nerdexam
Isaca

CDPSE · Question #152

An organization Wishes to deploy strong encryption to its most critical and sensitive databases. Which of the following is the BEST way to safeguard the encryption keys?

The correct answer is C. Ensure the keys are stored in a cryptographic vault.. Storing encryption keys in a cryptographic vault-such as a Hardware Security Module (HSM) or a dedicated key management system-is the best practice because these systems are purpose-built with physical and logical protections specifically designed for key material. They prevent k

Privacy Architecture

Question

An organization Wishes to deploy strong encryption to its most critical and sensitive databases. Which of the following is the BEST way to safeguard the encryption keys?

Options

  • AEnsure key management responsibility is assigned to the privacy officer.
  • BEnsure the keys are stored in a remote server.
  • CEnsure the keys are stored in a cryptographic vault.
  • DEnsure all access to the keys is under dual control_

How the community answered

(37 responses)
  • A
    5% (2)
  • C
    86% (32)
  • D
    8% (3)

Explanation

Storing encryption keys in a cryptographic vault-such as a Hardware Security Module (HSM) or a dedicated key management system-is the best practice because these systems are purpose-built with physical and logical protections specifically designed for key material. They prevent key export, enforce access controls, and provide tamper evidence. Assigning responsibility to the privacy officer (A) is an accountability measure, not a technical safeguard. Storing keys on a remote server (B) does not provide the specialized protections an HSM offers. Dual control (D) adds an authorization layer but is insufficient without proper key storage; it is a complementary control, not the primary safeguard.

Topics

#Encryption Key Management#Cryptographic Vault#Data Protection#Security Controls

Community Discussion

No community discussion yet for this question.

Full CDPSE Practice