14.1 Confidentiality, Integrity, and Cryptography Foundations
Key Takeaways
- Confidentiality protects data from unauthorized disclosure, while integrity protects data from unauthorized or accidental change.
- Symmetric encryption uses one shared secret key and is efficient for large amounts of data.
- Asymmetric encryption uses a public and private key pair and supports use cases such as key exchange, digital signatures, and certificate-based trust.
- Hashing creates a fixed-length digest and is used to detect changes, not to recover the original data.
- Domain 5 is weighted 18 percent on the current ISC2 CC outline effective October 1, 2025.
Confidentiality, Integrity, and Cryptography Foundations
Data security starts with knowing which property you are trying to protect. Confidentiality means preventing unauthorized disclosure. Integrity means preventing or detecting unauthorized change. Availability means data and systems are usable when needed, but this chapter focuses on the Domain 5 data security controls that protect the data itself. The current ISC2 CC exam outline is effective October 1, 2025, and the new outline is effective September 1, 2026. The current exam uses CAT, allows 2 hours, includes 100 to 125 items, and uses a 700 out of 1000 passing grade.
The five current domain weights are 26, 10, 22, 24, and 18 percent; Domain 5 is the 18 percent domain. Do not rely on public pass-rate claims.
Confidentiality in Practice
Imagine a clinic stores patient intake forms in a shared drive. Confidentiality controls decide who can view those forms and how the forms are protected if the drive, backup, or laptop is exposed. Access control is one part of confidentiality, but cryptography is often the last line of defense. Full-disk encryption can protect a stolen laptop. Database encryption can reduce damage if storage media is copied. TLS can protect data moving between a browser and a web application.
Encryption changes readable plaintext into unreadable ciphertext using an algorithm and a key. The algorithm is not supposed to be secret; the key is what must stay secret. Strong encryption fails quickly if keys are copied into tickets, hardcoded into scripts, emailed to vendors, or stored next to the encrypted data.
Symmetric Encryption
Symmetric encryption uses the same secret key to encrypt and decrypt. It is fast and practical for large files, disk volumes, backups, and database fields. The challenge is key distribution. If two systems need to share a symmetric key, they need a secure way to agree on or exchange that key. If the shared key is compromised, anyone with the key can decrypt protected data and possibly create convincing encrypted messages.
For an exam scenario, think of symmetric encryption when the question emphasizes speed, bulk data protection, or one shared secret. A backup job encrypting nightly archives before sending them to cloud storage is a common use case. The backup is only as safe as the key storage, rotation plan, and recovery process.
Asymmetric Encryption
Asymmetric encryption uses a mathematically linked public key and private key. The public key can be shared. The private key must be protected. In simplified terms, data encrypted to a public key can be decrypted with the related private key, and a digital signature created with a private key can be checked with the public key. This model helps solve the key distribution problem and supports certificates, TLS, digital signatures, and secure key exchange.
Asymmetric operations are slower than symmetric operations, so real systems often combine both. A web session may use asymmetric cryptography and certificates to authenticate the server and establish session secrets, then use symmetric encryption for the actual data stream.
Hashing and Integrity
A hash function creates a fixed-length digest from input data. Hashing is one-way for practical purposes: you do not decrypt a hash to get the original file. Hashes are useful for integrity checks. If a vendor posts a software download and a hash value, you can hash the file you downloaded and compare the result. A different result means the file changed or the wrong file was obtained.
Hashing alone does not prove who created the data. An attacker who can replace both a file and its posted hash can fool a simple comparison. Digital signatures and trusted distribution channels add stronger assurance because they connect integrity to an identity and a protected private key.
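The download check and its limit, as an added example that is not part of the original chapter. The file contents, key, and function names are constructed for illustration, and HMAC-SHA-256 from the Python standard library stands in for a digital signature (a real signature uses a private and public key pair, so the verifier does not hold a secret).

```python
import hashlib
import hmac
import io

def sha256_stream(stream, chunk_size=65536):
    """Hash a file-like object in chunks so a large download never sits in memory."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()

def matches_published(stream, published_hex):
    """Compare the digest of the downloaded data with the vendor's posted value."""
    computed = sha256_stream(stream)
    # Normalise case and whitespace; compare_digest runs in constant time.
    return hmac.compare_digest(computed, published_hex.strip().lower())

def keyed_tag(data, key):
    """HMAC-SHA-256: a digest that only a holder of `key` can produce."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

# Constructed sample data (not from any real vendor).
ORIGINAL = b"installer-v1 contents (constructed sample)\n"
TAMPERED = b"installer-v1 contents (constructed sample, modified)\n"
PUBLISHED = hashlib.sha256(ORIGINAL).hexdigest()
VERIFY_KEY = b"constructed-demo-key-not-for-real-use"

def demo():
    results = {}
    # 1. An intact download matches the posted hash.
    results["intact_ok"] = matches_published(io.BytesIO(ORIGINAL), PUBLISHED)
    # 2. A changed file no longer matches the posted hash.
    results["tampered_detected"] = not matches_published(io.BytesIO(TAMPERED), PUBLISHED)
    # 3. If the posted hash is replaced along with the file, the plain check passes.
    swapped_hash = hashlib.sha256(TAMPERED).hexdigest()
    results["swapped_hash_passes"] = matches_published(io.BytesIO(TAMPERED), swapped_hash)
    # 4. A tag made without the real key does not verify, so binding the
    #    digest to a protected key catches the same swap.
    forged_tag = keyed_tag(TAMPERED, b"wrong key")
    expected_tag = keyed_tag(TAMPERED, VERIFY_KEY)
    results["keyed_check_rejects_swap"] = not hmac.compare_digest(expected_tag, forged_tag)
    return results

if __name__ == "__main__":
    print(demo())
```

Case 3 is the weakness described above: the plain hash confirms only that the file matches whatever value sits beside it, which is why the trusted value must come from a channel the file's distributor cannot alter.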
Scenario Reasoning
A manager asks for "encryption" because reports are being changed after approval. That is not mainly a confidentiality problem. The better answer may include file permissions, version control, audit logging, digital signatures, or hash-based integrity checks. Another manager asks how to protect a stolen laptop containing customer data. That points to confidentiality through full-disk encryption, strong authentication, and key handling. On the CC exam, read the scenario carefully before choosing the control.
A company needs to encrypt large nightly backup files before storing them offsite. Which cryptographic approach is commonly used for efficient bulk encryption?
What is the primary purpose of hashing a downloaded software file and comparing it to a trusted value?
Which statement best describes asymmetric cryptography?