Episode 74: Mobile, Wireless, and IoT Device Security
Welcome to The Bare Metal Cyber CISA Prepcast. This series helps you prepare for the exam with focused explanations and practical context.
Encryption is one of the most important tools available for protecting sensitive information. It transforms readable data into an unreadable format unless the correct key is used to decrypt it. By doing so, encryption safeguards data confidentiality, whether the data is stored, transmitted, or being used by an authorized process. It acts as a critical last line of defense in case all other controls fail. Even if attackers gain access to the data, properly implemented encryption renders it useless to them. Encryption is also essential for meeting the requirements of data protection regulations such as the General Data Protection Regulation, the Health Insurance Portability and Accountability Act, and the Payment Card Industry Data Security Standard. These laws mandate the use of encryption in specific contexts and expect auditors to evaluate its effectiveness. On the CISA exam, candidates should expect questions that test both conceptual understanding and practical application of encryption across systems, environments, and use cases.
There are several types of encryption used in information systems, and each serves a different purpose. Symmetric encryption uses the same key for both encryption and decryption. This method is fast and commonly used to encrypt large volumes of data. A well-known symmetric algorithm is the Advanced Encryption Standard. Asymmetric encryption, by contrast, uses a public key to encrypt data and a private key to decrypt it. This method is slower but allows for secure communications between parties without sharing a secret key. It forms the foundation of technologies such as email encryption and digital signatures. Hashing is a one-way function that transforms data into a fixed-length value. It is used for verifying integrity, not for encryption in the traditional sense. Hashes cannot be reversed to recover the input, but matching hashes of two data inputs confirm that they are the same. Hybrid encryption combines symmetric and asymmetric methods to balance performance and security: a symmetric key encrypts the bulk of the data, and asymmetric encryption protects only that key. For CISA candidates, it is important to know the strengths, limitations, and use cases for each approach.
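As an added example that is not part of this episode, the hybrid model described above written in Go with only the standard library: a random AES-256 data key protects the bulk message and RSA-OAEP wraps just that key. The RSA-2048 key pair (demoKey), the sample message and all function names are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// newGCM builds the AES-256-GCM AEAD for the bulk step; a 32-byte key cannot make either constructor fail.
func newGCM(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}
// Seal is hybrid encryption: a fresh random AES-256 data key encrypts the message (fast, symmetric)
// and only that 32-byte key is wrapped with RSA-OAEP (slow, asymmetric). blob = nonce||ciphertext||tag.
func Seal(pub *rsa.PublicKey, plaintext []byte) (wrappedKey, blob []byte, err error) {
	buf := make([]byte, 32+12) // 32-byte AES key followed by a 12-byte GCM nonce
	if _, err = rand.Read(buf); err != nil {
		return nil, nil, err
	}
	dataKey, nonce := buf[:32], buf[32:]
	if wrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, nil); err != nil {
		return nil, nil, err
	}
	return wrappedKey, newGCM(dataKey).Seal(nonce, nonce, plaintext, nil), nil
}

// Open unwraps the data key with the private key, then decrypts; GCM rejects any tampered blob.
func Open(priv *rsa.PrivateKey, wrappedKey, blob []byte) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrappedKey, nil)
	if err != nil || len(dataKey) != 32 || len(blob) < 12 {
		return nil, fmt.Errorf("cannot unwrap data key or blob malformed: %v", err)
	}
	return newGCM(dataKey).Open(nil, blob[:12], blob[12:], nil)
}

// demoKey stands in for the recipient's pair; in production the private half lives in an HSM or KMS.
func demoKey() *rsa.PrivateKey {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // cannot fail for a valid size with crypto/rand
	return priv
}
func main() {
	priv := demoKey()
	wk, blob, _ := Seal(&priv.PublicKey, []byte("constructed sample record")) // constructed input
	fmt.Println(Open(priv, wk, blob)) // prints the recovered plaintext bytes and <nil>
}
```

Only the short data key goes through the slow RSA operation, so the size of the message never affects the asymmetric step.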
When protecting data at rest, encryption is applied to storage media, databases, and file systems. This protects against unauthorized access if a device is lost, stolen, or accessed outside of normal controls. Full-disk encryption encrypts the entire storage device, often using built-in tools such as BitLocker for Windows or FileVault for Mac systems. File-level encryption applies protection to specific files or folders and is useful in shared environments. Database-level encryption protects structured records and is especially important in systems that store personally identifiable or financial information. Backup media should also be encrypted, especially if it is transported or stored offsite. However, encryption alone is not enough. Keys must be properly managed to prevent exposure. CISA scenarios may involve stolen devices, misplaced backup tapes, or cloud storage that is not encrypted. Candidates must evaluate whether data at rest is encrypted, whether the methods used are appropriate, and whether the controls extend to all storage locations.
Data in transit requires protection as it moves between users, systems, and services. Without encryption, this data can be intercepted and read by unauthorized parties using techniques like packet sniffing or man-in-the-middle attacks. Secure protocols must be used to prevent this. Examples include HTTPS, which uses Transport Layer Security to encrypt web traffic; IPsec for encrypting data at the network layer; and SFTP or SSH for secure file transfers and remote administration. Certificate management is a critical part of securing data in transit, as certificates help verify the identity of communicating parties. Weak, expired, or self-signed certificates introduce risk and may allow attackers to impersonate trusted systems. Auditors review network configurations to ensure insecure protocols such as FTP or Telnet are disabled, and they check whether traffic is encrypted during transmission. On the exam, you may be asked to identify secure versus insecure transmission methods and evaluate whether encryption protocols are being properly enforced.
Key management is an essential part of any encryption strategy. Encryption is only as effective as the protections around the keys themselves. If an attacker gains access to the encryption key, the data can be decrypted regardless of how strong the algorithm is. Keys must be stored separately from the data they protect, and key access must be tightly controlled. Many organizations use hardware security modules to store and manage keys securely. Others use cloud-based key management services that integrate with cloud platforms and enforce policy-based access controls. Key rotation is another important best practice. Keys should be changed periodically to limit exposure and prevent reuse. All key access and changes must be logged, and organizations should implement policies to define key lifecycles and destruction procedures. CISA exam questions may involve assessing risks around key storage, the separation of duties in key management, or whether key changes are being monitored and logged appropriately.
Public key infrastructure supports many of the most common applications of encryption. PKI enables digital certificates, which verify the identities of users, systems, and services. These certificates are issued by certificate authorities and are used to secure web sessions, sign emails, and establish encrypted connections. The infrastructure also includes registration authorities that validate the identity of certificate requesters and repositories where certificates and revocation lists are stored. Properly functioning PKI ensures that trust chains are established and verified during encryption processes. If certificates are expired, misconfigured, or revoked, the encryption may not function properly and trust may be broken. Auditors must review certificate management practices, including monitoring for expiration, handling of revocations, and validation of certificate authority trust settings. On the CISA exam, be prepared to assess how PKI is used in an organization, and whether certificate lifecycles are properly managed to support secure communication and identity validation.
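As an added example that is not from the episode, the certificate lifecycle checks described above in Go's crypto/x509: a constructed private root CA issues a 90-day server certificate, and Validate performs the trust-chain, hostname and validity-window checks a client should perform. The CA name, the host app.example.internal, the lifetimes and all function names are invented for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with priv (the parent's key) and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub, priv any) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		panic(err) // templates are fixed here, so only a programming error reaches this
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}
// DemoChain builds a constructed private root CA (10 years) and a 90-day server certificate it issues.
func DemoChain(now time.Time) (ca, leaf *x509.Certificate) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader) // the leaf's private key is not needed here
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Internal Root CA"},
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca = issue(caTmpl, caTmpl, caPub, caKey) // parent == template makes the root self-signed
	leaf = issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "app.example.internal"},
		DNSNames: []string{"app.example.internal"}, NotBefore: now, NotAfter: now.AddDate(0, 0, 90),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, leafPub, caKey) // signed by the CA's private key
	return ca, leaf
}
// Validate: the chain must end at a trusted root, the name must match, and at must be inside the validity window.
func Validate(leaf, root *x509.Certificate, host string, at time.Time) error {
	pool := x509.NewCertPool() // empty pool, not nil: nil would fall back to the system roots
	if root != nil {
		pool.AddCert(root)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, CurrentTime: at})
	return err
}
func main() {
	now := time.Now()
	ca, leaf := DemoChain(now)
	fmt.Println(Validate(leaf, ca, "app.example.internal", now))                    // <nil>
	fmt.Println(Validate(leaf, ca, "app.example.internal", now.AddDate(0, 0, 91))) // expired
	fmt.Println(Validate(leaf, nil, "app.example.internal", now))                   // unknown authority
}
```

The third call is the self-signed or untrusted-issuer case the episode warns about: without the root in the trust store the chain cannot be established, however valid the certificate otherwise looks.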
Encryption policy and governance are essential to ensure that encryption practices are consistent, enforceable, and aligned with legal requirements. A formal policy must define what types of data must be encrypted, under which conditions, and using which algorithms or tools. It should specify minimum key lengths, approved vendors, and use of strong, tested encryption methods. The policy should cover mobile devices, backups, removable media, and cloud services. Policies must be mapped to the results of risk assessments and to applicable regulatory requirements. If encryption is required under GDPR or HIPAA, the policy must explicitly enforce those conditions and be auditable. Training must also be provided to ensure that staff understand how to comply with encryption policies, especially in departments that handle sensitive data. Auditors examine whether the policy is clearly documented, whether it aligns with implementation, and whether enforcement is consistent across the organization. The CISA exam may include scenarios where policies exist but are not enforced or do not reflect current risks.
Encryption in cloud and hybrid environments requires special attention due to the complexity of data flow and shared responsibility. Cloud providers often offer native encryption options, but organizations must verify whether those features are enabled and configured correctly. Some organizations use customer-managed keys or bring-your-own-key models to retain control over their encryption processes. Encryption must be applied to all data stored in the cloud, whether structured or unstructured, and to data transfers between cloud applications or between cloud and on-premises systems. Virtual machines and cloud-based storage drives must also be encrypted. Auditors assess whether encryption is applied consistently in cloud environments, whether key management is integrated, and whether contractual obligations include encryption requirements. CISA exam scenarios may involve evaluating cloud encryption policies, misconfigured security settings, or third-party platforms that do not meet organizational standards.
Despite its strength, encryption is not a perfect or universal control. It does not protect against all types of attacks. For example, it cannot stop ransomware from encrypting data and demanding payment. It does not prevent data from being deleted, nor does it block legitimate users from misusing their access. If the encryption key is stolen, the protection is effectively removed. Encryption can also introduce performance overhead, complexity in application design, and delays in system startup or recovery. These challenges sometimes lead to inconsistent implementation or the use of weak shortcuts, such as using short key lengths, reusing keys across environments, or allowing self-signed certificates. Auditors must be vigilant for these signs of poor implementation. The CISA exam may test your understanding of encryption limitations, including gaps in coverage, key mismanagement, or policy enforcement failures. Knowing what encryption cannot do is just as important as knowing what it can.
For the CISA candidate, encryption is a high-priority topic that connects directly to data confidentiality, regulatory compliance, and audit readiness. You must be able to evaluate where encryption is applied, whether it protects data at rest, in transit, and in use, and how it is governed. Expect questions that involve assessing whether key management is secure, identifying expired certificates, or determining whether policies reflect actual practice. You will also be expected to know the appropriate encryption types for specific use cases and to recognize when encryption is poorly implemented or misaligned with the risk profile. Encryption only delivers value when it is deployed correctly, supported by governance, and monitored continuously. Auditors play a central role in ensuring that encryption truly protects what matters most—an organization’s sensitive data.
Thanks for joining us for this episode of The Bare Metal Cyber CISA Prepcast. For more episodes, tools, and study support, visit us at Baremetalcyber.com.
