Confidentiality, privacy, encryption, DLP, and privacy-law obligations.

This chapter separates confidentiality from privacy and explains the controls that support each objective. ISC questions here often depend on knowing whether the issue is unauthorized access, inappropriate use, or failure to comply with privacy obligations.

The best control depends on what is being protected and why. Encryption, key management, data loss prevention (DLP), privacy notice, consent, access restriction, and breach response address different risks even when the same data set is involved.

| Control issue | What to decide first | Common ISC trap |
|---|---|---|
| Confidentiality vs. privacy | Whether the risk is unauthorized access or improper collection, use, retention, or disclosure. | Treating privacy as just another word for secrecy. |
| Encryption and keys | Whether data needs protection at rest, in transit, or during processing and who controls keys. | Encrypting data but leaving key management weak. |
| DLP | Whether sensitive data can leave approved channels or locations. | Relying on DLP without classification and monitoring. |
| Privacy law | Which jurisdictional or sector rule creates the obligation. | Applying one privacy framework to every data subject and use case. |

| Step | ISC question to ask | Control implication |
|---|---|---|
| 1. Classify the data | Is the data confidential, personal, regulated, proprietary, or public? | Protection requirements begin with data sensitivity and obligation. |
| 2. Identify the risk event | Is the concern unauthorized access, improper use, excessive retention, disclosure, or breach response? | Confidentiality and privacy controls solve different problems. |
| 3. Select the protection layer | Should the response use access restriction, encryption, key management, masking, DLP, or monitoring? | Controls should match the data state and risk path. |
| 4. Map legal and policy obligations | Which law, contract, policy, consent, or notice requirement governs the data use? | Privacy obligations often depend on jurisdiction and purpose. |
| 5. Verify evidence and response | What logs, reviews, incident records, or compliance documentation prove the control worked? | ISC questions often ask whether the control is supported by evidence, not just designed. |

| Checkpoint | Ask before selecting a control | Control effect |
|---|---|---|
| Data classification | Is the data personal, confidential, regulated, proprietary, public, or a mixed data set? | Classification determines protection and compliance obligations. |
| Risk type | Is the concern unauthorized access, unauthorized use, excessive retention, disclosure, breach, or consent failure? | Privacy and confidentiality risks require different responses. |
| Data state | Is the data at rest, in transit, in use, exported, archived, or shared with a third party? | Encryption, DLP, masking, and monitoring depend on where the data is exposed. |
| Key and access control | Who can decrypt, administer, export, approve, or override protection? | Encryption is weak if keys and privileged access are poorly governed. |
| Legal evidence | What notice, consent, log, review, incident record, or retention proof supports compliance? | Privacy control conclusions need evidence tied to the applicable obligation. |