What is the concept of the measures used to ensure the protection of the secrecy of data objects or resources?
Figure 1 – CIA Triad models the balance between confidentiality, integrity, and availability

Confidentiality, in InfoSec, is the protection of information from unauthorized people and processes. It’s one of the three pillars of InfoSec’s CIA triad, along with integrity and availability. Ensuring confidentiality means taking adequate measures to ensure the protection of the secrecy of data objects, or resources. Note that it does not mean taking every measure to ensure secrecy, but enough measures. There are always relative cost and other considerations to factor into any approach. Adequate measures are those that strike the right balance for your system between the need for confidentiality, the competing needs for both availability and integrity, and the overall need for affordability.

Sensitivity, Criticality, and Classification

Authenticate, Authorize, Access

Authorization, Authentication, and Access

Two goals, not one

Prevent and minimize with layers
The more controls you implement which are apparent to the thief, the more likely he will be to consider other less secure houses instead of yours. It’s more trouble for him, and consumes more time, to overcome numerous layers to gain entry. Now think about minimizing the harm a thief might cause if he gains entry. How can you use the same concept of layers to minimize the risk to your family, and your valuables, should a thief gain access to your house? You might consider the following:
The more layers you can afford to add to your home security system that address both prevention and minimization, the more likely you are not only to prevent a robbery, but also to minimize damage, harm, or loss should a robbery occur.

When securing confidential data in an information system, some of the concepts and goals of layered security are similar to home security. Most information systems employ a firewall to establish a secure exterior boundary that prevents intrusion into the network from the internet. It’s now recommended practice to segment your internal network subsystems where possible and affordable by installing interior firewall devices, ideally of a different vendor or model than the exterior one. This layering is meant to shield each area of your network from an intruder who has gained access to another area. If the intruder got in through a vulnerability in a particular vendor’s device, the next device, being a different make or model, helps limit the extent of the damage.

Control Domains: Physical, Technical, Administrative

Three states of data
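The exterior/interior firewall layering described in the segmentation paragraph above, as an added example that is not from the original article: a first-match, default-deny policy evaluator in Python with an exterior firewall from one vendor and an interior firewall from another. The segments, addresses, ports and vendor names are constructed assumptions. It shows that a flow must be allowed by every layer on its path, that a compromised web host is confined to the one database port the interior layer permits, and that a flaw in one vendor's product (modelled as that vendor's firewall passing traffic unchecked) does not by itself open the data tier unless both layers share the flaw.

```python
"""Layered network segmentation modelled as two first-match firewall rulesets.

Added example, not from the original article. Segments, addresses, vendors and
rules are constructed for illustration; the policy is deliberately small.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src: str             # source CIDR
    dst: str             # destination CIDR
    port: Optional[int]  # None matches any destination port
    action: str          # "allow" or "deny"

    def matches(self, src: str, dst: str, port: int) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.port is None or self.port == port))


class Firewall:
    """First-match ruleset with an implicit default deny at the end."""

    def __init__(self, name: str, vendor: str, rules: list):
        self.name, self.vendor, self.rules = name, vendor, rules

    def decide(self, src: str, dst: str, port: int) -> str:
        for rule in self.rules:
            if rule.matches(src, dst, port):
                return rule.action
        return "deny"  # nothing matched: default deny


# Constructed segments and hosts (assumptions, not from the article)
INTERNET = "0.0.0.0/0"
DMZ = "10.1.0.0/24"       # web tier, reachable from the internet
INTERNAL = "10.2.0.0/24"  # data tier, never reachable from the internet directly
WEB = "10.1.0.10"
DB = "10.2.0.20"

# Exterior layer: only public HTTPS to the web server is allowed in.
EXTERIOR = Firewall("exterior", "VendorA", [Rule(INTERNET, WEB, 443, "allow")])
# Interior layer from a different vendor: the web tier may reach the database
# on its service port only, so a compromised web host cannot roam the data tier.
INTERIOR = Firewall("interior", "VendorB", [Rule(DMZ, DB, 5432, "allow")])


def segment(addr: str) -> str:
    """Classify an address into the segment it lives in."""
    if ip_address(addr) in ip_network(DMZ):
        return "dmz"
    if ip_address(addr) in ip_network(INTERNAL):
        return "internal"
    return "internet"


# Which layers a flow crosses, in order, by (source segment, destination segment).
# Directions not listed (for example internal -> internet) are simply not permitted.
LAYERS = {
    ("internet", "dmz"): [EXTERIOR],
    ("internet", "internal"): [EXTERIOR, INTERIOR],
    ("dmz", "internal"): [INTERIOR],
}


def permitted(src: str, dst: str, port: int, bypassed_vendors=frozenset()) -> bool:
    """True only if every layer on the path allows the flow.

    `bypassed_vendors` models a vulnerability in one vendor's product: every
    firewall from that vendor is treated as if it passed the flow unchecked.
    """
    layers = LAYERS.get((segment(src), segment(dst)))
    if layers is None:
        return False
    return all(fw.vendor in bypassed_vendors or fw.decide(src, dst, port) == "allow"
               for fw in layers)


if __name__ == "__main__":
    external = "203.0.113.5"  # constructed external address
    print(permitted(external, WEB, 443))                          # True: the public service
    print(permitted(external, DB, 5432))                          # False: exterior blocks it
    print(permitted(WEB, DB, 22))                                 # False: interior confines the web host
    print(permitted(external, DB, 5432, {"VendorA"}))             # False: the interior layer still holds
    print(permitted(external, DB, 5432, {"VendorA", "VendorB"}))  # True: the same flaw in both layers voids both
```

The last two calls are the point of the vendor-diversity advice: with a single shared flaw, both layers fall at once, whereas with different products the interior layer still limits what an intruder who got past the exterior can reach.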
The plan needs to implement adequate controls for preventing unauthorized access, use, and disclosure for each state. Further, it should enumerate controls across three domains.
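A gap analysis of such a plan, as an added example that is not from the original article: each control is tagged with its domain and the states of data it protects, and the matrix of states × domains is checked for empty cells and for a domain with no controls at all. The article only names the heading "Three states of data"; the example assumes the usual taxonomy of at rest, in transit and in use, and the control inventory is constructed.

```python
"""Gap analysis of a confidentiality control plan across the three states of
data and the three control domains.

Added example, not from the original article. The article names the heading
"Three states of data" only; the usual taxonomy (at rest, in transit, in use)
is assumed here. The control inventory below is constructed for illustration.
"""
from collections import Counter

STATES = ("at rest", "in transit", "in use")
DOMAINS = ("physical", "technical", "administrative")

# Constructed inventory: each control belongs to one domain and protects one
# or more states of data.
CONTROLS = [
    {"name": "Full-disk encryption on laptops", "domain": "technical",
     "states": {"at rest"}},
    {"name": "TLS 1.2+ required on every service endpoint", "domain": "technical",
     "states": {"in transit"}},
    {"name": "Badge-controlled server room", "domain": "physical",
     "states": {"at rest", "in use"}},
    {"name": "Clean-desk and screen-lock policy", "domain": "administrative",
     "states": {"in use"}},
    {"name": "Data classification and handling standard", "domain": "administrative",
     "states": {"at rest", "in transit", "in use"}},
]


def coverage(controls):
    """Map every (state, domain) cell to the names of the controls covering it."""
    matrix = {(s, d): [] for s in STATES for d in DOMAINS}
    for c in controls:
        if c["domain"] not in DOMAINS:
            raise ValueError(f"unknown domain {c['domain']!r} in {c['name']!r}")
        unknown = c["states"] - set(STATES)
        if unknown:
            raise ValueError(f"unknown state(s) {sorted(unknown)} in {c['name']!r}")
        for s in c["states"]:
            matrix[(s, c["domain"])].append(c["name"])
    return matrix


def gaps(controls):
    """(state, domain) cells with no control at all, sorted for stable output."""
    return sorted(cell for cell, names in coverage(controls).items() if not names)


def cells_covered_per_domain(controls):
    """How many of the three states each domain covers; 0 means the domain was ignored."""
    counts = Counter()
    for (state, domain), names in coverage(controls).items():
        if names:
            counts[domain] += 1
    return {d: counts[d] for d in DOMAINS}


def ignored_domains(controls):
    """Domains with no control in any state: the weak link that undermines the other two."""
    return [d for d, n in cells_covered_per_domain(controls).items() if n == 0]


if __name__ == "__main__":
    for state, domain in gaps(CONTROLS):
        print(f"GAP: no {domain} control for data {state}")
    print(cells_covered_per_domain(CONTROLS))
    # Dropping every physical control reproduces the ignored-domain case.
    print(ignored_domains([c for c in CONTROLS if c["domain"] != "physical"]))
```

On the constructed inventory the report flags two empty cells (no physical control for data in transit, no technical control for data in use); removing the physical controls altogether shows the case where an entire domain is missing, which the state-by-state view alone would not make obvious.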
These three domains are used explicitly in some data security control frameworks, including the HIPAA/HITECH legislation governing protected health information. In other frameworks they are referenced implicitly. It’s important to keep each in mind to ensure the controls you implement are thorough and robust. These domains are interdependent: if you invest in one or two of them yet ignore the third, your efforts and expense in the other two are at high risk of being wasted by a simple exploit in the domain you ignored.

There are a number of Data Security Frameworks
These frameworks all separate controls into categories, and provide methodologies and parameters for a robust and thorough data security plan for your organization. The controls they provide are a roadmap to ensure you don’t forget an area or concept that would leave your data too easily exploited. Investigate these or others and choose the framework(s) that make the most sense for your system and industry. Becoming intimately familiar with a framework gives you both a language and an organization to guide your analysis and discussion, which helps you find solutions, get good advice, and adopt best practices from colleagues and experts more rapidly. Most of these frameworks also provide ample opportunities for both training and certification.

Each control in a framework that is implemented can be considered another layer of defense for protecting the confidentiality of data. You must always balance the affordability of your approach to data security against the number and feasibility of the controls and your ability to maintain them. You must also recognize that as the pool of authorized individuals grows, and the more readily available you want confidential data to be, the more your security features, components, and considerations will multiply. This increases both complexity and cost.

What security measure is used to ensure confidentiality?
Data encryption is a common method of ensuring confidentiality. User IDs and passwords constitute a standard procedure; two-factor authentication is becoming the norm. Other options include biometric verification and security tokens, key fobs or soft tokens.
Which information security concept ensures that information is accurate and can only be changed by authorised users?
A system's ability to ensure that only the correct, authorized user/system/resource can view, access, change, or otherwise use data.

What are the 3 main protection goals in information security?
The CIA triad refers to an information security model made up of the three main components: confidentiality, integrity and availability. Each component represents a fundamental objective of information security.

What are 3 security controls that you can use to protect the confidentiality and availability of information?
There are three main types of IT security controls, including technical, administrative, and physical.