Exam CISSP topic 1 question 390 discussion

Must be C. Other options: A. Firewall and reverse proxy focus on perimeter defense, but they don't inherently guarantee data confidentiality or integrity. B. WAF and HTTPS help protect web applications and data in transit, but they do not cover data at rest, leaving stored data vulnerable. D. Firewall and IPS help with network-level threats but don't protect the content of the data itself.

C. Encryption of data in transit and data at rest Explanation: The CISO’s primary responsibility is to protect the confidentiality and integrity of the organization’s information systems. Encryption of data in transit and data at rest is the FIRST priority because it directly addresses these goals. Why Encryption (C) is Prioritized First: Confidentiality: Encryption ensures that even if data is intercepted (in transit) or accessed (at rest), it remains unreadable without the decryption key. Integrity: Modern encryption methods (e.g., AES, TLS) include mechanisms to detect tampering, ensuring data integrity. Regulatory Compliance: Financial institutions are often required by regulations (e.g., PCI DSS, GDPR) to encrypt sensitive data.

Went with C but I am not fully confident in it. Main thing I pulled out is that it is a financial organization so there are likely strict regulations on the encryption of that data over anything else.

ChatGPT says: In the context of protecting the confidentiality and integrity of information systems, the control that should be prioritized FIRST is: C. Encryption of data in transit and data at rest

This is a classic CISSP test of semantics, imo. The answer that correlates to the question is WAF and HTTPS. You have to pay attention to the solution that fits the exact question.

WAF for integrity and HTTPS for confidentiality

This is because encryption provides an additional layer of protection to sensitive data, making it more difficult for attackers to access or steal. Firewall, WAF, HTTPS, and IPS are also important security controls, but encryption should be prioritized first to ensure the confidentiality and integrity of the organization's information systems.

Encryption only protects confidentiality; hashing protects integrity so it can't be C. D does seem the best answer.

I like D. I think C is too much focussed on the data and not on the systems.

Agree with C