Guide for product evaluation
Organizations that plan to use a secure cryptographic device (SCD) for data protection can gain greater trust and confidence in a product by considering the following guidelines, which set out a product vendor's responsibilities in the creation, distribution, maintenance, and documentation of its product. Potential customers can evaluate competing product offerings against these guidelines to obtain a higher degree of assurance about a purchase. An organization that decides to develop its own cryptographic solution can use these guidelines as best practices on which to base its functional and non-functional requirements.
Preliminary considerations for potential customers
An organization that plans to use this information should first consider its performance requirements and establish a data security policy that includes approaches for the required level of protection. The minimum requirements for the hardware, operating system, and supporting software should be defined. These requirements can then be compared with the system features, and their associated implementations, supplied by each product vendor. Once a product vendor is chosen, it is the vendor's responsibility to supply the required level of security for all modes of operation of the system or device, and to provide adequate documentation and instructions for maintaining its integrity and confidence in it.
Types of data security
The following types of data security are considered in the guidelines for product vendors below. Organizations should establish policies and associated processes for each of these types of data security, so that they can assess how the policies relate to what the product vendor has to offer: