Confidentiality means ensuring that information is accessible only to those authorized to have access, regardless of where the information is stored or how it is accessed. Each employee within an organization is responsible for maintaining the confidentiality of the information entrusted to them for job performance, and this responsibility must be reinforced through awareness. An awareness training program should address, at a minimum, the following confidentiality topics so that employees acquire an acceptable level of knowledge.
a. Access Control
Access control is any mechanism used for controlling which resources a user can access and the tasks that can be performed with the accessed resources. Passwords and biometrics are two methods of access control that can be used individually or in combination to limit access to resources.
Passwords and their safekeeping are a fundamental element of system and network security and are of key interest to hackers. An intruder in the organization's physical area may check under keyboards and in drawers to find passwords that have been written down and then use them to gain access to private information. Password protection can be augmented by additional security measures such as smart cards and biometric identification systems. Employees need to be taught best practices for creating and handling passwords.
Biometric technology can identify individuals based on the physical characteristics of human body parts. The primary biometric technologies in use are retina scanning, facial recognition, voice recognition, and fingerprint scanning. A sample is submitted by a user requesting access and compared to a database for a match with access permissions. Biometric information is difficult to duplicate and, when used in conjunction with other access methods such as passwords and badges, creates a very good defense against unauthorized access to organizational resources.
Encryption is any process that converts readable (plaintext) data into secret code (ciphertext) to prevent unauthorized disclosure of the information. It can be used in Internet transactions, e-mail, and wireless networking. An encryption algorithm is a mathematical procedure that scrambles information to make it unreadable to unauthorized parties. Encryption has become the foundation of securing networks, communications systems, and online transactions. Employees should utilize encryption whenever possible to ensure security.
Privacy is the prevention of confidential or personal information from being viewed by unauthorized parties and the control over its collection, use, and distribution. The terms privacy and confidentiality can be used interchangeably. Maintenance of privacy is essential to prevent unauthorized disclosure which can lead to identity theft or other issues.
Employees should be given clear instruction, via policy, on what the organization considers acceptable behavior and should also be informed of the processes in place for clarification of ethical concerns and for disclosure of unethical activities.
Data Integrity is defined as safeguarding the accuracy and completeness of information and processing methods from intentional, unauthorized, or incidental changes. Maintaining data integrity is essential to the privacy, security, and reliability of business data. Integrity of data can be compromised by malicious users, hackers, software errors, computer virus infections, hardware component failures, and by human error in entering or transferring data. Mitigating data integrity risks can allow for rapid recovery of data. Employees can mitigate risk by regular data backups and off-site secure storage of backup media, integrity monitoring tools, and encryption.
a. Configuration Management
Configuration or change management is a process for introducing changes into an information technology environment. Change in an environment can introduce new vulnerabilities; a configuration management process allows changes to be implemented in a documented, systematic, monitored, and reversible manner. Formalized configuration management processes should be implemented by organizations and followed by employees.
b. Configuration Auditing
Configuration auditing involves verifying that only approved changes have been made to systems. Auditing also verifies that employees adhere to the configuration management procedures and that all settings are documented. Auditing actively monitors systems and logs changes for reconciliation with configuration management documentation; it can be performed manually or automated with the use of specialized systems.
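One way to automate the reconciliation described above, shown as an added example that is not part of the original text: a baseline of approved file hashes is compared with the current state of a configuration directory. The function names are hypothetical, and the file names and contents are constructed sample data.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Map relative path -> SHA-256 for every file under root."""
    state = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            state[os.path.relpath(full, root)] = sha256_file(full)
    return state

def audit(baseline, current):
    """Reconcile observed state with the approved baseline."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            findings.append(("missing", path))            # approved file is gone
        elif path not in baseline:
            findings.append(("unapproved_file", path))    # never documented
        elif baseline[path] != current[path]:
            findings.append(("unapproved_change", path))  # content drifted
    return findings

def write(root, name, body):
    with open(os.path.join(root, name), "w") as f:
        f.write(body)

def demo():
    """Constructed scenario: record a baseline, then introduce three kinds of drift."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "sshd_config", "PermitRootLogin no\n")
        write(root, "ntp.conf", "server time.example\n")
        baseline = snapshot(root)  # taken when the change was approved
        write(root, "sshd_config", "PermitRootLogin yes\n")  # undocumented edit
        os.remove(os.path.join(root, "ntp.conf"))            # undocumented removal
        write(root, "extra.conf", "debug on\n")              # undocumented addition
        return audit(baseline, snapshot(root))

if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind:18} {path}")
```

Each finding is an item to reconcile against the change records: either a matching approved change exists and the baseline is updated, or the change is unapproved and is investigated.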
Availability means ensuring that authorized users have access to information and associated assets when required. This can be accomplished utilizing data backup plans, disaster recovery plans, and business continuity / recovery plans. Employees should be trained in their responsibilities as they relate to data backups, disaster recovery, and business continuity.
a. Data Backup Plan
Data backups are an essential part of information security and an organization must be able to restore data in the event of data corruption or hardware failure. Backups should be done on a regular basis and the frequency is dependent upon how much data an organization is willing to lose in the event of loss (Recovery Point Objective). The backup media should be stored in a secure location, possibly off-site, which is not exposed to the same hazards as the primary data. Backups should also be periodically restored to test systems to ensure that the process is functioning properly and within the specified time frame (Recovery Time Objective) before the need for the backup actually arises.
b. Disaster Recovery Plan (DRP)
A DRP is a plan that is used to recover quickly after a disaster with a minimum of impact to the organization. DR planning should be part of the initial stage of implementing IT systems. DR plans are developed in response to risk assessments and designed to mitigate those risks. Risk assessments determine the frequency and extent of potential disasters; this will allow an organization to decide which technologies to implement to achieve an appropriate level of recovery. External audits can be valuable to discover deficiencies, although an organization's DRP can never be fully tested until a disaster actually occurs.
c. Business Continuity Plan or Business Resumption Plan
The business continuity plan (BCP), sometimes called a business resumption plan (BRP), is an essential part of a disaster recovery plan. It details, step by step, how to continue or quickly resume normal business in a methodical manner after a disaster occurs. The BCP must also identify the employees responsible for implementing the various plan components, and these employees should receive clear instruction on their responsibilities in the event of a disaster. The plan must be regularly revised to ensure that any changes to business processes are reflected in the BCP.