Segregation of access to both parts of a symmetric key?
Asymmetric encryption key length a minimum of 256 bits?
Encryption keys encrypted at rest and when transmitted?
Segregation of duties between key management duties and normal operational duties?
Key/certificate sharing between production and non-production?
Default certificates provided by vendors replaced with proprietary certificates?
Are results tracked, remediated and reported to management?
Are there processes to manage threat and vulnerability assessment tools and the data they collect?
Are encryption tools managed and maintained for Scoped Data?
Is there: Encryption in storage / at rest?