Confidentiality controls ensure that private information is kept safe from prying eyes and is available only to authorized individuals. They prevent attackers from achieving their goal of disclosing sensitive information to unauthorized individuals. Confidentiality controls include access control lists and encryption algorithms.
[Instructor] - Throughout this course, you will learn about many different controls that information security professionals use to achieve their goals. Each of these controls is aligned with at least one of the three key objectives of information security: confidentiality, integrity, and availability. One of the things you'll need to do on the exam is match security controls with their corresponding security goals. Let's take a look at some of the controls that security professionals use to enhance confidentiality.
One way that we protect the confidentiality of information is by preventing people from accessing sensitive information in the first place. Access controls are the primary mechanism for restricting people from seeing data that they should not. Access controls protect confidentiality by limiting users to accessing only those files where they have been granted permission. You'll learn more about access controls in the courses covering Domain 2, Asset Security, and Domain 5, Identity and Access Management.
In those courses, you learn how to use the Windows NTFS file access controls that are linked with Active Directory to restrict file and folder access to individual users and groups that require this type of access. In those same courses, you learn how Linux file permissions achieve the same goal, as administrators manipulate the permissions for a file's user owner, group owner, and other users by editing Linux permission strings. Encryption is also an important security control for enforcing confidentiality.
Attackers may try to steal information without going through normal channels. For example, they might attempt to eavesdrop on network communications, or remove data from a hard drive by bypassing the operating system and its access controls. Encryption uses mathematical algorithms to transform plaintext into ciphertext that is unintelligible to anyone who does not have the appropriate decryption key. Encryption is an incredibly important topic on the exam, and you'll learn more about it in the course covering Domain 3, Security Engineering.
Information can also be hidden in plain sight to protect it. Steganography is a technique that hides information inside of other files by subtly manipulating the contents of that file. For example, steganography may be used to embed a secret message within an image file that's undetectable to the naked eye.
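The Linux permission-string model the instructor describes (user owner, group owner, other), as an added example that is not part of the course or its materials: it evaluates who may read a file under the kernel's first-matching-class rule and edits the string chmod-style. The file, users and groups are constructed for illustration, and POSIX ACLs, special bits and root's CAP_DAC_OVERRIDE are deliberately left out.

```python
# Added example (not from the course): modelling how Linux permission
# strings decide who may read a file, and editing them chmod-style.
# Simplifications: no POSIX ACLs, no setuid/setgid/sticky bits, and no
# root (CAP_DAC_OVERRIDE), which bypasses these checks entirely.
from dataclasses import dataclass

CLASSES = {"u": 0, "g": 1, "o": 2}   # user owner, group owner, other
BITS = {"r": 0, "w": 1, "x": 2}      # position of each bit in a triplet


@dataclass
class FileACL:
    owner: str
    group: str
    mode: str  # nine characters such as "rw-r-----" (file-type char dropped)


def apply_symbolic(mode: str, spec: str) -> str:
    """Apply symbolic chmod clauses ('g-r', 'o=', 'ug+rw', 'a+x') to a mode."""
    triplets = [list(mode[i:i + 3]) for i in (0, 3, 6)]
    for clause in spec.split(","):
        idx = next(i for i, c in enumerate(clause) if c in "+-=")
        who = (clause[:idx] or "a").replace("a", "ugo")
        op, perms = clause[idx], clause[idx + 1:]
        for w in who:
            trip = triplets[CLASSES[w]]
            if op == "=":                 # '=' clears the class before setting
                trip[:] = ["-", "-", "-"]
            for p in perms:
                trip[BITS[p]] = "-" if op == "-" else p
    return "".join("".join(t) for t in triplets)


def permitted(acl: FileACL, user: str, groups: set, perm: str) -> bool:
    """Kernel rule: only the FIRST matching class is consulted. An owner whose
    triplet lacks 'r' is denied even if the group or other triplet allows it."""
    if user == acl.owner:
        cls = "u"
    elif acl.group in groups:
        cls = "g"
    else:
        cls = "o"
    triplet = acl.mode[3 * CLASSES[cls]:3 * CLASSES[cls] + 3]
    return triplet[BITS[perm]] == perm


if __name__ == "__main__":
    # Constructed scenario: a payroll export left world-readable by mistake.
    salaries = FileACL(owner="hr", group="finance", mode="rw-r--r--")
    print("bob (other) can read:", permitted(salaries, "bob", {"bob"}, "r"))
    salaries.mode = apply_symbolic(salaries.mode, "o-r")   # chmod o-r
    print("after o-r:", salaries.mode,
          "bob can read:", permitted(salaries, "bob", {"bob"}, "r"))
```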
Members who complete this course will be prepared to answer questions on the Security and Risk Management domain of the CISSP exam, and establish a critical foundation for the rest of their careers.
Find the companion study books at the Sybex test prep site and review the complete CISSP Body of Knowledge at https://www.isc2.org/cissp-domains/default.aspx.
- Aligning security with the business
- Using control frameworks
- Understanding compliance ethics
- Implementing effective security policies
- Ensuring the security of employees
- Managing risk
- Identifying threats
- Managing vendors
- Building security awareness and conducting security training