Confidentiality controls ensure that private information is kept safe from prying eyes and available only to authorized individuals. They prevent attackers from achieving the goal of disclosing sensitive information to unauthorized individuals. Confidentiality controls include access control lists and encryption algorithms.
- [Narrator] Throughout this course you will learn about many different controls that information security professionals use to achieve their goals. Each of these controls is aligned with at least one of three key objectives of information security: confidentiality, integrity, and availability. One of the things you'll need to do on the exam is match security controls with their corresponding security goals. Let's take a look at some of the controls that security professionals use to enhance confidentiality.
One way that we protect the confidentiality of information is preventing people from accessing sensitive information in the first place. Access controls are the primary mechanism for restricting people from seeing data that they should not. Access controls protect confidentiality by limiting users to accessing only those files where they have been granted permission. You'll learn more about access controls in the courses covering domain two, asset security, and domain five, identity and access management.
In those courses you learn how to use the Windows NTFS file access controls that are linked with Active Directory to restrict file and folder access to individual users and groups that require this type of access. In those same courses you learn how Linux file permissions achieve the same goal as administrators manipulate the permissions for a file's user owner, group owner, and other users by editing Linux permission strings. Encryption is also an important security control for enforcing confidentiality.
Attackers may try to steal information without going through normal channels. For example, they might attempt to eavesdrop on network communications or remove data from a hard drive by bypassing the operating system and its access controls. Encryption uses mathematical algorithms to transform plaintext into ciphertext that is unintelligible to anyone who does not have the appropriate decryption key. Encryption is an incredibly important topic on the exam, and you'll learn more about it in the course covering domain three, security engineering.
Information can also be hidden in plain sight to protect it. Steganography is a technique that hides information inside of other files by subtly manipulating the contents of that file. For example, steganography may be used to embed a secret message within an image file that is undetectable to the naked eye.
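The Linux permission model described above (a file's user owner, group owner, and other users, each with its own r/w/x triplet in the permission string) can be checked with a short script. This is an added example, not part of the course; the `FileEntry` class, the user names, groups, and file paths are all constructed, and it models only the basic mode bits (no root override, setuid/setgid/sticky bits, or POSIX ACLs).

```python
# Added example (not course code): evaluate Linux permission strings for a user; data is constructed.
from __future__ import annotations
from dataclasses import dataclass

CLASSES = ("user", "group", "other")
WEIGHTS = {"r": 4, "w": 2, "x": 1}

@dataclass(frozen=True)
class FileEntry:
    """One file as `ls -l` shows it: nine-character mode, owner, group owner."""
    path: str
    mode: str    # e.g. "rw-r-----" (user, group, other triplets; no type char)
    owner: str
    group: str

def parse_mode(mode: str) -> dict[str, set[str]]:
    """Split 'rwxr-x---' into the r/w/x bits granted to each class.
    Only the basic bits are handled; setuid/setgid/sticky ('s'/'t') are rejected."""
    if len(mode) != 9 or any(c not in "rwx-" for c in mode):
        raise ValueError(f"unsupported permission string: {mode!r}")
    return {cls: set(mode[3 * i:3 * i + 3]) - {"-"} for i, cls in enumerate(CLASSES)}

def mode_to_octal(mode: str) -> str:
    """'rw-r-----' -> '640', the form chmod accepts."""
    bits = parse_mode(mode)
    return "".join(str(sum(WEIGHTS[c] for c in bits[cls])) for cls in CLASSES)

def permission_class(entry: FileEntry, user: str, groups: set[str]) -> str:
    """The kernel consults exactly one class: owner, else group member, else other."""
    if user == entry.owner:
        return "user"
    if entry.group in groups:
        return "group"
    return "other"

def can_access(entry: FileEntry, user: str, groups: set[str], perm: str) -> bool:
    """True if user (with supplementary groups) holds perm ('r','w','x') on entry.
    Because only one class applies, an owner whose own triplet lacks 'r' is denied
    even when group or other would grant it. Root and POSIX ACLs are not modelled."""
    return perm in parse_mode(entry.mode)[permission_class(entry, user, groups)]

# Constructed sample listing of an HR share.
SAMPLE_FILES = [
    FileEntry("/srv/hr/salaries.csv", "rw-r-----", "hrlead", "hr"),
    FileEntry("/srv/hr/handbook.pdf", "rw-r--r--", "hrlead", "hr"),
]

def readable_by(user: str, groups: set[str]) -> list[str]:
    """Paths in SAMPLE_FILES that `user` can read; handy for a least-privilege review."""
    return [f.path for f in SAMPLE_FILES if can_access(f, user, groups, "r")]
```

Running `readable_by` for each account that should and should not see the HR share is a quick way to confirm that a permission change actually restricts the file to the intended users.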
Find the companion study books at the Sybex test prep site and review the complete CISSP Body of Knowledge at https://www.isc2.org/cissp-domains/default.aspx.
Note: This course is part of a series releasing throughout 2018. A complete learning path will be available once all the courses are released.