Exam CISSP topic 1 question 18 discussion

policy vs encryption = management vs technical staff. Which is more important? I choose policy because CISSP needs you to think like a manager..

I'm for the "B", encryption is part of the policy.

While monitoring and enforcing security policies (option B) is crucial for overall security, encryption directly protects the confidentiality and integrity of data by ensuring that unauthorized individuals cannot access or alter the data. Encryption of both data in transit and data at rest provides a robust layer of protection, especially in case of data breaches or unauthorized access. In contrast, enforcing security policies (option B) helps manage and guide actions, but without encryption, data might still be vulnerable even if policies are in place. Therefore, option A is the best choice

The best answer is: A. Encrypt data in transit and at rest using up-to-date cryptographic algorithms. Explanation: While all the options contribute to security, encryption is the most fundamental and effective way to protect data assets from unauthorized access, even if other security controls fail. Proper encryption ensures data confidentiality and integrity, whether it is stored (at rest) or transmitted (in transit). • B (Monitor and enforce adherence to security policies): This is important but does not directly protect data assets—it’s more about governance and compliance. • C (Require MFA and Separation of Duties): These measures strengthen access control but do not directly protect data at rest or in transit. • D (Create a DMZ with proxies, firewalls, and bastion hosts): This helps protect network boundaries but does not directly safeguard stored or transmitted data. Encryption remains the most effective safeguard for data security across various attack vectors.

Encryption only PROTECTS data

Think like a manager

Policies lay the groundwork for all the other options mentioned.

B. A, C, and D are all valid ways to protect data assets. B is the one solution that can implement all of them.

When choosing answers, the order of priority should be People, Processes, Technology....Technology usually goes last. Think like a manager on this one.

Choose b as security policies may include using encryption. B in all encompassing and is a managerial selection vs a technical one.

you put your gold in the safe and then you make sure who can have access to safe , when and how. secure, safe guard and enforce A is the right answer.

Think like a CEO, it's B - policy

the answer is A. all data both in transit and at rest should be encrypted with the latest encryption mechanism

While all of these measures are important parts of a comprehensive security strategy, encryption, op A provides the most direct and fundamental protection for the data itself. It ensures that even if other security measures fail or data is somehow accessed, it remains unreadable and protected. This makes it the BEST way to protect an organization's data assets among the given options.

Is encryption enough to protect the data assets? There should be broader policies such as protection against tempering of the data or a web application firewall if there is a possibility of a SQL injection for example that could reveal the protected data to the attacker. Or the attacker can just delete the encrypted data. Therefore solely encrypting data isn't correct even from the technical perspective.

Correct Answer is B. all training suggests policy is typically the best answer. it may even encompass all of the rest of the less correct answers.

encrypting the data at rest and in transit is great for those who are unauthorized. However, the question is not that specific, reading that it applies to all types of users (authorized and not). When accounting for this interpretation of the question, B makes more sense. Additionally, B doesn't JUST list having or monitoring a policy, it is specific to also say enforce which implies technical controls.