You're reading from ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide

Product type: Book
Published in: Sep 2023
Publisher: Packt
ISBN-13: 9781803236902
Edition: 1st Edition

Author: Shobhit Mehta

Shobhit Mehta is the Security and Compliance Director at Headspace, an on-demand mental health company in San Francisco, CA. Previously, he worked in different facets of security and assurance with HSBC, Deutsche Bank, Credit Suisse, PayPal, and Fidelity Investments. He also works with ISACA to develop exam questions for CISA, CISM, and CGEIT, served as the technical reviewer for the CGEIT and CISA review manuals, and is a published author for the COBIT 5 journal. He completed his MS in cybersecurity at Northeastern University, Boston, and holds CRISC, CISM, CISA, CGEIT, CISSP, and CCSP certifications. In his spare time, he likes to explore the inclined trails of the Bay Area, complete ultramarathons, and blog on GRCMusings.

Information Security and Privacy Principles

This is the final chapter of the CRISC syllabus, where we’ll learn about information security and privacy concepts. Information security involves protecting information from unauthorized access, use, retention, disclosure, disruption, modification, or destruction, while privacy refers to an individual’s right to control their personal information. Both are essential for maintaining trust with users.

The principles of information security include confidentiality, integrity, availability, accountability, and non-repudiation. We will learn about each of these, along with the supporting concepts of encryption, hashing, digital signatures, and so on, which are the mechanisms used to achieve these principles. The principles of privacy include respecting users' right to confidentiality and giving them the means to exercise that right.

The aim of this chapter is to understand information security and privacy principles that secure the system and...

Fundamentals of information security

Confidentiality, integrity, and availability (collectively known as CIA) are the fundamental pillars of information security. It is an absolute requirement for the risk manager to understand and account for these to ensure all decisions are risk-based and derived with these three security pillars in mind. Let’s look at these pillars in detail:

  • Confidentiality: Confidentiality ensures that information is only accessible to authorized individuals. Unauthorized access to sensitive information can lead to incidents such as identity theft, fraud, or damage to an individual’s or organization’s reputation. Confidentiality can be ensured through technical and administrative controls such as encryption, masking, access control, training, and other similar controls.

Two important principles are related to maintaining confidentiality, as follows:

  • The need-to-know principle ensures that individuals should be given...

Access management

Managing access to information systems is one of the most integral parts of information security. The following four principles are the pillars of robust access management and are also known as IAAA:

  1. Identification: Identification is the process of identifying an individual attempting to access a resource, information, or application. This is done by providing a unique ID such as a username, an email address, a user ID, or a similar attribute that the user can easily remember. A risk practitioner should verify that the process of issuing this unique ID is secure and that an ID is not shared by multiple users unless warranted for legitimate use, such as a system/service account.
  2. Authentication: After the user has claimed an identity, authentication is the process of verifying that they are who they claim to be. This is typically done using one of the three factors—something you know (such as a PIN or password), something you have (a security...

Encryption

Encryption is a process of converting plain text into cipher text with the help of mathematical algorithms and keys. The primary purpose of encryption is to protect sensitive data and ensure its confidentiality; however, it also supports achieving other aspects of security, such as integrity and availability.

Encryption works by taking a plain text message and using an encryption algorithm to convert it into cipher text. This cipher text can only be deciphered using a key that is known only to the intended recipient(s). The key is nothing but a very long prime number that is generated by the encryption algorithm or by a key management system.

Types of encryption

There are two main types of encryption, as follows:

  • Symmetric encryption uses a single key for both encryption and decryption. It is faster and more efficient than asymmetric encryption, but it requires the key to be securely shared between the sender and the recipient. The following diagram illustrates...

Hashing

Hashing is a mathematical process that converts input of arbitrary size into a fixed-size output, also known as a hash or digest.

Hashing algorithms are one-way functions, meaning that it is computationally infeasible to reverse engineer the original input data from the hash output. Additionally, even minor changes to the input data will result in significant changes to the hash.

The practical applications of hashing range from password storage to data integrity checks and digital signatures. For example, in the case of password storage, the database stores a hash of the password instead of the actual password. When a user attempts to log in, the password they enter is hashed and compared to the stored hash, and access is granted only if the two hashes match. An additional requirement is to add a salt and pepper to the input so that an attacker cannot recover the password from a precomputed table of hashes. Even though that is outside the scope of CRISC and this...
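The password-storage flow just described, as an added example that is not the book's own code: the database keeps a per-user salt plus the hash, a login attempt is re-hashed and compared in constant time, and the avalanche effect is shown by counting how many digest bits change for a one-character edit. SHA-256 from the Go standard library stands in for the hash function; the sample password is constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"math/bits"
)

// DifferingBits hashes two inputs with SHA-256 and counts how many of the 256 output bits
// differ; a sound hash flips roughly half of them for even a one-character change.
func DifferingBits(x, y []byte) int {
	a, b, n := sha256.Sum256(x), sha256.Sum256(y), 0
	for i := range a {
		n += bits.OnesCount8(a[i] ^ b[i])
	}
	return n
}

type StoredCredential struct { // what the database keeps instead of the password itself
	Salt []byte   // random per-user value, stored alongside the hash
	Hash [32]byte // SHA-256(salt || password)
}

// hashPassword prefixes the per-user salt so identical passwords hash differently and precomputed
// tables of hashes are useless. Production systems should use a deliberately slow password hash
// (bcrypt, scrypt, Argon2); plain SHA-256 keeps this example standard-library only.
func hashPassword(salt []byte, password string) [32]byte {
	return sha256.Sum256(append(append([]byte{}, salt...), password...))
}

// Enroll draws a random 16-byte salt and stores salt plus hash, never the password.
func Enroll(password string) (StoredCredential, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return StoredCredential{}, err
	}
	return StoredCredential{Salt: salt, Hash: hashPassword(salt, password)}, nil
}

// Verify hashes the login attempt with the stored salt and compares in constant time.
func Verify(c StoredCredential, attempt string) bool {
	h := hashPassword(c.Salt, attempt)
	return subtle.ConstantTimeCompare(h[:], c.Hash[:]) == 1
}

func main() {
	cred, _ := Enroll("correct horse battery staple") // constructed sample password
	fmt.Println(DifferingBits([]byte("transfer 100"), []byte("transfer 101")), Verify(cred, "correct horse battery staple"), Verify(cred, "wrong"))
}
```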

Digital signatures

Digital signatures provide the ability to verify the authenticity, integrity, and non-repudiation of electronic messages.

Important note

On their own, digital signatures do not provide confidentiality.

To create a digital signature, a sender uses a digital signature algorithm to generate a hash that is specific to the document or message. The sender then uses their private key to encrypt this value, creating the digital signature.

When the receiver receives the message, they use the sender’s public key to decrypt the digital signature and obtain the hash value. They then hash the original message and compare the resulting hash value with the decrypted hash value. If the message has not been tampered with, the two hashes match.

In addition to providing authentication and integrity, digital signatures also provide non-repudiation, which means that the sender cannot deny having sent the message because the digital signature...
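The sign-and-verify steps above, as an added example rather than the book's own code: the sender hashes the message and applies their private key to the hash, the receiver re-hashes and checks with the sender's public key, and both a tampered message and a signature made with someone else's key fail. RSA PKCS#1 v1.5 with SHA-256 from the Go standard library is used; the key pairs and messages are constructed, and the message travels in the clear, which is the "no confidentiality" point from the note above.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignedMessage carries the message in the clear next to its signature: signing gives
// authenticity, integrity and non-repudiation, but anyone can still read Message.
type SignedMessage struct {
	Message   []byte
	Signature []byte
}

// Sign follows the two steps in the text: hash the message, then apply the sender's
// private key to that hash (RSA PKCS#1 v1.5 signing, which also records which hash was used).
func Sign(priv *rsa.PrivateKey, msg []byte) (SignedMessage, error) {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return SignedMessage{Message: msg, Signature: sig}, err
}

// VerifyFrom is the receiver's side: hash the received message and check, with the claimed
// sender's public key, that the signature was made over that same hash. It fails if the
// message was changed after signing or if a different private key produced the signature.
func VerifyFrom(pub *rsa.PublicKey, sm SignedMessage) bool {
	digest := sha256.Sum256(sm.Message)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sm.Signature) == nil
}

func main() {
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)   // constructed sender key pair
	mallory, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed third party's key pair
	sm, _ := Sign(alice, []byte("Pay Bob 100"))
	fmt.Println("genuine:", VerifyFrom(&alice.PublicKey, sm))
	sm.Message = []byte("Pay Bob 900") // altered in transit: the hashes no longer match
	fmt.Println("tampered:", VerifyFrom(&alice.PublicKey, sm))
	forged, _ := Sign(mallory, []byte("Pay Bob 100")) // right text, wrong private key
	fmt.Println("forged:", VerifyFrom(&alice.PublicKey, forged))
}
```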

Certificates

With public key (asymmetric) encryption, data encrypted with a public key can be decrypted only by the holder of the corresponding private key. However, this on its own gives no confirmation of the identity of the person who owns the public key. To establish a link between public keys and specific owners, certificates are used with the aid of a trusted third party known as a certificate authority (CA). The CA confirms the identity of the owner using other methods and creates a certificate that the owner can present to prove that the public key belongs to them. By trusting this process, the receiver of a digitally signed message can use the public key in the certificate to confirm that the message was sent and signed by the claimed sender. Additionally, the recipient can use that public key to encrypt a response that only the certificate's owner can open.

These certificates can be issued by different CAs; imagine if each CA used its own format...

Public key infrastructure

A PKI is the overall implementation of certificates and CAs to establish, manage, distribute, and revoke digital certificates and public keys, which are used for authentication, encryption, and digital signatures. As the name suggests, a PKI relies on public key cryptography—that is, a pair of public and private keys.

There are many use cases for the implementation of a PKI; however, to understand it better, we’ll take the example of https, as follows:

  1. When you visit a website that has https in its URL, a PKI is used to secure the connection between your computer and the website. When you initiate a secure connection, your browser sends a request for the website’s digital certificate that contains its public key.
  2. The website responds with its digital certificate, and your browser uses the PKI to verify the certificate’s authenticity, making sure it was issued by a trusted CA and that it has not been revoked.
  3. Once...
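The CA-issued certificate from the previous section and the browser's verification step from the https walkthrough, as an added example that is not the book's or any project's code: a hypothetical root CA signs a server certificate for the constructed host name www.example.test, and the client accepts it only when it chains to a trusted CA and names the host being visited. Key pairs are generated on the fly with the Go standard library; certificate revocation, which the walkthrough also requires, is not part of x509.Verify and is noted in the comments.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue has the CA key sign tmpl, binding pub to the subject named in tmpl; a template used as its own parent gives a self-signed root.
func issue(tmpl, parent *x509.Certificate, pub any, caKey *ecdsa.PrivateKey) *x509.Certificate {
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey) // templates below are constructed valid
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// BuildChain creates a hypothetical root CA and a server certificate it issues for the
// constructed host name www.example.test; both key pairs are generated on the fly.
func BuildChain() (root, leaf *x509.Certificate) {
	now, day := time.Now(), 24*time.Hour
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	siteKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now, NotAfter: now.Add(day), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	root = issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	leaf = issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "www.example.test"},
		DNSNames: []string{"www.example.test"}, NotBefore: now, NotAfter: now.Add(day),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, root, &siteKey.PublicKey, caKey)
	return root, leaf
}

// BrowserCheck is step 2 of the https walkthrough: the certificate must chain to a CA in the trust store
// and name the host being visited. Revocation (CRL/OCSP) is a separate lookup that Verify does not do.
func BrowserCheck(leaf, trusted *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

func main() {
	root, leaf := BuildChain()
	fmt.Println("right host:", BrowserCheck(leaf, root, "www.example.test"))
	fmt.Println("wrong host:", BrowserCheck(leaf, root, "login.example.test"))
}
```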

Security awareness training

According to the Data Breach Investigations Report published by Verizon in 2022, “82% of breaches involved the human element. Whether it is the use of stolen credentials, phishing, misuse, or simply an error, people continue to play a very large role in incidents and breaches alike.” People, including insiders, pose a huge threat and the biggest risk of an incident or a breach. Therefore, it is imperative for organizations to prioritize training employees as much as protecting against external actors, and the best way to prevent internal threats is not by another tool or restriction on access but by continuously educating and upskilling employees in security-related matters.

Security awareness training is a critical component of any organization’s cybersecurity strategy. It is designed to educate employees on how to identify and mitigate potential security risks and threats and to promote a culture of security throughout the organization...

Principles of data privacy

Data privacy refers to the protection of the personal information of individuals or organizations from unauthorized access, use, or disclosure. Jurisdictions around the world have enacted data privacy laws, and it is important for the risk manager to understand the principles that guide data privacy. Laws such as the General Data Protection Regulation (GDPR), which applies to data stored anywhere in the European Union (EU), also set limits on transfers of EU citizens' data to other jurisdictions. The California Privacy Rights Act (CPRA) has a similar structure to GDPR but applies only to California residents, and many other state laws require companies to put as much emphasis on privacy as on security. The following are some key principles that are relevant to data privacy:

  • Consent: Organizations should obtain individual consent before collecting, using, or sharing personal information. Consent should be obtained through clear and...

Comparing data security and data privacy

More often than not, risk practitioners consider data privacy and data security to be the same concepts; however, they are not. As discussed in the previous section, data privacy refers to the protection of personal information, ensuring that individuals have control over who can access their data, how it is used, and who it is shared with. On the other hand, data security refers to the measures taken to protect data from unauthorized access, use, disclosure, destruction, or modification.

Measures to ensure data privacy could involve obtaining explicit consent from individuals prior to collecting and using their personal data, implementing policies for retaining data, deleting that data when not required, and enabling individuals to access and manage their data. Measures to ensure data security could involve the use of access control, implementing strong password requirements, encrypting data in transit and at rest, implementing firewalls...

Summary

In this chapter, we learned about the fundamentals of information security—that is, confidentiality (make the information known only to intended parties), availability (keep the information available at all times for authorized users), and integrity (prevent unauthorized users from modifying the information), also known as the CIA triad. We then learned about the principles of access management, known in their abbreviated form as IAAA. These principles are identification (all users should be identifiable), authentication (all users should authenticate using single-factor authentication (SFA) or, preferably, MFA), authorization (users should only be able to perform operations that they are authorized to do), and accountability (all user activity should be logged and monitored).

In the next few sections, we learned about encryption and the types of encryption—symmetric (uses a single key for encryption and decryption) and asymmetric (uses a public/private key...

Review questions

  1. Which of the following keys are required for asymmetric key encryption?
    1. Only the public key
    2. Only the private key
    3. Any public or private key
    4. Public key and private key pair
  2. Which of the following key(s) are required for symmetric key encryption?
    1. Public and private key
    2. A single key for encryption and decryption
    3. Only the public key and hash
    4. Only the private key and hash
  3. Integrity of information means that ___.
    1. The information is available to authorized users only
    2. The information is available at all times to authorized users
    3. The information has not been tampered with
    4. All of these
  4. Confidentiality of information means that ___.
    1. The information is available to authorized users only
    2. The information is available at all times to authorized users
    3. The information has not been tampered with
    4. All of these
  5. Availability of information means that ___.
    1. The information is available to authorized users only
    2. The information is available at all times to authorized users
    3. The information...

Answers

  1. D. Asymmetric encryption needs both a public key and a private key.
  2. B. Symmetric encryption needs only one key for encryption as well as decryption.
  3. C. Integrity means that information has not been tampered with at rest or in transit.
  4. A. Confidentiality means that the information is available to authorized users only.
  5. B. Availability means that the information is available at all times to authorized users.
  6. D. The accountability principle deals with the logging and monitoring of user activities.
  7. A. The identification principle requires all users to have a unique ID.
  8. B. The SOD principle requires that no user should have sole access to approve all transactions.
  9. D. All these options are true for hashing.
  10. D. Digital signatures on their own do not provide confidentiality.
  11. D. The sender should use their private key to encrypt the data so that the receiver(s) can use the sender’s public key to decrypt the data.
  12. A. The sender...