What is Information Technology Security? That is a question with as many answers as there are different organizational environments. Generally speaking, it is the safe guarding of an organization’s data from unauthorized access, and where necessary, disabling modification of data, to assure data integrity and availability without risk to its confidentiality. Confidentiality, integrity, and availability (CIA) is a commonly used benchmark for evaluation of information systems security, focusing on the three core goals of the confidentiality, integrity and availability of information. Every time IT personnel install software, review a data transport method, create or modify a database, or provide access to information or data sets, confidentiality, integrity and availability adherence must be reviewed.
Confidentiality generally relates to limiting access to information and disclosure of that information to authorized users — “authenticated and verified users” — and preventing access by or disclosure to unauthorized ones — “unauthenticated and unverified users”. Authentication methods like username and password, that uniquely identify data systems’ users and control access to data systems’ resources, strengthen the goal of confidentiality. Systems level permissions, granting varying levels of access to individual pieces of information make an even more complete confidentiality solution, as it relates to an individual’s right to access specific data and information while being restricted from accessing other sensitive information. Confidentiality is directly tied to the broader concept of data privacy — limiting access to specific individual information. For example, a credit card transaction on the Internet requires the credit card number to be transmitted from the buyer to the merchant and from the merchant to a transaction processing network. The system attempts to enforce confidentiality by encrypting the card number during transmission, by limiting the places where it might appear (in databases, log files, backups, printed receipts), and by restricting access to the places where it is stored. If an unauthorized party obtains the card number in any way, a breach of confidentiality has occurred. Breaches such as these can occur in many forms. Allowing someone to look over your shoulder at your computer screen while you have confidential data displayed on it could be a breach of confidentiality. If a laptop computer containing sensitive information about a company’s employees is stolen or sold, it could result in a breach of confidentiality. Giving out confidential information over the telephone is a breach of confidentiality if the caller is not authorized to have the information. Confidentiality is necessary (but not solely adequate) for maintaining the privacy of the people or companies whose personal information a system maintains.
Integrity & Authenticity
In information security, integrity means that data cannot be modified without detection. Integrity is violated when a message is actively modified in transit. Information security systems typically provide message integrity in addition to data confidentiality. It includes the base concept of data integrity, ensuring that data has not been changed inappropriately, either accidentally or deliberately. It also includes origin or “source integrity, validating that the data actually came from the person or entity you think it did, rather than an imposter. Integrity can even include the notion that the person or automation in question has entered correct information, that the information in question is actual and that under the same circumstances would generate identical data. This is commonly referred to as reliability. As integrity requirements have advanced, so too have the technologies involved in enforcing integrity rules, but are still limited in capability. For example, the use of Metadata at the storage bit level, now can be used to determine the authenticity of specific information at any given time, but is still limited to working with the actual data, not determining the accuracy or correctness of the data itself.
Data authenticity is a sub-set of data integrity. In computing, e-Business, and information security, it is necessary to ensure that the data, transactions, communications or documents (electronic or physical) are genuine. It is also important for authenticity to validate that both parties involved are who they claim they are. Electronic commerce uses technology such as digital signatures and public key encryption to establish authenticity.
Security efforts to assure confidentiality, integrity and availability can be split between prevention and detection, with detection focusing on items that were not or could not be prevented. The employment of auditing with automated pattern detection is sometimes employed to assist in the discovery and detection of information technology security weaknesses and breach.
Availability refers to the availability of information resources. An information system that is not available when you need it can be as bad as none at all, or it may be worse, depending on how dependent an organization has become on their systems and network infrastructure. Almost all modern organizations are implicitly dependent on functioning information systems, and most these days could not operate without them. Availability, like other aspects of security, may be affected by purely technical issues, natural phenomena, or human causes, whether deliberate or accidental. While the qualified risks associated with each of these depend on the particular context, the general rule is that people are and likely will continue to be the weakest link, bringing us back to the need for organizational systems security and security methodologies. Availability also brings us a high level of systems available as it relates to organizational needs and service-level-agreements, determining uptime requirements for a company, and putting policies and procedures in place to maintain that level of availability, while securing the system against unnecessary outages.