Encryption
Domain 5 — Protection of Information Assets
Definition
Encryption is the process of converting readable data (plaintext) into an unreadable format (ciphertext) using an algorithm and an encryption key. It protects data confidentiality at rest (stored data), in transit (network communication), and in use (processing). IS auditors evaluate encryption by reviewing key management practices, algorithm strength, encryption scope coverage, and compliance with regulatory requirements such as GDPR or PCI DSS.
Real-World Audit Scenario
During an audit of a healthcare provider, I discovered that patient records were encrypted at rest in the database but transmitted in plaintext between the web server and the database server over the internal network. The IT manager argued that "the internal network is trusted." I demonstrated that a simple ARP spoofing attack on the internal network could capture patient data in transit — including diagnoses, treatment codes, and insurance information. We recommended enabling TLS encryption for all internal database traffic.
Common Exam Trap
Encryption at rest without encryption in transit is incomplete coverage. The exam tests whether you understand that data must be protected at each point in its lifecycle (at rest, in transit, and in use), not just where it is stored. Also, weak key management (e.g., hardcoded keys, shared keys) can defeat even strong encryption algorithms.
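The two gaps above, an unencrypted internal hop and key material living in configuration, are exactly what an auditor looks for when reviewing a deployment's settings. The following checker is an added illustration written for this page, not code from the study material; it scans a constructed application config for PostgreSQL connection URLs whose sslmode does not enforce TLS and for key-like settings assigned a long literal value. The config keys, hostnames and key value are all made up for the example.

```python
"""Toy encryption-coverage checker for an audit walkthrough.

Added illustration only (not from the study page). It reviews a constructed
application config for two of the gaps described in the text:
  1. database traffic allowed in plaintext (in-transit coverage gap), and
  2. encryption keys hardcoded in configuration (key-management weakness).
"""
import re
from urllib.parse import parse_qs, urlsplit

# libpq's default sslmode is "prefer": the client silently falls back to
# plaintext if the server does not offer TLS, so only these modes guarantee
# that the connection is encrypted.
TLS_ENFORCING_MODES = {"require", "verify-ca", "verify-full"}

DB_URL_RE = re.compile(r"postgres(?:ql)?://[^\s'\"]+")

# Hypothetical config convention: a setting whose name contains KEY or SECRET
# and whose value is a long hex/base64-looking literal is treated as a
# hardcoded key. Real secret scanners use many more patterns than this.
HARDCODED_KEY_RE = re.compile(
    r"^\s*(?P<name>\w*(?:KEY|SECRET)\w*)\s*=\s*['\"]?"
    r"(?P<value>[A-Za-z0-9+/=]{16,})['\"]?\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def check_db_url(url: str) -> list[str]:
    """Return audit findings for one PostgreSQL connection URL."""
    findings: list[str] = []
    parts = urlsplit(url)
    if parts.scheme not in ("postgres", "postgresql"):
        return findings
    mode = parse_qs(parts.query).get("sslmode", [None])[0]
    host = parts.hostname
    if mode is None:
        findings.append(
            f"{host}: sslmode not set (libpq default 'prefer' permits plaintext fallback)"
        )
    elif mode not in TLS_ENFORCING_MODES:
        findings.append(f"{host}: sslmode={mode} does not enforce TLS")
    elif mode != "verify-full":
        # "require" and "verify-ca" encrypt the channel but do not check that
        # the certificate matches the host name being connected to.
        findings.append(
            f"{host}: sslmode={mode} encrypts but does not verify the server identity"
        )
    return findings


def audit_config(config_text: str) -> list[str]:
    """Collect in-transit and key-management findings for a whole config."""
    findings: list[str] = []
    for url in DB_URL_RE.findall(config_text):
        findings.extend(check_db_url(url))
    for match in HARDCODED_KEY_RE.finditer(config_text):
        findings.append(
            f"{match.group('name')}: key material appears hardcoded in config; "
            "source it from a KMS/HSM or secret store instead"
        )
    return findings


# Constructed sample config modelled on the scenario in the text: records are
# encrypted at rest, but the web tier reaches the database without TLS and the
# field-encryption key sits next to the connection strings.
SAMPLE_CONFIG = """
# constructed example, not a real deployment
PATIENT_DB_URL = "postgresql://app@db-internal.example.test:5432/ehr"
REPORTING_DB_URL = "postgresql://ro@reports.example.test:5432/ehr?sslmode=verify-full"
BILLING_DB_URL = "postgresql://app@billing.example.test:5432/claims?sslmode=disable"
AT_REST_ENCRYPTION = "enabled"
FIELD_ENCRYPTION_KEY = "3f9a1c77e2b04d5f8a6c0e1b2d3c4f5a"
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the sample config, the checker reports three findings: the patient database URL with no sslmode at all, the billing URL that explicitly disables TLS, and the field-encryption key stored as a literal. The reporting URL with `sslmode=verify-full` passes. The point for the exam is the shape of the review, not the regexes: coverage is checked per data flow, and key handling is checked separately from algorithm choice.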