14.1 Confidentiality, Integrity, and Cryptography Foundations

Key Takeaways

  • Confidentiality protects data from unauthorized disclosure; integrity protects data from unauthorized or accidental change.
  • Symmetric encryption uses one shared secret key and is efficient for bulk data such as disks, files, and backups.
  • Asymmetric encryption uses a public and private key pair and supports key exchange, digital signatures, and certificate-based trust.
  • Hashing creates a fixed-length digest to detect change; it is one-way and does not recover the original data.
  • Data Security lives inside Domain 5 Security Operations, weighted 18 percent on the outline effective October 1, 2025.

Last updated: June 2026

Where Data Security Sits on the CC Exam

Data security is tested inside Domain 5: Security Operations, which is weighted 18 percent on the ISC2 CC outline effective October 1, 2025. A new outline takes effect September 1, 2026, integrating AI-security concepts across all five domains, so confirm which version applies to your exam date. The five current domains and weights are fixed numbers worth memorizing.

Domain | Topic                                                      | Weight
-------|------------------------------------------------------------|-------
1      | Security Principles                                        | 26%
2      | Business Continuity, Disaster Recovery & Incident Response | 10%
3      | Access Controls Concepts                                   | 22%
4      | Network Security                                           | 24%
5      | Security Operations (includes data security)               | 18%

Exam logistics: 100 to 125 items, 2 hours, scaled passing score of 700 out of 1000, delivered as a Computerized Adaptive Test (CAT) at a Pearson VUE testing center, multiple choice plus advanced item types. The standard exam fee is USD 50. Do not rely on public pass-rate claims; ISC2 does not publish an official CC pass rate.

Confidentiality, Integrity, Availability

Confidentiality means preventing unauthorized disclosure. Integrity means preventing or detecting unauthorized change. Availability means data and systems are usable when needed. Data-security questions almost always pivot on confidentiality (keep data secret) or integrity (keep data trustworthy), so your first move on any scenario is to name which property is at risk.

Picture a clinic storing patient intake forms on a shared drive. Confidentiality controls decide who may view those forms and protect them if a laptop, backup, or USB drive is lost. Access control is one layer; cryptography is often the last line of defense. Full-disk encryption protects a stolen laptop, database encryption limits damage if storage media is copied, and Transport Layer Security (TLS) protects data moving between a browser and a web application.

Encryption converts readable plaintext into unreadable ciphertext using an algorithm and a key. The algorithm is public; only the key is secret. Strong encryption collapses the instant a key is emailed to a vendor, hardcoded into a script, or stored beside the data it protects.

Symmetric Encryption

Symmetric encryption uses the same secret key to encrypt and decrypt. It is fast and ideal for large files, disk volumes, backups, and database fields. A common example is the Advanced Encryption Standard (AES). The weakness is key distribution: two parties need a secure channel to share the one key, and anyone who obtains that key can read everything it protects.

On the exam, reach for symmetric encryption when wording stresses speed, bulk data, or a single shared secret — for example, a nightly backup job encrypting archives before uploading them to cloud storage.

Asymmetric Encryption

Asymmetric encryption uses a mathematically linked public key and private key. The public key is shared freely; the private key is guarded. Data encrypted to a public key is decrypted only with the matching private key, and a digital signature made with a private key is verified with the public key. This solves the distribution problem and powers certificates, TLS handshakes, and key exchange.

Asymmetric math is slow, so real systems combine both: a TLS session uses certificates and asymmetric crypto to authenticate the server and establish a shared session secret, then switches to fast symmetric encryption for the actual data stream.
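The hybrid pattern just described, as an added example in Go that is not part of this study guide: an X25519 key agreement stands in for the asymmetric handshake and AES-256-GCM for the fast symmetric data stream. It assumes the peer's public key is already trusted (TLS gets that trust from the certificate, which the sketch omits) and hashes the shared secret with plain SHA-256 where TLS 1.3 uses HKDF; the `check`, `sessionKey`, `aead` and `RunHybridExchange` names are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// sessionKey hashes the X25519 shared secret into an AES-256 key (peer key assumed trusted).
func sessionKey(own *ecdh.PrivateKey, peer *ecdh.PublicKey) []byte {
	shared, err := own.ECDH(peer)
	check(err)
	k := sha256.Sum256(shared) // stand-in KDF; TLS 1.3 uses HKDF here
	return k[:]
}

// aead builds the AES-256-GCM cipher that protects the bulk data stream.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	check(err)
	gcm, err := cipher.NewGCM(block)
	check(err)
	return gcm
}

// RunHybridExchange models one session: asymmetric agreement once, then symmetric
// encryption of the data. Returns the server's recovered plaintext, key agreement, open error.
func RunHybridExchange(message []byte) ([]byte, bool, error) {
	client, err := ecdh.X25519().GenerateKey(rand.Reader)
	check(err)
	server, err := ecdh.X25519().GenerateKey(rand.Reader)
	check(err)
	ck := sessionKey(client, server.PublicKey()) // only public keys cross the wire
	sk := sessionKey(server, client.PublicKey()) // server reaches the same secret
	gcm := aead(ck) // client seals under a fresh random nonce, prepended to the output
	nonce := make([]byte, gcm.NonceSize())
	_, err = rand.Read(nonce)
	check(err)
	record := gcm.Seal(nonce, nonce, message, nil)
	got, err := aead(sk).Open(nil, record[:gcm.NonceSize()], record[gcm.NonceSize():], nil)
	return got, string(ck) == string(sk), err // Open errors if any bit of record was flipped
}
```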

Hashing and Integrity

A hash function (for example, SHA-256) produces a fixed-length digest and is one-way — you never decrypt a hash back to the file. Identical input always yields the identical digest, so any change, even one byte, produces a completely different value. That makes hashing an integrity check: hash a downloaded file and compare it to the vendor's published value; a mismatch means the file changed.

Tool                  | Provides                              | Key model        | Reversible?
----------------------|---------------------------------------|------------------|----------------------
Symmetric encryption  | Confidentiality                       | One shared key   | Yes, with key
Asymmetric encryption | Confidentiality, signatures, exchange | Public + private | Yes, with private key
Hashing               | Integrity detection                   | No key           | No

Trap: hashing alone does not prove who created data. An attacker who replaces both a file and its posted hash defeats a naive comparison. Digital signatures bind integrity to an identity through a protected private key, which is why trusted distribution plus signatures beats a bare checksum. A second trap is encoding versus encryption: Base64 encoding or simple obfuscation looks scrambled but uses no key and reverses instantly, so it provides zero confidentiality. The exam often offers "encoding" as a distractor when the real answer is encryption.
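The checksum-versus-signature trap above as an added Go example, not code from this guide: a naive digest comparison accepts a swapped file whose posted hash was swapped with it, while an Ed25519 signature over the digest fails because the impostor cannot sign with the vendor's private key. The keys, file bytes and function names (`FileDigest`, `Publish`, `ChecksumMatches`, `SignatureVerifies`, `Demo`) are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
)

// FileDigest returns the SHA-256 of the file contents as lowercase hex.
func FileDigest(file []byte) string {
	sum := sha256.Sum256(file)
	return hex.EncodeToString(sum[:])
}

// Publish is the vendor side: post the digest plus an Ed25519 signature over it,
// made with a private key that never leaves the vendor.
func Publish(priv ed25519.PrivateKey, file []byte) (digest string, sig []byte) {
	digest = FileDigest(file)
	return digest, ed25519.Sign(priv, []byte(digest))
}

// ChecksumMatches is the naive check: the download hashes to the posted value.
// It catches accidental corruption but trusts whoever controls the posted digest.
func ChecksumMatches(file []byte, posted string) bool {
	return subtle.ConstantTimeCompare([]byte(FileDigest(file)), []byte(posted)) == 1
}

// SignatureVerifies binds the digest to an identity: the posted digest must match
// the file AND carry a valid signature from the vendor's public key.
func SignatureVerifies(pub ed25519.PublicKey, file []byte, posted string, sig []byte) bool {
	return ChecksumMatches(file, posted) && ed25519.Verify(pub, []byte(posted), sig)
}

// Demo plays out the trap from the text with constructed keys and file bytes. Returns:
// genuine file verifies; swapped file passes the naive checksum; swapped file passes signature.
func Demo() (genuineOK, swappedChecksumOK, swappedSigOK bool) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := []byte("installer-1.2.bin: constructed sample bytes")
	swapped := []byte("installer-1.2.bin: constructed sample bytes, modified")
	digest, sig := Publish(vendorPriv, genuine)
	// A compromised mirror replaces the file and its posted digest, but signs with its own key.
	fDigest, fSig := Publish(attackerPriv, swapped)
	return SignatureVerifies(vendorPub, genuine, digest, sig),
		ChecksumMatches(swapped, fDigest),
		SignatureVerifies(vendorPub, swapped, fDigest, fSig)
}
```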

A related concept is data state. Data exists in three states, and each needs a matching control. Data at rest (files, disks, databases) is protected by full-disk or database encryption. Data in transit (moving across a network) is protected by TLS or a virtual private network (VPN). Data in use (loaded in memory or being processed) is the hardest to protect and relies on access control, masking, and trusted computing. When a question describes where the data is, match the state to the control.

Scenario Reasoning

If a manager says reports are being changed after approval, that is an integrity problem — answer with version control, audit logging, hashes, or digital signatures, not bulk encryption. If the concern is a stolen laptop with customer data, that is confidentiality at rest — answer with full-disk encryption, strong authentication, and key handling. If users complain that a login page sends passwords over plain HTTP, that is confidentiality in transit — answer with TLS. Read the scenario, name the property and the data state, then choose the matching control.

The most common wrong answer simply restates "encrypt it" without matching the actual risk.

Test Your Knowledge

A company needs to encrypt large nightly backup archives before sending them to cloud storage. Which approach is most appropriate for efficient bulk encryption?

Test Your Knowledge

Why does hashing alone fail to prove who produced a downloaded file?

Test Your Knowledge

Within the ISC2 CC outline effective October 1, 2025, where is data security tested and at what weight?
