Confidentiality, Privacy, Encryption, and Disclosure Controls

This chapter separates confidentiality from privacy and explains the controls that support each objective. ISC questions here often depend on knowing whether the issue is unauthorized access, inappropriate use, or failure to comply with privacy obligations.

In This Chapter

• Distinctions Between Confidentiality and Privacy defines two related but separate control objectives.
• Encryption Techniques and Key Management covers the protection of data through cryptographic controls.
• Data Loss Prevention (DLP) Tools and Strategies explains how organizations try to stop inappropriate disclosure.
• Privacy Laws and Rules (HIPAA, GDPR, Other Jurisdictional Mandates) surveys major external privacy requirements.

How to Use This Chapter

• Read this chapter when confidentiality and privacy are being treated as interchangeable.
• Focus on what is being protected, from whom, and under which rule or obligation.
• Revisit it whenever an ISC question asks which control best addresses data misuse or disclosure risk.

In this section

• How Confidentiality Differs from Privacy in Control Design
  How confidentiality differs from privacy in control design.
• Encryption Methods, Key Management, and Data Protection
  Encryption methods, key management, and data protection.
• Data Loss Prevention Tools, Rules, and Response Strategies
  Data loss prevention tools, rules, and response strategies.
• Privacy Laws, HIPAA, GDPR, and Jurisdictional Obligations
  Privacy laws, HIPAA, GDPR, and jurisdictional obligations.