An information security program aims to support a company achieving its business goals.
The fields of action where the information security program can mainly contribute are the protection of the confidentiality and integrity of business data, the availability of that data, and the availability of the supporting and underpinning services.
Confidentiality
- Confidentiality requires data or information to be protected from unauthorized access.
- Data or information should not fall into the wrong hands.
- Possible mitigating measures:
- Need-to-know principle; Only entities (subjects and objects) that require the information should know about it.
- Access rights; Only entities (subjects and objects) that require the information should have access to it.
- Data encryption; Data at rest and data in motion should be encrypted, to prevent unauthorized entities from getting aware of its content.
Integrity
Integrity requires data to be complete and unchanged for a defined time span.
- To achieve this the data must be protected from loss and unauthorized modifications.
- Unauthorized modifications can be prevented by using cryptographic checksums, also known as hashes, which reveal any change to the data they were computed over.
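As an added illustration that is not part of the original text, the Python below shows how a cryptographic checksum exposes a modified record, and why an unkeyed hash alone is not enough when the attacker can also overwrite the stored checksum: a keyed checksum (HMAC) computed with a secret key the attacker does not hold is required. The record, the key and the tampered copy are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample key; in practice generate it with secrets.token_bytes(32)
# and keep it out of reach of anyone who can write to the data store.
INTEGRITY_KEY = b"constructed-32-byte-sample-key-0"


def digest(data: bytes) -> str:
    """Unkeyed cryptographic checksum (SHA-256, hex) of the data."""
    return hashlib.sha256(data).hexdigest()


def tag(key: bytes, data: bytes) -> str:
    """Keyed checksum (HMAC-SHA256); only a holder of the key can produce it."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_digest(data: bytes, expected: str) -> bool:
    # compare_digest avoids leaking match position through timing
    return hmac.compare_digest(digest(data), expected)


def verify_tag(key: bytes, data: bytes, expected: str) -> bool:
    return hmac.compare_digest(tag(key, data), expected)


def demo():
    """Returns ((digest_ok, tag_ok) for case 1, (digest_ok, tag_ok) for case 2)."""
    record = b"invoice:4711;amount:100.00;payee:ACME"   # constructed sample record
    stored_digest = digest(record)                        # written next to the record
    stored_tag = tag(INTEGRITY_KEY, record)               # written next to the record

    tampered = b"invoice:4711;amount:900.00;payee:ACME"   # unauthorized modification

    # Case 1: only the data is changed; both checks detect it.
    case1 = (verify_digest(tampered, stored_digest),
             verify_tag(INTEGRITY_KEY, tampered, stored_tag))

    # Case 2: the attacker also rewrites the stored checksum. The unkeyed hash
    # now matches the tampered data, but the HMAC cannot be forged without the key.
    forged_digest = digest(tampered)
    forged_tag = tag(b"attacker-guess", tampered)
    case2 = (verify_digest(tampered, forged_digest),
             verify_tag(INTEGRITY_KEY, tampered, forged_tag))
    return case1, case2


if __name__ == "__main__":
    print(demo())  # ((False, False), (True, False))
```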
Availability
Availability ensures that an authorized entity (subjects and objects) has, at any given time, access to the required data.
$$\text{Availability} = \frac{\text{Total Time} - \text{Total Down Time}}{\text{Total Time}}$$
Example:
An availability of 99.99% corresponds to a total down time of around 1 hour per year (0.01% of 8,760 hours is roughly 53 minutes).
Related Terms
Authenticity
The authenticity and credibility of a person or service must be verifiable.
Traceability
Actions of entities (users or systems) must be recorded in a way that allows the entity's action trail to be reconstructed. This can be achieved, for instance, by logging an entity's relevant interactions with its environment.
Accountability
An action taken can be clearly assigned to a communication partner.
Non-Repudiation
It requires that “no inadmissible denial of actions performed” is possible. Among other things, non-repudiation is important in the electronic agreement of contracts, where it can be achieved, for example, with electronic signatures.
Non-Contestability
It is proof that, for instance, a message has been sent and received.