HOW CAN BUSINESSES RESPOND TO THE QUANTUM THREAT TO CRYPTOGRAPHY?
ASSESSMENT | PREPARATION | ORDERLY MIGRATION | EMERGENCY MIGRATION | MITIGATION
BQ | AQ
ASSESSMENT

ASSESSMENT: RISK
Risk Questions
MAGNITUDE: What risks will information disclosure create? (Monetary loss, Compliance, Legal, Reputation)
SCOPE: Do you issue keys or certificates to third parties? Under what CPSs or SLAs?
DURATION: Can you quantify damage due to degradation or interruption of each service that uses crypto?
RESPONSE: Is there a plan to protect encrypted assets in case of a crypto failure?
DURATION: How long must confidentiality be maintained for each asset class?
ASSESSMENT: DATA
Data Questions
TYPE: What classes of data do I encrypt? (PII, Trade Secret, Custodial Secret, Govt Classified…)
RETENTION: Is encrypted data deleted according to a regular schedule?
DISCLOSURE IMPACT: What are the consequences of disclosure of each data class?
EXPOSURE: Is encrypted data normally exposed to potential attackers? (e.g. in transit or public cloud)
PROTECTION DURATION: How long must confidentiality be maintained for each data class?
ASSESSMENT: KEYS
Key Questions
TYPE: What are the strength, algorithm binding, and usage (sign vs encrypt, application, etc…) of each key?
LIFETIME: What are the issuance and expiration dates for each key?
MANAGEMENT: Are all keys inventoried and locatable? Are keys easy to revoke and reissue?
STRENGTH: What is the effective strength of each key, vs. classical and quantum attack?
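The STRENGTH and TYPE questions above can be answered mechanically from a key inventory. The script below is an added worked example, not part of the original poster: the classical strength equivalences are NIST SP 800-57 values, the quantum column uses the standard planning assumption (Shor breaks RSA/ECC outright, Grover halves symmetric strength), and the 112-bit floor, the record format and the sample inventory are assumptions.

```python
# Added example (not from the original poster): triage a key inventory by effective
# strength against classical vs. quantum attack. Classical values follow NIST SP 800-57
# equivalences; quantum values assume Shor breaks RSA/ECC outright and Grover halves
# symmetric strength (the usual conservative planning assumption).
from dataclasses import dataclass

CLASSICAL_STRENGTH = {   # (family, key bits) -> security strength in bits
    ("RSA", 2048): 112, ("RSA", 3072): 128, ("RSA", 7680): 192,
    ("ECC", 256): 128, ("ECC", 384): 192,
    ("AES", 128): 128, ("AES", 256): 256,
}
SHOR_BREAKS = {"RSA", "ECC"}   # public-key families left with no quantum strength

@dataclass
class KeyRecord:               # assumed inventory record layout
    name: str
    family: str   # "RSA", "ECC" or "AES"
    bits: int
    usage: str    # "encrypt" or "sign"

def classical_strength(key: KeyRecord) -> int:
    return CLASSICAL_STRENGTH[(key.family, key.bits)]

def quantum_strength(key: KeyRecord) -> int:
    if key.family in SHOR_BREAKS:
        return 0                          # Shor recovers the private key
    return classical_strength(key) // 2   # Grover: square-root speed-up

def verdict(key: KeyRecord, minimum: int = 112) -> str:
    """`minimum` is an assumed floor; 112 bits is the SP 800-57 minimum for use through 2030."""
    q = quantum_strength(key)
    if q == 0 and key.usage == "encrypt":
        return "replace now"          # ciphertext captured today can be decrypted later
    if q == 0:
        return "replace before CRQC"  # forgeable only once a quantum computer exists
    if q < minimum:
        return "increase key size"    # e.g. AES-128 -> AES-256
    return "ok"

def assess(inventory):
    """Return (name, classical bits, quantum bits, verdict) per key."""
    return [(k.name, classical_strength(k), quantum_strength(k), verdict(k)) for k in inventory]

SAMPLE_INVENTORY = [   # constructed sample entries, not real keys
    KeyRecord("tls-server", "RSA", 2048, "encrypt"),
    KeyRecord("code-signing", "ECC", 256, "sign"),
    KeyRecord("db-at-rest", "AES", 128, "encrypt"),
    KeyRecord("backup-archive", "AES", 256, "encrypt"),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_INVENTORY):
        print("%-16s classical=%3d quantum=%3d  %s" % row)
```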
ASSESSMENT: INFRASTRUCTURE & SUPPLIERS
Infrastructure Questions
CRYPTO SOFTWARE INVENTORY: What crypto libraries are in use? What protocol libraries are in use?
KEY INVENTORY: What keys are in use, by what applications?
ADMIN INVENTORY: Who is authorized to manage which keys and which crypto modules and devices?
CERTIFICATE INVENTORY: What certificates are issued to the organization? Who issued them? What attributes does each certificate have?
CRYPTO HARDWARE INVENTORY: What crypto hardware is in use?
APPLICATION INVENTORY: Which applications use which libraries, which keys, and which protocols?
Supplier Questions
CAs: Do my CA agreements hold the CA to an SLA for timely reissuance? Do I have a backup CA under contract?
CODE SIGNATURES: Can and will my application vendors re-sign applications in a timely way?
SLAs (CA): Do my revocation and reissuance requests get priority vs. other firms in emergencies? Are my CAs obligated and prepared to revoke certificates en masse in case of an algorithm breach?
SLAs (Data Custodian): What obligations do custodians of my data have in case of algorithm breach?
MY CSRs: Have I retained my CSRs so I can request reissuance of certs with the correct attributes?
SLAs (Software Vendor): Are my vendors obligated to timely upgrades to fix crypto breaches?
PREPARATION

PREPARATION: ORDERLY MIGRATION
Orderly Transition Planning
SUPPLIER READINESS PLANS: Do your suppliers have quantum readiness plans? Do your contracts require them?
STANDARDS PARTICIPATION: Are you participating in standards groups preparing for PQC?
PRODUCT TESTING: Are you testing and certifying PQC algorithms and PQC-enabled products in advance?
HYBRID CRYPTO: Are you investigating or implementing hybrid classical/PQC modes of operation?
CRYPTO AGILITY: Will your infrastructure support rapid replacement of crypto algorithms and protocols?
REGULATORY ENGAGEMENT: Are you engaging with regulators on use of PQC?
PREPARATION: EMERGENCY MIGRATION
Disorderly Transition Planning
EXERCISES: Are you planning and executing tabletop and simulation exercises for crypto algorithm failure response?
SUPPLIER AGREEMENTS: Are you updating your supplier and partner agreements to cover algorithm failure?
SAVED CSRs: Are you retaining your Certificate Signing Requests to support emergency cert reissuance?
CA AGREEMENTS: Are you updating your CA agreements to cover algorithm failure?
EMERGENCY SOFTWARE DISTRIBUTION: Are you making arrangements to securely receive and deploy patches and updated software versions while network protocol and code signing cryptography is insecure?
E-RISK COVERAGE: Are you investigating Cyber Insurance for cryptographic algorithm failures?
MIGRATION
Migration
RESPONSIBILITY: What executive is responsible for Quantum Safety?
PROJECT MANAGEMENT: Is there a detailed plan for Quantum Safety? What is its priority?
BUDGET: Is there a budget for Quantum Safety projects?
METRICS AND TRACKING: Are there metrics for Quantum Safety? To whom are they reported?
MITIGATION
Mitigation
STAKEHOLDER ENGAGEMENT: Are Legal, Compliance, and Corporate Communications involved in planning?
EXERCISES: Are you planning and executing tabletop and simulation exercises for crypto algorithm failure response?
BUDGET: Is there a budget for mitigation of crypto algorithm failures?
PLAYBOOKS: Have exercises been used to create playbooks for mitigation?
QUESTIONS