CISSP · Question #1375
The Chief Information Security Officer (CISO) of a large financial institution is responsible for implementing the security controls to protect the confidentiality and integrity of the organization's
The correct answer is C. Encryption of data in transit and data at rest. Protecting confidentiality and integrity of information systems requires prioritizing encryption of data in transit and at rest, as it directly addresses both principles simultaneously across all data states.
Question
Options
- AFirewall and reverse proxy
- BWeb application firewall (WAF) and HyperText Transfer Protocol Secure (HTTPS)
- CEncryption of data in transit and data at rest
- DFirewall and intrusion prevention system (IPS)
How the community answered
(57 responses)- A11% (6)
- B5% (3)
- C63% (36)
- D21% (12)
Why each option
Protecting confidentiality and integrity of information systems requires prioritizing encryption of data in transit and at rest, as it directly addresses both principles simultaneously across all data states.
Firewalls and reverse proxies are network perimeter controls that regulate traffic flow but do not directly encrypt or ensure the integrity of data itself, making them secondary to encryption in protecting confidentiality and integrity.
A WAF and HTTPS protect web application traffic and encrypt data in transit over HTTP, but HTTPS alone does not address data at rest, and a WAF focuses on application-layer attack prevention rather than foundational data confidentiality and integrity.
Encryption of data in transit (via TLS/SSL) and data at rest (via AES or similar algorithms) directly addresses both confidentiality and integrity - the two specific security objectives named in the question. In a financial institution, sensitive data must be protected regardless of where it resides or travels, and encryption is the foundational control that satisfies both requirements at the data layer before any network-level controls are considered. NIST and financial regulatory frameworks (e.g., PCI-DSS, GLBA) consistently identify encryption as a primary control for protecting sensitive data.
A firewall combined with an IPS provides perimeter defense and intrusion detection/prevention, but these are detective and preventive network controls that do not directly encrypt or protect the confidentiality and integrity of the underlying data.
Concept tested: Prioritizing encryption controls for confidentiality and integrity
Source: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-111.pdf
Topics
Community Discussion
No community discussion yet for this question.