UnixTime

Research Note

EXAM-037 - Use of Cryptography

- Assuming encryption alone satisfies the control. - Ignoring key lifecycle management. - Treating public keys and certificates as needing no integrity protection. - Selecting s...

On this page

Memory cue

Last-day cue

A.8.24 = define crypto rules and manage keys. Encryption without key management is not enough.

What the exam is likely testing

Topic Exam cue
Cryptographic policy Defines when and how crypto is used
Risk traceability Crypto choices should match confidentiality, integrity, authenticity, and non-repudiation needs
Approved algorithms Use industry-standard methods, not home-grown crypto
Key management Full lifecycle: generation, storage, distribution, rotation, revocation, destruction
Legal issues Crypto may be affected by laws, contracts, jurisdictions, or digital signature rules
Escrow/recovery Must be controlled, authorized, and protected from abuse

Common wrong answers

  • Assuming encryption alone satisfies the control.
  • Ignoring key lifecycle management.
  • Treating public keys and certificates as needing no integrity protection.
  • Selecting stronger crypto without considering performance or operational impact.
  • Accepting custom algorithms because they are secret.