Confidentiality, Integrity, Availability.
These three terms represent the core principles of any effective information security program. Although they are often used interchangeably because their concepts and areas of focus are tightly integrated, each facet calls for different controls when it comes to implementation.
Information security practices are ever evolving in response to a dynamic threat landscape. As such, your IT staff is bombarded from many directions and must remain agile and informed in order to respond effectively to these challenges. The pressure comes from internal policy, regulatory requirements, and, not to be forgotten, external hackers looking to do you harm.
Keeping your data, or your client’s data, confidential means preventing it from being accessed by or exposed to unauthorized individuals. There are many ways data can be kept from prying eyes or innocent bystanders.
Access controls, password protection, and encryption are just three ways to help protect the data. Many states have passed strict privacy laws requiring data confidentiality. Technologies such as full disk encryption for laptops and encrypting backups going off site are seen as mandatory in every business that has this data.
Your staff may not have confidential data on those laptops, but a lost laptop still exposes the passwords cached on it, and the brand damage from the perception of the loss itself may be worse than the loss of the data.
Data integrity applies to any piece of data that is considered an authoritative source and/or is used for decision-making purposes. When data has integrity, there is assurance that unauthorized, malicious, or accidental modifications have not been made to it.
For example, an employee relies on a spreadsheet of receivables; if the spreadsheet has integrity, that employee can be confident the data has not been modified by anyone outside of those with the job responsibility to do so. Likewise, when emails are sent with digital signatures, the one just received from the CEO/President of the company telling everyone they can have Friday off can be verified as legitimate.
Finally, data availability ensures the right people have access to the right data when they need it. Following the same spreadsheet example as above, this means that the spreadsheet file is available when needed. If the current copy of the file becomes corrupt or is accidentally deleted, availability controls ensure that a backup copy can be quickly accessed or restored.
Important data should always have a backup, as hardware will eventually fail. Redundancy, and the level of redundancy you build in, depends on the importance of the data and the cost benefit (money spent vs. value) of protecting it. Highly available, geographically dispersed, or clustered architectures may be too little or too much to spend on data availability depending on your business.
Examples of Common IT Security Controls
Information security is a never-ending cycle, but a false sense of security can be devastating to an organization. You need to have assurance that the controls you have in place will protect your most valuable assets and keep you from reputational, regulatory or financial harm.
Often management assumes that a vendor’s product implementation is secure, that all systems are fully patched, or that anti-virus is working 100%, but never puts those assumptions to the test. Vulnerabilities are constantly discovered, and exploits are usually not far behind. You, your IT staff, or your outsourced IT provider must be vigilant and test your controls often.
IT Controls are an integral part of an effective information security program. Build a culture of “trust but verify”. No harm has ever come from efforts validating your controls. Depending on the business, it may even be required to have an independent party review those controls on a regular basis.
Michael W. Hammond, CISA, CRISC, CISSP, is Director, IT Audit Services for O’Connor & Drew P.C. (www.ocd.com), a full-service accountancy based in Braintree, MA. He has twenty years of extensive Information Technology expertise in various disciplines, including operations, control design, and testing. In addition to general IT control design and testing Michael’s work includes SOX and MA 201 testing, vulnerability assessment and penetration testing. He can be contacted at firstname.lastname@example.org.