NIST SC-12 requires that cryptographic key establishment and management procedures survive personnel and infrastructure changes. If the encryption key backup procedure exists only in one engineer's head — or in a document that has never been tested — a key loss event during an incident becomes unrecoverable data loss on top of the original incident. PCI-DSS 4.0 Req-3.7 requires key custodian procedures and documented key lifecycle controls. The FFIEC IT Handbook Business Continuity Planning section explicitly requires that disaster recovery procedures be tested, not just documented. An untested DR procedure is a hypothesis, not a control.
Severity is low because key DR failures surface only during compound disaster scenarios; when they do occur, however, the impact is permanent data loss rather than a recoverable security event.
Document the key backup and DR procedure explicitly, including the test cadence, and store it at a path your deployment checklist references (e.g., docs/key-dr-procedure.md):

```markdown
# Encryption Key Backup & Disaster Recovery

## Key Storage
- Primary: AWS KMS (us-east-1, multi-region enabled to us-west-2)
- Backup: Offline HSM in secure facility

## Recovery Procedure
1. Authenticate to AWS Console with break-glass credentials
2. Retrieve CMK ARN from `docs/kms-inventory.md`
3. Verify multi-region replica in us-west-2 is active
4. Update application KMS_KEY_ID env var to replica ARN
5. Run `scripts/verify-decryption.ts` against known test ciphertext

## Test Log
| Date       | Tester   | Result | Notes             |
|------------|----------|--------|-------------------|
| 2025-11-20 | Jane Doe | PASS   | Replica activated |

## Next test due: 2026-11-20
```
For cloud-managed KMS (AWS KMS, GCP Cloud KMS, Azure Key Vault), verify that multi-region replication is enabled in the console — this often satisfies the skip condition, but must be documented.
Check ID: finserv-encryption.data-at-rest.key-backup-dr-tested
Severity: low
Finding messages: "0 key backup procedures documented. 0 DR test records found" or "Key backup procedure exists but 0 test records within 365 days"

Procedure template:

```markdown
# Key Backup & Disaster Recovery Procedure
1. Master encryption key stored in [KMS service]
2. Key material backed up monthly to offline HSM
3. Recovery procedure: [specific steps]
4. Testing: Annual DR test with sign-off
5. Last tested: [date]
```
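The two finding messages above describe a simple evidence check: is there a documented recovery procedure, and is there a test record within the last 365 days? The script below is an added example of that check, not code from the original page or from any scanner it describes. It assumes the procedure document follows the markdown layout shown earlier (a "Recovery Procedure" heading and a "Test Log" table whose first three columns are Date, Tester, Result), counts only rows whose result is PASS as evidence of a successful test, and uses a constructed sample document; the heading names and the PASS-only rule are assumptions of this example.

```python
"""Evidence check for a documented and recently tested key backup / DR procedure.

Added example (not the page's own tooling). Assumes the markdown layout shown
earlier on this page: a '## Recovery Procedure' section and a '## Test Log'
table with Date | Tester | Result | Notes columns.
"""
from __future__ import annotations

import re
from datetime import date

MAX_AGE_DAYS = 365  # the window named in the check's finding message

# Constructed sample document in the format shown earlier (not a real record).
SAMPLE_DOC = """# Encryption Key Backup & Disaster Recovery
## Key Storage
- Primary: AWS KMS (us-east-1, multi-region enabled to us-west-2)
- Backup: Offline HSM in secure facility
## Recovery Procedure
1. Authenticate to AWS Console with break-glass credentials
2. Verify multi-region replica in us-west-2 is active
## Test Log
| Date       | Tester   | Result | Notes              |
|------------|----------|--------|--------------------|
| 2024-06-01 | Jane Doe | FAIL   | Replica not active |
| 2025-11-20 | Jane Doe | PASS   | Replica activated  |
## Next test due: 2026-11-20
"""

# Matches a table row whose first cell is an ISO date: | 2025-11-20 | tester | result |
ROW_RE = re.compile(r"^\|\s*(\d{4}-\d{2}-\d{2})\s*\|\s*([^|]*?)\s*\|\s*([^|]*?)\s*\|")


def _heading_text(line: str) -> str:
    """Heading line ('## Test Log') -> lowercase title ('test log')."""
    return line.lstrip("# ").strip().lower()


def has_procedure(doc: str) -> bool:
    """True if the document contains a 'Recovery Procedure' heading (assumed section name)."""
    return any(
        _heading_text(line).startswith("recovery procedure")
        for line in doc.splitlines()
        if line.startswith("#")
    )


def parse_test_log(doc: str) -> list[tuple[date, str, str]]:
    """Return (date, tester, result) for every row under the 'Test Log' heading."""
    rows: list[tuple[date, str, str]] = []
    in_log = False
    for line in doc.splitlines():
        if line.startswith("#"):
            # Only rows between the Test Log heading and the next heading count.
            in_log = _heading_text(line).startswith("test log")
            continue
        if not in_log:
            continue
        m = ROW_RE.match(line)
        if m:
            rows.append((date.fromisoformat(m.group(1)), m.group(2), m.group(3).upper()))
    return rows


def evaluate(doc: str | None, today: date) -> str:
    """Return 'PASS' or the finding message the check would emit.

    A missing document or one without a recovery procedure section is the first
    finding; a procedure with no PASS row inside MAX_AGE_DAYS is the second.
    """
    if doc is None or not has_procedure(doc):
        return "0 key backup procedures documented. 0 DR test records found"
    passes = [d for d, _tester, result in parse_test_log(doc) if result == "PASS"]
    if not passes or (today - max(passes)).days > MAX_AGE_DAYS:
        return f"Key backup procedure exists but 0 test records within {MAX_AGE_DAYS} days"
    return "PASS"


if __name__ == "__main__":
    print(evaluate(SAMPLE_DOC, date.today()))
```

Run it against a real procedure file by reading the file into `evaluate`; a FAIL row in the log is deliberately not accepted as evidence, since a failed DR test is exactly the case the control exists to catch, and the fix is to re-test and record a PASS.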