- Confidentiality, is the protection of personal information. Confidentiality means keeping a client’s information between you and the client, and not telling others including co-workers, friends, family, etc.
- Restricting access to data
- Protecting against unauthorized disclosure of existence of data
- g., allowing industrial spy to deduce nature of clientele by looking at directory names
- Protecting against unauthorized disclosure of details of data
- g., allowing 13-yr old girl to examine HIV+ records in Florida clinic
- Possession or Control, is the control a person intentionally exercises toward a thing. In all cases, to possess something, a person must have an intention to possess it.
Selecting proper controls and implementing those will initially help an organization to bring down risk to acceptable levels. Control selection should follow and should be based on the risk assessment. Controls can vary in nature but fundamentally they are ways of protecting the confidentiality, integrity or availability of information.
- Control over information
- Preventing physical contact with data
- g., case of thief who recorded ATM PINs by radio (but never looked at them)
- Preventing copying or unauthorized use of intellectual property
- g., violations by software pirates
- Confidentiality and Possession Losses
- Observing, monitoring, and acquiring
- Taking or controlling
- Claiming ownership or custodianship
- Exposing to all of the other losses
- Endangering by exposing to any of the other losses
- Failure to engage in or to allow any of the other losses to occur when instructed to do so
- Integrity, is a concept of consistency of actions, values, methods, measures, principles, expectations, and morals. Integrity is a personal choice, an uncompromising and predictably consistent commitment to honor moral, ethical, spiritual and artistic values and principles.
In information security, data integrity means maintaining and assuring the accuracy and consistency of data over its entire life-cycle. This means that data cannot be modified in an unauthorized or undetected manner. This is not the same thing as referential integrity in databases, although it can be viewed as a special case of consistency as understood in the classic ACID model of transaction processing. Integrity is violated when a message is actively modified in transit. Information security systems typically provide message integrity in addition to data confidentiality.
Internal consistency, validity, fitness for use
- Avoiding physical corruption
- g., database pointers trashed or data garbled
- Avoiding logical corruption
- g., inconsistencies between order header total sale & sum of costs of details
- Authenticity, is an integral component of information security. In the field of information security, as well as in the fields of e-Business and computing, it is of great importance to ensure the genuineness of physical or electronic documents, communications, transactions, and data.
In computing, e-Business, and information security, it is necessary to ensure that the data, transactions, communications or documents (electronic or physical) are genuine. It is also important for authenticity to validate that both parties involved are who they claim to be. Some information security systems incorporate authentication features such as “digital signatures”, which give evidence that the message data is genuine and was sent by someone possessing the proper signing key.
- Correspondence to intended meaning
- Avoiding nonsense
- g., part number field actually contains cost
- Avoiding fraud
- g., sender’s name on e-mail is changed to someone else’s
- Integrity & Authenticity Losses
- Insertion, use, or production of false or unacceptable data
- Modification, replacement, removal, appending, aggregating, separating, or reordering
- Repudiation (rejecting as untrue)
- Misuse or failure to use as required
Availability refers, unsurprisingly, to the availability of information resources. An information system that is not available when you need it is almost as bad as none at all. It may be much worse, depending on how reliant the organization has become on a functioning computer and communications infrastructure.
Ensuring that information systems and the necessary data are available for use when they are needed. Traditionally, computer systems were made available for staff use by the IT department in the early morning, and then closed down again by the IT staff before running their ‘End of Day’ routines. Availability was thus the poor relation of Confidentiality and Integrity in security terms. However the extension of the working day (for example because of trading with different time zones) and the growth of 24×7 systems, associated with e.g. web sites, Internet (on-line) trading, cash point machines, coupled with the threats of viruses and intrusions means that availability has become a much more important element of Information Security work.
For any information system to serve its purpose, the information must be available when it is needed. This means that the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly. High availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades. Ensuring availability also involves preventing denial-of-service attacks, such as a flood of incoming messages to the target system essentially forcing it to shut down.
Timely access to data
- Avoid delays
- g., prevent system crashes & arrange for recovery plans
- Denial-of-service (DoS) attacks can be ruinous
- High-volume commercial sites can lose $M
- Avoid inconvenience
- g., prevent mislabeling of files
A specialised program designed for more technical users as a tool, or set of tools, for checking the system, housekeeping, monitoring system health/status, repairing files, etc. Access to utility programs by non-technical users should be restricted.
Usefulness for specific purposes
- Avoid conversion to less useful form
- g., replacing dollar amounts by foreign currency equivalent
- Prevent impenetrable coding
- g., employee encrypts source code and “forgets” decryption key.