cdpse-d2-technical-privacy-controls-key-management

Key Management

isaca-cdpse · framework · Production-ready

Drawn fromCDPSE Review Manual · ISACA peer-reviewed case sets·Reviewed May 6, 2026

How this was built ▾

Every cubelet runs through five agent passes before publishing. Each stage's output is recorded so we can trace how a claim got here.

01 · RESEARCHSource synthesisClaude Haiku
02 · WRITERSix-face draftingClaude Sonnet
03 · EDITORCoherence + clarity passClaude Sonnet
04 · QAQuality gate scoringClaude Opus
05 · PUBLISHERCatalog + graph commitClaude Haiku

This runcourse-factory-pipeline-v1

1

Face 1 of 6 · WHAT

What is Key Management

Key management is the end-to-end discipline of governing cryptographic keys across their full lifecycle—generation, distribution, storage, rotation, revocation, and retirement—so that encrypted personal data remains accessible only to authorized parties and stays compliant with privacy regulations. In the ISACA CDPSE framework, key management is a foundational technical privacy control: the operational and architectural practice that makes encryption meaningful. Encryption without disciplined key management is like locking a safe and taping the combination to the door.

Where it stops · what it isn't

—IS: Full lifecycle governance of cryptographic keys—generation policy, secure storage (HSM or cloud KMS), access control, rotation schedules, revocation procedures, audit logging, and retirement/destruction.
—IS: A privacy AND security control—key management determines who can access what personal data, making it a direct mechanism for enforcing data minimization and purpose limitation under GDPR and CCPA.
—IS NOT: Cryptographic algorithm design (e.g., designing AES or RSA—that is cryptography research, not key management).
—IS NOT: General secrets management (e.g., storing database passwords or API tokens in a vault), though key management principles overlap with secrets management patterns.
—IS NOT: Data classification policy—key management depends on classification to determine which data requires encryption, but does not define that classification.
—IS NOT: Identity and access management (IAM), though IAM governs who can request key operations via role-based policies.

Connected concepts in the graph

Every cubelet sits in a knowledge graph. Here's what this one connects to.

PART OF

Technical Privacy Controls (CDPSE Domain 2)

REQUIRES

Cryptography Fundamentals (symmetric/asymmetric encryption, key derivation)Data Classification (determines which data assets require which encryption tier)

ENABLES

Data Minimization and Purpose Limitation (encryption enforces access control at the data layer)Breach Notification Exemptions (encrypted data with managed keys may qualify for safe harbor under GDPR Recital 83)

RELATED TO

Access Control (IAM governs identity; key management governs data-layer access)Audit Logging and Monitoring (key access events must be logged for compliance evidence)

CONSTRAINS

Cloud Architecture (shared responsibility model defines provider vs. customer key ownership boundaries)

Practice this judgment ↗

Adaptive, ~8 min

Sit in the practitioner's chair ↗

Live simulator

06 · APPLYSign up to enter the judgment simulator →

Watch your judgment grow on this concept

Create a free account to unlock all 6 faces, the judgment simulator, and a mastery score that updates with every attempt.