Use of Secure Functions

The HSM must be set into the Secure state before certain ‘privileged’ functions can be performed. This can be achieved only by Security Officers holding the physical keys for the front panel. The Secure state is required for sensitive operations involving the HSM local master keys.

Recommendations for usage of secure functions are as follows:

1. At least two separate authorised individuals must be required to switch the unit into the Secure state.

2. Before the HSM is switched into the Secure state, the identities of both authorised officers should be checked and logged, with audit entries signed by both officers.

3. If a previously authorised individual is no longer authorised, procedures should be put in place to prevent that person from subsequently acting as an authorised individual.

4. When the functions requiring Secure state have been completed, the Secure state should be cancelled.