Exam CISSP topic 1 question 18 discussion

policy vs encryption = management vs technical staff. Which is more important? I choose policy because CISSP needs you to think like a manager..

I'm for the "B", encryption is part of the policy.

Think like a CEO, it's B - policy

the answer is A. all data both in transit and at rest should be encrypted with the latest encryption mechanism

While all of these measures are important parts of a comprehensive security strategy, encryption, op A provides the most direct and fundamental protection for the data itself. It ensures that even if other security measures fail or data is somehow accessed, it remains unreadable and protected. This makes it the BEST way to protect an organization's data assets among the given options.

Is encryption enough to protect the data assets? There should be broader policies such as protection against tempering of the data or a web application firewall if there is a possibility of a SQL injection for example that could reveal the protected data to the attacker. Or the attacker can just delete the encrypted data. Therefore solely encrypting data isn't correct even from the technical perspective.

Correct Answer is B. all training suggests policy is typically the best answer. it may even encompass all of the rest of the less correct answers.

encrypting the data at rest and in transit is great for those who are unauthorized. However, the question is not that specific, reading that it applies to all types of users (authorized and not). When accounting for this interpretation of the question, B makes more sense. Additionally, B doesn't JUST list having or monitoring a policy, it is specific to also say enforce which implies technical controls.

Choosing A. The AIO textbook has a section on "Data Protection Strategy" with the following key areas to consider when developing those strategies: -Backup and recovery -Data life cycle -Physical security -Security culture -Privacy -Organizational change The subsection "Data life cycle" states "we tend to disregard securing the data as it transitions from one stage to another. If we are archiving data at an offsite location, are we ensuring that it is protected as it travels there?" This implies that we SHOULD be doing option A (encrypting data in transit and at rest) as part of a data protection strategy to protect an orgs data assets. -CISSP AIO Exam Guide: Ninth Edition pg.269

All the options provided are important for protecting an organization's data assets, but the BEST way to protect the data assets depends on various factors and requires a comprehensive approach. However, out of the options given, option A is generally considered the most critical and effective measure for protecting data assets. A. Encrypting data in transit and at rest using up-to-date cryptographic algorithms is essential for maintaining the confidentiality and integrity of sensitive data. Encryption ensures that even if data is intercepted or compromised, it remains unreadable and unusable without the encryption keys. While options B, C, and D are also important, they focus on different aspects of security: the protection of data assets. In summary, while all the options have their importance, encrypting data in transit and at rest using up-to-date cryptographic algorithms is generally considered the BEST way to protect an organization's data assets. However, a comprehensive approach combining multiple security measures is crucial for overall data asset protection.

The best way to protect an organization's data assets is not a single method, but a combination of multiple methods that address different aspects and layers of data security. However, among the four options given, the most comprehensive and effective one is A. Encrypt data in transit and at rest using up-to-date cryptographic algorithms. Option B. Monitor and enforce adherence to security policies is a good practice for ensuring compliance and awareness of data security standards and regulations, but it does not directly protect data from attacks or breaches.

Agree with B, I feel like everything must start with a policy and go from there.

B- Think like manager

CHAT GP

A is more specific. If the security policy outdated or even the policy is not developed yet?

B encompasses A. B is more comprehensive than A. B could include access control and other control measures not specific to integrity or the like.

I feel it's B. Because you need to monitor and enforce. This includes due diligence and care. Security policy would tell you 5 W's. I'm going with B.