247
  • Install secret information into the hardware security module during manufacturing., CC ID: 12249


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH



  • Credentials stored on systems are protected by a password manager; a hardware security module; or by salting, hashing and stretching them before storage within a database. (Control: ISM-1402; Revision: 6, Australian Government Information Security Manual, June 2023)
  • Credentials stored on systems are protected by a password manager; a hardware security module; or by salting, hashing and stretching them before storage within a database. (Control: ISM-1402; Revision: 6, Australian Government Information Security Manual, September 2023)
  • use of physically and logically protected devices and environments to store and generate cryptographic keys, generate PINs and perform encryption and decryption. In most cases this would involve the use of Hardware Security Modules (HSMs) or similarly secured devices; (Attachment E 5(a)., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • A regulated institution would typically utilise tamper resistant devices to store and generate cryptographic keys, generate PINs and perform encryption and decryption. In most cases this would involve the use of Hardware Security Modules (HSMs) or similarly secured devices. These devices would be ap… (Attachment F ¶ 7, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Implement internal control, security and auditability measures during configuration, integration and maintenance of hardware and infrastructural software to protect resources and ensure availability and integrity. Responsibilities for using sensitive infrastructure components should be clearly defin… (AI3.2 Infrastructure Resource Protection and Availability, CobiT, Version 4.1)
  • Implement Hardware Security Modules (HSM) or Key Management Servers as needed to store, generate, and manage keys within the DISN (Section 5.11 ¶ 3 Bullet 3, sub-bullet 1, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • An organization's risk management strategy is constrained by such factors as legal, regulatory, and contractual requirements as reflected in organizational policies and procedures, financial resources, legacy investments, and organizational culture. These constraints imply the need to consider the c… (3.1.2 ¶ 2, NIST SP 800-160, Developing Cyber-Resilient Systems: A Systems Security Engineering Approach, Volume 2, Revision 1)
  • Build, install, configure, and test dedicated cyber defense hardware. (T0335, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework)”, July 7, 2020)